Welcome to Cisco Firewalls Community

Beginner

GROUP POLICY FOR DEFAULT TUNNEL-GROUP

If I am not wrong, the group policies are mapped to the connection profiles (tunnel-groups) and they are applied to users based on the group they choose in the Cisco AnyConnect software.

So what happens to the group policies which are not part of any tunnel-group?

Why such a weird question? Because I found some group policies not being called in any tunnel-groups.

Does that mean these group policies are not being used at all? Or are they mapped to their respective "DEFAULT" tunnel-group type?

4 REPLIES
Hall of Fame Guru

Re: GROUP POLICY FOR DEFAULT TUNNEL-GROUP

They could be left over from a previous configuration where they had an associated tunnel-group.

If no current tunnel-group specifies them they are likely extraneous and can be removed. (You cannot remove the default group policy, even if it's not currently used.)

RJI, VIP Advisor

Re: GROUP POLICY FOR DEFAULT TUNNEL-GROUP

Hi,
If you don't specifically define a group policy in a tunnel-group, you would be using the default group policy "DfltGrpPolicy". You would need to use the command "show run ALL tunnel-group", which would reveal the actual group policy in use by the tunnel-group. The command "show run tunnel-group" would not reveal this.

Group Policies do not explicitly need to be referenced in the tunnel-group/connection profile; if using a RADIUS server for authorisation, the Group Policy could be dynamically applied to a user's session. So those group policies may in fact be in use.

HTH
Beginner

Re: GROUP POLICY FOR DEFAULT TUNNEL-GROUP

Can you tell me if there are any links to this type of configuration, or how to check if the group policies are mapped to users?

Beginner

Re: GROUP POLICY FOR DEFAULT TUNNEL-GROUP

Hi Alfred,

Group-policies that are not attached to any tunnel-group will not be in use (you can delete them).

Users who do not match any tunnel-group will be assigned the DefaultWEBVPNGroup, which is mapped to the DfltGrpPolicy.

You can check which tunnel-group and group-policy each user is assigned by issuing this command from the CLI:

W01/pri/act# sh vpn-sessiondb anyconnect

Session Type: AnyConnect

Username : ar010 Index : 13412
Assigned IP : 10.0.15.142 Public IP : x.x.x.x
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA1
Bytes Tx : 893560189 Bytes Rx : 272695893
Group Policy : GP-SSL-All Tunnel Group : TG-SSL-Internal

Please rate if answer is helpful.
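The two answers above suggest two checks: read the effective `default-group-policy` of every tunnel-group from `show run all tunnel-group` (the implicit DfltGrpPolicy only shows with `all`), and look at live sessions in `show vpn-sessiondb anyconnect` to catch policies that RADIUS hands out dynamically. The script below is an added example, not code from this thread or from Cisco; it parses constructed, device-style text for those three commands (the tunnel-group, group-policy and session names in it are made up) and classifies each group-policy as statically referenced, dynamically assigned, or unreferenced.

```python
import re

# Constructed sample of "show run all tunnel-group" output (not a real capture).
TUNNEL_GROUP_CONFIG = """\
tunnel-group DefaultWEBVPNGroup type remote-access
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy DfltGrpPolicy
tunnel-group TG-SSL-Internal type remote-access
tunnel-group TG-SSL-Internal general-attributes
 default-group-policy GP-SSL-All
tunnel-group TG-Contractors type remote-access
tunnel-group TG-Contractors general-attributes
 default-group-policy DfltGrpPolicy
"""

# Constructed sample of "show run group-policy" output.
GROUP_POLICY_CONFIG = """\
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ssl-client
group-policy GP-SSL-All internal
group-policy GP-SSL-All attributes
 vpn-tunnel-protocol ssl-client
group-policy GP-Finance internal
group-policy GP-Finance attributes
 vpn-tunnel-protocol ssl-client
group-policy GP-Old-Vendor internal
group-policy GP-Old-Vendor attributes
 vpn-tunnel-protocol ssl-client
"""

# Constructed sample of "show vpn-sessiondb anyconnect" output (usernames/IPs made up).
SESSION_DB = """\
Session Type: AnyConnect

Username     : ar010                  Index        : 13412
Assigned IP  : 10.0.15.142            Public IP    : 203.0.113.10
Group Policy : GP-SSL-All             Tunnel Group : TG-SSL-Internal

Username     : fin22                  Index        : 13420
Assigned IP  : 10.0.15.150            Public IP    : 203.0.113.11
Group Policy : GP-Finance             Tunnel Group : TG-Contractors
"""


def parse_tunnel_groups(text):
    """Map each tunnel-group to its effective default-group-policy.
    A tunnel-group with no explicit line falls back to DfltGrpPolicy."""
    groups, current = {}, None
    for line in text.splitlines():
        m = re.match(r"tunnel-group (\S+) type ", line)
        if m:
            groups.setdefault(m.group(1), "DfltGrpPolicy")
            current = None
            continue
        m = re.match(r"tunnel-group (\S+) general-attributes", line)
        if m:
            current = m.group(1)
            groups.setdefault(current, "DfltGrpPolicy")
            continue
        m = re.match(r"\s+default-group-policy (\S+)", line)
        if m and current:
            groups[current] = m.group(1)
    return groups


def parse_group_policies(text):
    """Return configured group-policy names in order of first appearance."""
    names = []
    for line in text.splitlines():
        m = re.match(r"group-policy (\S+) ", line)
        if m and m.group(1) not in names:
            names.append(m.group(1))
    return names


def parse_sessions(text):
    """Return (username, group policy, tunnel group) per active session."""
    sessions, user = [], None
    for line in text.splitlines():
        m = re.match(r"Username\s*:\s*(\S+)", line)
        if m:
            user = m.group(1)
            continue
        m = re.match(r"Group Policy\s*:\s*(\S+)\s+Tunnel Group\s*:\s*(\S+)", line)
        if m and user:
            sessions.append((user, m.group(1), m.group(2)))
            user = None
    return sessions


def classify_group_policies(tg_text, gp_text, session_text):
    """static: named (or implied) by a tunnel-group; dynamic: only seen on a
    live session (e.g. pushed by RADIUS); unreferenced: neither."""
    referenced = set(parse_tunnel_groups(tg_text).values()) | {"DfltGrpPolicy"}
    in_session = {gp for _, gp, _ in parse_sessions(session_text)}
    report = {}
    for gp in parse_group_policies(gp_text):
        if gp in referenced:
            report[gp] = "static"
        elif gp in in_session:
            report[gp] = "dynamic"
        else:
            report[gp] = "unreferenced"
    return report


if __name__ == "__main__":
    for gp, status in classify_group_policies(
            TUNNEL_GROUP_CONFIG, GROUP_POLICY_CONFIG, SESSION_DB).items():
        print(f"{gp:20} {status}")
```

An "unreferenced" result only means no tunnel-group names the policy and nobody is using it right now; a policy that RADIUS assigns to users who are not currently connected would also land there, so confirm against the AAA server's policy attributes before removing anything. DfltGrpPolicy is always treated as referenced because it cannot be deleted.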