CCNP Security VPN Cert Guide: Configuring Policies, Inheritance, and Attributes
This chapter covers the following subjects:
- Policies and Their Relationships: In this section, we review the available policies that can be applied during a VPN connection and how they work together to form the overall policy applied to a remote user.
- Understanding Connection Profiles: In this section, we discuss the role of connection profiles, their configuration elements, and how they are applied to remote users.
- Understanding Group Policies: In this section, we discuss the role of group policies for attribute assignment and control of your remote users.
- Configure User Attributes: In this section, we review the creation of a user account and take a look at the available parameters and attributes that can be assigned to an individual remote user.
- Using External Servers for AAA and Policy Assignment: In this section, we discuss the role of AAA servers and briefly cover their configuration and how we can deploy policies through them.
An important part of the deployment of a Secure Sockets Layer (SSL) or IPsec virtual private network (VPN) connection is the use of policies to allow access to resources through the VPN tunnel and the ability to control the access granted to those resources, whether this is based on the user and their internal group membership or department, the site and specific resources they are accessing, or role in the company.
We are given a wide range of options that can be configured and specified using the available policy set in the Adaptive Security Appliance (ASA), allowing us to take a very granular approach to allow or deny access based on a user's attributes. Furthermore, if a user is a member of multiple groups in the business, we can assign multiple policies, resulting in the inheritance of higher-level policies and only the more specific attributes being directly assigned.
In this chapter, we take a look at the methods available for policy assignment both in real-life scenarios and throughout this book. We then review how these policy methods work together if more than one is assigned to a user through the inheritance mode.
"Do I Know This Already?" Quiz
The "Do I Know This Already?" quiz helps you determine your level of knowledge on this chapter's topics before you begin. Table 2-1 details the major topics discussed in this chapter and their corresponding quiz sections.
Table 2-1. "Do I Know This Already?" Section-to-Question Mapping
Foundation Topics Section
Policies and Their Relationships
Understanding Connection Profiles
Understanding Group Policies
Using External Servers for AAA and Policy Assignment
- Which of the following are available methods of assigning a connection profile? (Choose all that apply.)
- User connection profile lock
- Certificate to connection profile maps
- User choice using a menu in either clientless or full-tunnel VPN
- All of the above
- Which of the following policy types take precedence over all others configured based on the ASA policy hierarchy?
- Group policy
- Connection profile
- User attributes
- Which two of the following are the default connection profiles that exist on the ASA device?
- Which of the following objects can be used for post-login policy assignment? (Choose all that apply.)
- Connection profiles
- User attributes
- Group policies
- Which of the following are valid group policy types?
- When configuring external group policies, which AAA protocols or servers can you use for authorization?