We use AnyConnect for our remote access solution, and one of the issues I have is with other admins not putting users into the right group policy, or not putting them into a group at all. What happens then is that they fall into DfltGrpPolicy, which is definitely not where I want them, since it doesn't have the customization each of the different groups has.
Since McAfee Enterprise Security Manager is monitoring my ASA and all of its logs are going to it, building an alert to notify me when someone lands in this group shouldn't be an issue. Here is what we are going to do:
First, identify the group. In this case I want to know when people get assigned the DfltGrpPolicy group policy.
Then we build an alarm that fires whenever ESM sees DfltGrpPolicy in the Object field. Since no one should be pulling this group for any reason, anyone who is in it is misconfigured and needs to be moved to the appropriate group.
1. Go to System Properties and then click on Alarms.
2. Choose an assignee and give the alarm a name.
3. Choose Type: Field Match, Field: Object, Value: DfltGrpPolicy, and select the device entry for your Cisco ASA.
4. Choose your actions. In my case I am going to have it email me when it sees a match. I am also going to customize the template so it only sends me the relevant information, such as the misconfigured user and the group they are in.
5. I leave Escalation blank.
6. Click Finish and you are done.
Now sit back and admire your work; you should now be alerted whenever someone is misconfigured.
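If you want to sanity-check the alarm logic outside of ESM (for example, to confirm which ASA messages actually carry the group policy name before you trust the Field Match), the following Python script is an added example and not part of the original post or of McAfee's or Cisco's tooling. It parses constructed sample ASA syslog lines, picks out the group policy assignment messages, and flags any assignment to DfltGrpPolicy with the same two pieces of information the customized email template above sends: the user and the group they ended up in. The sample lines are constructed; their wording follows Cisco ASA messages 113009 (default group policy retrieved) and 113011 (user-specific group policy retrieved), but treat the exact text as an assumption to verify against your own ASA version.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample ASA syslog lines (not taken from the original post).
# Message IDs 113009/113011 are Cisco's group policy retrieval messages;
# the exact wording here is an assumption to check against your ASA logs.
SAMPLE_LOGS = [
    "<166>Jun 14 10:01:02 asa-edge %ASA-6-113011: AAA retrieved user specific "
    "group policy (GP-Engineering) for user = jdoe",
    "<166>Jun 14 10:02:15 asa-edge %ASA-6-113009: AAA retrieved default "
    "group policy (DfltGrpPolicy) for user = msmith",
    "<166>Jun 14 10:03:44 asa-edge %ASA-6-113011: AAA retrieved user specific "
    "group policy (DfltGrpPolicy) for user = contractor1",
    "<166>Jun 14 10:04:10 asa-edge %ASA-6-302013: Built inbound TCP connection "
    "12345 for outside:203.0.113.5/51000 (203.0.113.5/51000) "
    "to inside:10.0.0.5/443 (10.0.0.5/443)",
]

# Matches both the "default" and "user specific" group policy messages and
# captures the timestamp, reporting host, message ID, policy name and user.
GROUP_POLICY_RE = re.compile(
    r"(?:<\d+>)?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) %ASA-\d-(?P<msgid>\d{6}): AAA retrieved "
    r"(?:default|user specific) group policy \((?P<policy>[^)]+)\) "
    r"for user = (?P<user>\S+)"
)

# The group policy the alarm watches for; mirrors the Field Match value above.
WATCHED_POLICY = "DfltGrpPolicy"


@dataclass
class GroupAssignment:
    timestamp: str
    host: str
    msgid: str
    user: str
    policy: str


def parse_group_assignment(line: str) -> Optional[GroupAssignment]:
    """Return the group policy assignment in a syslog line, or None if the
    line is some other ASA message."""
    m = GROUP_POLICY_RE.search(line)
    if not m:
        return None
    return GroupAssignment(
        timestamp=m.group("ts"),
        host=m.group("host"),
        msgid=m.group("msgid"),
        user=m.group("user"),
        policy=m.group("policy"),
    )


def find_misconfigured(lines: List[str],
                       watched: str = WATCHED_POLICY) -> List[GroupAssignment]:
    """Equivalent of the ESM alarm: every assignment whose policy (the
    Object field in ESM terms) equals the watched group policy."""
    hits = []
    for line in lines:
        assignment = parse_group_assignment(line)
        if assignment is not None and assignment.policy == watched:
            hits.append(assignment)
    return hits


def render_alert(a: GroupAssignment) -> str:
    """Build the trimmed-down notification body: just the user and the
    group they were placed in, plus where and when it was seen."""
    return (f"[{a.host} {a.timestamp}] user '{a.user}' was assigned "
            f"group policy '{a.policy}' (ASA msg {a.msgid}); "
            f"move them to the correct group.")


if __name__ == "__main__":
    for hit in find_misconfigured(SAMPLE_LOGS):
        print(render_alert(hit))
```

Running it prints one line for msmith and one for contractor1 and nothing for jdoe, which is the behaviour the ESM alarm should reproduce. Note the third sample line: a user can land in DfltGrpPolicy through the user-specific message as well as the default one, so matching on the policy name in the Object field, as the alarm does, catches both; matching only on message ID 113009 would miss that case.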