Tuesday, December 1, 2015

VPN Profiles and Policies


Connection Profiles
An SSL VPN connection is a TCP connection on port 443.
A connection profile (i.e. tunnel group) controls the pre-logon policy.

How does the ASA authenticate a user?
1. The user sends packets to initiate the VPN.
2. The ASA checks for a URL, alias or cert linked to a custom connection profile.
   If present -> use the custom connection profile.
   If not -> use the default connection profiles. If SSL, use DefaultWEBVPNGroup. If IPsec, use DefaultRAGroup.

We can modify DefaultWEBVPNGroup and DefaultRAGroup, but we can't delete them.

3. Based on the connection profile, the ASA selects:
   Authentication method (LOCAL, AAA, cert)
   IP address assignment method (not for clientless)
   DNS server to use

Post-logon policies: applied once the user is authenticated
Permissions, authorizations, restrictions, etc.
Which policies are applied to the VPN?
Top-down match:
DAP rules
User profile rules
User profile group rules
Connection profile group rules
DfltGrpPolicy group rules
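
The two lookups described above (connection profile selection in step 2 and the top-down policy match) can be modelled in a few lines of Python. This is an added example, not ASA code and not part of the original notes; the custom profile names, the attribute names and values, and the order in which URL, alias and cert are checked are assumptions made for illustration.

```python
# Simplified model of the lookups in these notes; not Cisco code.
# Only the two default profile names and DfltGrpPolicy come from the ASA itself.
DEFAULT_PROFILES = {"ssl": "DefaultWEBVPNGroup", "ipsec": "DefaultRAGroup"}

# Constructed mappings from URL / alias / cert rule to a custom connection profile.
CUSTOM_PROFILES = {
    ("url", "https://vpn.example.com/eng"): "ENG",
    ("alias", "Engineering"): "ENG",
    ("cert", "OU=Contractors"): "CONTRACTOR",
}

def select_connection_profile(protocol, url=None, alias=None, cert=None):
    """Step 2: use a custom profile if URL, alias or cert maps to one, else the default."""
    # Assumption: the three selectors are tried in the order the notes list them.
    for kind, value in (("url", url), ("alias", alias), ("cert", cert)):
        if value is not None and (kind, value) in CUSTOM_PROFILES:
            return CUSTOM_PROFILES[(kind, value)]
    return DEFAULT_PROFILES[protocol]

# Post-logon policy sources in top-down order (highest precedence first).
PRECEDENCE = ["dap", "user", "user_group_policy",
              "connection_profile_group_policy", "DfltGrpPolicy"]

def effective_policy(sources):
    """Resolve each attribute from the first source, top down, that sets it."""
    result = {}
    for name in PRECEDENCE:
        for attr, value in sources.get(name, {}).items():
            result.setdefault(attr, (value, name))  # keep the higher-precedence value
    return result

# Constructed session: each source sets only some attributes.
SAMPLE_SOURCES = {
    "dap": {"acl": "QUARANTINE-ACL"},
    "user": {"banner": "Welcome alice"},
    "user_group_policy": {"acl": "ENG-ACL", "idle_timeout_min": 15},
    "connection_profile_group_policy": {"idle_timeout_min": 30,
                                        "split_tunnel": "tunnelspecified"},
    "DfltGrpPolicy": {"idle_timeout_min": 30, "split_tunnel": "tunnelall", "banner": ""},
}

if __name__ == "__main__":
    print(select_connection_profile("ssl", alias="Engineering"))
    for attr, (value, source) in sorted(effective_policy(SAMPLE_SOURCES).items()):
        print(f"{attr:18} = {value!r:20} from {source}")
```

Printing the source next to each resolved attribute is useful when auditing a VPN: a permissive value in DfltGrpPolicy only matters for attributes that no higher source sets.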
