GROUP POLICY FOR DEFAULT TUNNEL-GROUP

Alfredcfc
Level 1

If I am not wrong, the group policies are mapped to the connection profiles (tunnel-groups) and are applied to users based on the group they choose in the Cisco AnyConnect software.


So what happens to the group policies which are not part of any tunnel-group?

Why such a weird question? Because I found some group policies not being called in any tunnel-groups.


Does that mean these group policies are not being used at all? Or are they mapped to their respective "DEFAULT" tunnel-group type?

4 Replies

Marvin Rhoads
Hall of Fame

They could be left over from a previous configuration where they had an associated tunnel-group.

If no current tunnel-group specifies them they are likely extraneous and can be removed. (You cannot remove the default group policy, even if it's not currently used.)

Hi,
If you don't specifically define a group policy in a tunnel-group, you would be using the default group policy "DfltGrpPolicy". You would need to use the command "show run ALL tunnel-group", which would reveal the actual group policy in use by the tunnel-group. The command "show run tunnel-group" would not reveal this.

Group Policies do not explicitly need to be referenced in the tunnel-group/connection profile; if using a RADIUS server for authorisation, the Group Policy could be dynamically applied to a user's session. So those group policies may in fact be in use.

HTH

Can you tell me if there are any links to this type of configuration, or how to check if the group policies are mapped to users?

Hi Alfred,

Group-policies that are not attached to any tunnel-group will not be in use (you can delete them).

Users who do not match any tunnel-group will be assigned the DefaultWEBVPNGroup, which is mapped to the DfltGrpPolicy.

You can check which tunnel-group and group-policy each user is assigned to by issuing this command from the CLI:

W01/pri/act# sh vpn-sessiondb anyconnect

Session Type: AnyConnect

Username : ar010 Index : 13412
Assigned IP : 10.0.15.142 Public IP : x.x.x.x
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA1
Bytes Tx : 893560189 Bytes Rx : 272695893
Group Policy : GP-SSL-All Tunnel Group : TG-SSL-Internal

Please rate if answer is helpful.
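Added example, not from any poster in this thread: a small Python audit that applies the two answers above together, cross-checking the `default-group-policy` lines of `show run all tunnel-group` against live `show vpn-sessiondb anyconnect` output, so that a group-policy no tunnel-group references but which RADIUS has pushed to a live session is flagged as in use rather than deleted. The sample outputs are constructed, and every name other than GP-SSL-All, TG-SSL-Internal, DfltGrpPolicy and DefaultWEBVPNGroup is hypothetical.

```python
import re

# Constructed samples (not real device output): session listing modelled on the
# thread's 'sh vpn-sessiondb anyconnect', plus 'show run all tunnel-group' and
# 'show run group-policy' lines. Names other than GP-SSL-All, TG-SSL-Internal,
# DfltGrpPolicy and DefaultWEBVPNGroup are hypothetical.
SESSIONS = """\
Session Type: AnyConnect
Username     : ar010                  Index        : 13412
Group Policy : GP-SSL-All             Tunnel Group : TG-SSL-Internal

Username     : bsmith                 Index        : 13420
Group Policy : GP-Contractors         Tunnel Group : TG-SSL-Internal
"""
CONFIG = """\
group-policy DfltGrpPolicy attributes
group-policy GP-SSL-All internal
group-policy GP-Contractors internal
group-policy GP-Legacy-2019 internal
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy DfltGrpPolicy
tunnel-group TG-SSL-Internal type remote-access
tunnel-group TG-SSL-Internal general-attributes
 default-group-policy GP-SSL-All
"""

def parse_sessions(text):
    """Map each username to its (group policy, tunnel group) from vpn-sessiondb output."""
    sessions, user = {}, None
    for line in text.splitlines():
        m = re.match(r"Username\s*:\s*(\S+)", line)
        if m:
            user = m.group(1)
            continue
        m = re.match(r"Group Policy\s*:\s*(\S+)\s+Tunnel Group\s*:\s*(\S+)", line)
        if m and user:
            sessions[user] = (m.group(1), m.group(2))
    return sessions

def audit_group_policies(config, session_text):
    """Split configured group-policies into those a tunnel-group references, those
    seen only on a live session (e.g. pushed by RADIUS), and those nothing uses."""
    defined = set(re.findall(r"^group-policy (\S+) (?:internal|external|attributes)", config, re.M))
    referenced = set(re.findall(r"^\s*default-group-policy (\S+)", config, re.M))
    active = {gp for gp, _ in parse_sessions(session_text).values()}
    return {
        "referenced": sorted(defined & referenced),
        "dynamic": sorted((defined & active) - referenced),
        # DfltGrpPolicy cannot be deleted, so it is never reported as unused
        "unused": sorted(defined - referenced - active - {"DfltGrpPolicy"}),
    }
```

Run the audit over a full session listing captured during normal business hours; a policy that shows up under "dynamic" is the RADIUS-assigned case described above and should be kept.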
