Two of the most overloaded terms in Cisco ASA VPN configuration are group-policy and tunnel-group. They sound similar, they are configured in the same area, and they both apply attributes to a connecting client. The difference between them is genuinely important: tunnel-groups are the named connection profiles users select; group-policies are the bundle of attributes the gateway pushes to the client once it picks a connection profile. This article breaks both apart, walks the inheritance chain that drives final attribute resolution, and shows real running-config from a live ASAv 9.23(1) in the PingLabz ASA reference lab.
If you have already worked through Cisco ASA AnyConnect SSL VPN Configuration, much of the configuration appearing below will look familiar. Here we treat the two objects as the unit of study, not the side-effect of a connection setup.
Tunnel-Group vs Group-Policy in One Table
| Object | What it is | What it controls | Bound to |
|---|---|---|---|
| Tunnel-group (connection profile) | The named connection profile a client selects (or is steered into via group-url / group-alias). | How the client authenticates and where it connects: AAA servers, IP pool, default group-policy, certificate map mapping rules. | A specific client connection. There is one tunnel-group per "way of connecting". |
| Group-policy | A reusable bundle of client attributes. | What the client sees once connected: DNS, split-tunnel ACL, banner, allowed protocols, idle timeout, ACL filter, DPD intervals. | Pulled in by tunnel-group's default-group-policy, or pushed per-user from AAA, or inherited. |
One way to keep them straight: tunnel-group is the door (which entrance the client uses), group-policy is the room (what the client finds once inside).
Tunnel-Group Types
Three types exist, and you must specify the type at creation:
| Type | Use |
|---|---|
| remote-access | AnyConnect (SSL or IKEv2), legacy IPsec client. The 90% case for client VPN. |
| ipsec-l2l | Site-to-site (LAN-to-LAN) IPsec. The tunnel-group name is the peer's IP address. |
| webvpn | Clientless SSL VPN portals. Largely deprecated in favor of AnyConnect. |
From our lab, show running-config tunnel-group shows all three patterns:
```
ASA-PERIM# show running-config tunnel-group
tunnel-group SSL_PROFILE type remote-access
tunnel-group SSL_PROFILE general-attributes
 address-pool VPN-POOL
 authentication-server-group RADIUS-VPN LOCAL
 authorization-server-group LDAP-VPN
 accounting-server-group RADIUS-VPN
 default-group-policy ANYCONNECT-SSL-GP
tunnel-group SSL_PROFILE webvpn-attributes
 group-alias EMPLOYEES enable
 group-url https://203.0.113.2/employees enable
tunnel-group IKEV2_PROFILE type remote-access
tunnel-group IKEV2_PROFILE general-attributes
 address-pool VPN-POOL
 default-group-policy ANYCONNECT-IKEV2-GP
tunnel-group IKEV2_PROFILE ipsec-attributes
 ikev2 remote-authentication eap query-identity
 ikev2 local-authentication certificate PINGLABZ-SELFSIGNED
tunnel-group 203.0.113.6 type ipsec-l2l
tunnel-group 203.0.113.6 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
```
Three tunnel-groups, three patterns. SSL_PROFILE and IKEV2_PROFILE are remote-access tunnel-groups for AnyConnect SSL and IKEv2 respectively. 203.0.113.6 is a site-to-site tunnel-group whose name is the literal IP of the peer ASA.
The Three Attribute Blocks
A tunnel-group can have up to three sub-blocks of attributes. Which ones apply depends on the tunnel-group type.
| Sub-block | Available on | Controls |
|---|---|---|
| general-attributes | All types | AAA server groups, IP pool, default group-policy, accounting, NAC. |
| webvpn-attributes | remote-access, webvpn | group-alias, group-url, customization, login banner. |
| ipsec-attributes | remote-access, ipsec-l2l | IKEv1/IKEv2 PSK, IKEv2 cert auth, peer-id-validate, isakmp keepalive. |
The split-by-purpose layout means you do not see ipsec-attributes on a webvpn (clientless) tunnel-group, and you do not see webvpn-attributes on a site-to-site tunnel-group. The CLI hides what does not apply.
The Default Tunnel-Groups
The ASA ships with two default tunnel-groups that you cannot delete:
| Default tunnel-group | Used when |
|---|---|
| DefaultRAGroup | An AnyConnect / RA client connects without selecting a group-alias and without matching a group-url. The catch-all for remote access. |
| DefaultL2LGroup | A site-to-site IPsec peer initiates and the local ASA does not have a tunnel-group named after the peer's IP. Catch-all for L2L. |
You can edit these (set their default-group-policy, set a PSK on DefaultL2LGroup) but you cannot remove them. Most production deployments leave them with no AAA configured so that anonymous catch-all logins fail by default.
Group-Policy Anatomy
A group-policy is a bag of attributes pushed to the client. Some are universal (DNS, idle timeout); some are protocol-specific (the SSL DTLS settings only apply to SSL clients).
From our lab:
```
ASA-PERIM# show running-config group-policy
group-policy DfltGrpPolicy attributes
 dns-server value 10.10.0.10
 default-domain value pinglabz.lab
group-policy ANYCONNECT-SSL-GP internal
group-policy ANYCONNECT-SSL-GP attributes
 dns-server value 10.10.0.10
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value pinglabz.lab
 webvpn
  anyconnect ssl dtls enable
  anyconnect keep-installer installed
  anyconnect ssl rekey time 60
  anyconnect ssl rekey method new-tunnel
  anyconnect dpd-interval client 30
  anyconnect dpd-interval gateway 30
group-policy ANYCONNECT-IKEV2-GP internal
group-policy ANYCONNECT-IKEV2-GP attributes
 dns-server value 10.10.0.10
 vpn-tunnel-protocol ikev2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value pinglabz.lab
```
Three group-policies are visible:
- DfltGrpPolicy: the system default. It exists whether you configure it or not. You can set its attributes (and we did, with `dns-server` and `default-domain`) but the policy itself cannot be deleted.
- ANYCONNECT-SSL-GP: a custom group-policy bound to the SSL_PROFILE tunnel-group. It permits only ssl-client transport, sets a split-tunnel ACL, and configures SSL-specific attributes inside the `webvpn` sub-block.
- ANYCONNECT-IKEV2-GP: a custom group-policy bound to the IKEV2_PROFILE tunnel-group. Same DNS / domain / split-tunnel ACL, but with `vpn-tunnel-protocol ikev2` and no `webvpn` sub-block (because SSL-specific attributes do not apply to an IKEv2 client).
Internal vs External Group-Policies
Notice the internal keyword in group-policy ANYCONNECT-SSL-GP internal. ASA group-policies have two storage types:
- Internal: defined locally on the ASA. The attributes are stored in the ASA config. This is the common case.
- External: the attributes are pulled from an external AAA server (LDAP or RADIUS) on a per-user basis at login. The local config only declares the policy name and the AAA server group to consult.
External group-policies are useful when you want to centralize VPN attributes in your directory. The trade-off is that every connection involves a directory lookup, and you have to map LDAP / RADIUS attributes to ASA attribute names (the ldap attribute-map mechanism). Most deployments keep group-policies internal and use AAA only for authentication and authorization.
The Inheritance Chain (Where Attributes Actually Come From)
For any single connecting user, attributes are resolved in this order, with later sources overriding earlier ones:
1. DfltGrpPolicy: the floor. Every user gets these attributes unless something else overrides them.
2. Tunnel-group's `default-group-policy`: overrides DfltGrpPolicy for any user landing in this tunnel-group.
3. User-specific group-policy from AAA: if the AAA server (RADIUS or LDAP) returns a `Group-Policy` attribute, that policy's attributes override the tunnel-group default for this specific user.
4. User attributes from AAA: per-user attributes (banner, framed-IP-address, ACL filter) returned by the AAA server override anything in the group-policies.
5. Dynamic Access Policy (DAP): applied last. DAP records can override anything from steps 1-4 based on a wide set of selectors (AAA attributes + endpoint posture + connection attributes). Full detail in Cisco ASA Dynamic Access Policies (DAP).
The implication: if a user reports a different DNS server than what is configured in their group-policy, check whether AAA is pushing back an override or whether a DAP record is firing. Both happen silently and only show in show vpn-sessiondb anyconnect detail after the fact.
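The chain above, as an added example that is not part of the article or of any Cisco tooling: a small Python resolver that parses `show running-config group-policy` text (constructed here from the lab output shown earlier, plus a hypothetical CONTRACTORS-GP standing in for a policy an AAA server might return) and records which layer set each attribute, so a "wrong DNS server" report can be traced to AAA or DAP. The parameter names `aaa_gp`, `aaa_user`, `dap` and the CONTRACTOR-ACL filter are illustrative assumptions.

```python
import re
# Constructed sample: the lab's policies from the article plus a hypothetical
# CONTRACTORS-GP that an AAA server might return in its Group-Policy attribute.
RUNNING_CONFIG = """\
group-policy DfltGrpPolicy attributes
 dns-server value 10.10.0.10
 default-domain value pinglabz.lab
group-policy ANYCONNECT-SSL-GP attributes
 dns-server value 10.10.0.10
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 webvpn
  anyconnect ssl dtls enable
group-policy CONTRACTORS-GP attributes
 dns-server value 10.10.0.11
"""
def parse_group_policies(cfg):
    """Map each policy name to {attribute: value} from `show run group-policy` text."""
    policies, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"group-policy (\S+) attributes$", line)
        if m:
            current = policies.setdefault(m.group(1), {})
        elif current is not None and line.startswith(" "):
            body = line.strip().replace(" value ", " ")
            if " " in body:  # skip bare sub-mode keywords such as "webvpn"
                key, val = body.rsplit(" ", 1)
                current[key] = val
    return policies

def resolve(policies, tg_default, aaa_gp=None, aaa_user=None, dap=None):
    """Walk the chain, later layers winning; returns {attribute: (value, layer)}."""
    layers = [("DfltGrpPolicy", policies.get("DfltGrpPolicy", {})),
              (f"tunnel-group default {tg_default}", policies[tg_default]),
              (f"AAA group-policy {aaa_gp}", policies.get(aaa_gp, {})),
              ("AAA per-user attributes", aaa_user or {}),
              ("DAP", dap or {})]
    effective = {}
    for layer, attrs in layers:
        for key, val in attrs.items():
            effective[key] = (val, layer)
    return effective

if __name__ == "__main__":
    # SSL_PROFILE user whose AAA server returns Group-Policy=CONTRACTORS-GP plus an ACL filter.
    result = resolve(parse_group_policies(RUNNING_CONFIG), "ANYCONNECT-SSL-GP",
                     aaa_gp="CONTRACTORS-GP", aaa_user={"vpn-filter": "CONTRACTOR-ACL"})
    for key, (val, layer) in sorted(result.items()):
        print(f"{key:28} {val:16} <- {layer}")
```

Feed it the real `show running-config group-policy` output and the values returned in the user's AAA session to see, per attribute, which layer is winning before checking DAP.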
AAA Server Groups on the Tunnel-Group
The tunnel-group's general-attributes sub-block specifies which AAA server group performs each function:
```
tunnel-group SSL_PROFILE general-attributes
 authentication-server-group RADIUS-VPN LOCAL
 authorization-server-group LDAP-VPN
 accounting-server-group RADIUS-VPN
 default-group-policy ANYCONNECT-SSL-GP
```
Three independent functions, often pointing at different server groups:
- Authentication: who is the user? RADIUS verifies the password. The trailing `LOCAL` says fall back to the local username database if RADIUS is unreachable.
- Authorization: what can this user do? LDAP returns group memberships and per-user attributes that map to the ASA's group-policy attributes.
- Accounting: log the session. RADIUS receives Accounting-Start when the user connects and Accounting-Stop when they disconnect, with byte counts and session duration.
The full AAA configuration for each protocol is in Cisco ASA AAA for VPN: LDAP, RADIUS, and TACACS+.
Site-to-Site Tunnel-Groups Are Different
For site-to-site IPsec, the tunnel-group name is the peer's IP address (or hostname). When a peer initiates and presents that source IP, the ASA looks up a tunnel-group of that name to find the PSK or trustpoint to use.
```
tunnel-group 203.0.113.6 type ipsec-l2l
tunnel-group 203.0.113.6 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
```
The PSK is hidden in the show output. The tunnel-group has no general-attributes block configured because L2L tunnels do not need an IP pool, AAA, or a default group-policy; the policy attributes are baked into the crypto map and the IPsec proposal.
Key Takeaways
The tunnel-group is the named connection profile (the door). The group-policy is the bag of attributes pushed to the client (the room). They are linked by the tunnel-group's default-group-policy attribute. Most deployments have one tunnel-group per transport (SSL, IKEv2, L2L) with a matching group-policy, plus a per-OU tunnel-group for distinct authorization profiles.
The attribute-resolution chain runs DfltGrpPolicy > tunnel-group default > AAA-returned group-policy > AAA per-user attributes > DAP. When attribute behavior is surprising, walk the chain in show vpn-sessiondb anyconnect detail to find which layer is actually pushing the value.
For the full Cisco ASA reference, including site-to-site IPsec, NAT, ACLs, failover, and the troubleshooting tools, see the Cisco ASA pillar. For the AAA wiring that ties tunnel-groups to a directory, see Cisco ASA AAA for VPN: LDAP, RADIUS, and TACACS+; for the runtime override layer, see Cisco ASA Dynamic Access Policies (DAP).