Hierarchy of Policy Enforcement of Permissions and Attributes in Threat Defense

The threat defense device supports applying user authorization attributes, also called user entitlements or permissions, to VPN connections. The attributes can come from a DAP on the threat defense, from an external authentication and/or authorization AAA server (RADIUS), or from a group policy on the threat defense device.

If the threat defense device receives attributes from all sources, the device evaluates, merges, and applies the attributes to the user policy. If there are conflicts between attributes coming from the DAP, the AAA server, or the group policy, the attributes from the DAP always take precedence.

The threat defense device applies attributes in the following order:

Policy Enforcement Flow
  1. DAP attributes on the FTD—The DAP attributes take precedence over all others.

  2. User attributes on the external AAA server—The server returns these attributes after successful user authentication and/or authorization.

  3. Group policy configured on the FTD—If a RADIUS server returns the value of the RADIUS Class attribute IETF-Class-25 (OU=group-policy) for the user, the threat defense device places the user in the group policy of the same name and enforces any attributes in that group policy that are not returned by the server.

  4. Group policy assigned by the Connection Profile (also known as Tunnel Group)—The Connection Profile has the preliminary settings for the connection, and includes a default group policy that is applied to the user before authentication.

Note
The threat defense device does not support inheriting system default attributes from the default group policy, DfltGrpPolicy. For the user session, the device uses the attributes of the group policy that you assign to the connection profile, unless the user attributes or the group policy returned by the AAA server override them.
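The precedence described above, modelled as an added example (this is hypothetical helper code, not Cisco's implementation): attribute sources are merged from lowest to highest precedence, the group policy is selected from a `Class` value of the form `OU=<name>`, and `DfltGrpPolicy` is never consulted. Attribute names and values are constructed samples, not real threat defense attribute identifiers.

```python
"""Model of the threat defense attribute precedence for one VPN session.

Hypothetical helper, not Cisco code: it merges per-source attribute
dictionaries in the documented order (DAP > AAA user attributes >
group policy named by the RADIUS Class attribute > connection-profile
default group policy) and never falls back to DfltGrpPolicy.
"""
from typing import Mapping, Optional


def group_policy_from_class(aaa_attrs: Mapping[str, str]) -> Optional[str]:
    """Return the group-policy name carried in IETF Class (attribute 25).

    The value is expected as 'OU=<group-policy>'; anything else is
    ignored, so the user keeps the connection profile's default policy.
    """
    value = aaa_attrs.get("Class", "")
    if value.startswith("OU="):
        name = value[3:].strip()
        return name or None
    return None


def effective_policy(dap: Mapping[str, str], aaa: Mapping[str, str],
                     group_policies: Mapping[str, Mapping[str, str]],
                     connection_profile_policy: str) -> dict:
    """Evaluate, merge and apply attributes; later layers override earlier."""
    layers = []
    # 4. Group policy assigned by the connection profile (tunnel group).
    layers.append(group_policies.get(connection_profile_policy, {}))
    # 3. Group policy selected by the RADIUS Class attribute, if it exists.
    selected = group_policy_from_class(aaa)
    if selected and selected in group_policies:
        layers.append(group_policies[selected])
    # 2. User attributes returned by the AAA server. Class only selects a
    #    policy, so it is not applied as a session attribute itself.
    layers.append({k: v for k, v in aaa.items() if k != "Class"})
    # 1. DAP attributes always take precedence.
    layers.append(dap)
    merged: dict = {}
    for layer in layers:
        merged.update(layer)
    # DfltGrpPolicy is deliberately never consulted: threat defense does
    # not inherit system default attributes from it.
    return merged
```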