Specifications
25-12
Cisco Security Appliance Command Line Configuration Guide
OL-6721-01
Chapter 25 Configuring Tunnel Groups, Group Policies, and Users
 Group Policies
You can modify the default group policy, and you can also create one or more group policies specific to 
your environment. 
Configuring Group Policies
A group policy can apply to either remote-access or LAN-to-LAN IPSec tunnels. In each case, if you do 
not explicitly define a parameter, the group takes the value from the default group policy. To configure 
a group policy, follow these steps:
Step 1 Specify a name and type (internal or external) for the group policy:
hostname(config)# group-policy group_policy_name type
For example, the following command specifies that the group policy is named “GroupPolicy1” and that 
its type is internal: 
hostname(config)# group-policy GroupPolicy1 internal
The default type is internal. 
You can initialize the attributes of an internal group policy to the values of a preexisting group policy by 
appending the keyword from and specifying the name of the existing policy:
hostname(config)# group-policy group_policy_name internal from group_policy_name
For an external group policy, you must identify the AAA server group that the security appliance can 
query for attributes and specify the password to use when retrieving attributes from the external AAA 
server group, as follows: 
hostname(config)# group-policy name external server-group server_group password server_password
Note For an external group policy, RADIUS is the only supported AAA server type.
Step 2 Enter the group-policy attributes mode, using the group-policy attributes command in global 
configuration mode.
hostname(config)# group-policy name attributes
hostname(config-group-policy)#
The prompt changes to indicate the mode change. The group-policy-attributes mode lets you configure 
attribute-value pairs for a specified group policy. In group-policy-attributes mode, explicitly configure 
the attribute-value pairs that you do not want to inherit from the default group. The commands to do this 
are described in the following steps.
Step 3 Specify the primary and secondary WINS servers:
hostname(config-group-policy)# wins-server value {ip_address [ip_address] | none}
The first IP address specified is that of the primary WINS server. The second (optional) IP address is 
that of the secondary WINS server. Specifying the none keyword instead of an IP address sets WINS 
servers to a null value, which allows no WINS servers and prevents inheriting a value from a default or 
specified group policy.
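The inheritance rule in Steps 1 through 3 (an attribute that is not explicitly set comes from the default group policy, while the none keyword pins it to an empty value and blocks inheritance) is easy to misread when auditing a running configuration. The following added example, which is not Cisco code and not part of this guide, resolves the effective WINS servers for each group policy from a constructed, ASA-style configuration excerpt. It assumes the default group policy is named DfltGrpPolicy (the ASA's built-in default, not named on this page), models only the policy type from Step 1 and the wins-server attribute from Step 3, and uses a placeholder password for the external policy.

```python
"""Resolve effective wins-server values across ASA-style group policies.

Added example (not Cisco code). Assumptions, labelled in the code:
the default policy is named DfltGrpPolicy; the sample configuration
is constructed and only carries the attributes this example models.
"""
import re

# Constructed sample configuration: a default policy, a policy with its
# own WINS servers, a policy that pins WINS to none, a policy that sets
# nothing (so it inherits), and an external policy served by RADIUS.
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
 wins-server value 10.1.1.10 10.1.1.11
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 wins-server value 10.2.2.10
group-policy NoWins internal
group-policy NoWins attributes
 wins-server none
group-policy Inherits internal
group-policy Inherits attributes
group-policy ExtPolicy external server-group RADIUS-GRP password PLACEHOLDER_PASSWORD
"""

DEFAULT_POLICY = "DfltGrpPolicy"  # assumption: the ASA's built-in default policy name

# Matches the three header forms used on this page:
#   group-policy <name> internal ...
#   group-policy <name> external server-group ... password ...
#   group-policy <name> attributes
HEADER_RE = re.compile(r"^group-policy (\S+) (internal|external|attributes)(.*)$")


def parse_group_policies(config_text):
    """Return {name: {"type": "internal"|"external"|None, "wins": ...}}.

    "wins" is a list of addresses when set with `value`, the string
    "none" when pinned with the none keyword, and absent when the
    policy does not set the attribute at all (the inheriting case).
    """
    policies = {}
    current = None  # attributes block currently being read, if any
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            name, kind = m.group(1), m.group(2)
            pol = policies.setdefault(name, {"type": None})
            if kind == "attributes":
                current = pol
            else:
                pol["type"] = kind
                current = None
            continue
        # Attribute lines are indented under a "... attributes" header.
        if current is None or not line.startswith(" "):
            continue
        tokens = line.split()
        if tokens[0] == "wins-server":
            if tokens[1] == "none":
                current["wins"] = "none"
            elif tokens[1] == "value":
                current["wins"] = tokens[2:4]  # primary, optional secondary
    return policies


def resolve_wins(policies, name):
    """Return (source, servers) for a policy, following the guide's rules.

    source is one of: "explicit" (set with value), "none" (pinned empty),
    "inherited" (taken from the default policy), "external" (attributes
    come from the RADIUS server group, not from this configuration).
    """
    pol = policies[name]
    if pol["type"] == "external":
        return ("external", None)
    if "wins" in pol:
        if pol["wins"] == "none":
            return ("none", [])
        return ("explicit", list(pol["wins"]))
    if name != DEFAULT_POLICY and DEFAULT_POLICY in policies:
        _, servers = resolve_wins(policies, DEFAULT_POLICY)
        return ("inherited", servers)
    return ("none", [])  # default policy itself with nothing configured


def audit(config_text):
    """Map every policy name to its resolved (source, servers) pair."""
    policies = parse_group_policies(config_text)
    return {name: resolve_wins(policies, name) for name in policies}


if __name__ == "__main__":
    for name, (source, servers) in audit(SAMPLE_CONFIG).items():
        print(f"{name:14} {source:9} {servers}")
```

The "inherited" rows of the audit output are the ones to review: those policies carry whatever the default group policy carries, which is the behaviour the guide describes when an attribute is not explicitly configured, and the only way to opt out for WINS is the none keyword.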