
Cisco 5510 - ASA SSL / IPsec VPN Edition Configuration Guide

Cisco 5510 - ASA SSL / IPsec VPN Edition
1822 pages
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 64 General VPN Setup
Mapping Certificates to IPsec or SSL VPN Connection Profiles
Add/Edit Tunnel Group > IPsec for LAN to LAN Access > General > Basic
In the Add or Edit Tunnel Group dialog box for Site-to-Site Remote Access, use the General, Basic dialog
box to specify a name for the tunnel group that you are adding (Add function only) and to select the
group policy.
In the Edit Tunnel Group dialog box, the General dialog box displays the name and type of the tunnel
group you are modifying.
Fields
• Name—Specifies the name assigned to this tunnel group. For the Edit function, this field is
display-only.
• Type—(Display-only) Displays the type of tunnel group you are adding or editing. The contents of
this field depend on your selection on the previous dialog box.
• Group Policy—Lists the currently configured group policies. The default value is the default group
policy, DfltGrpPolicy.
• Strip the realm (administrative domain) from the username before passing it on to the AAA
server—Enables or disables stripping the realm from the username before passing the username on
to the AAA server. Check the Strip Realm check box to remove the realm qualifier of the username
during authentication. You can append the realm name to the username for AAA: authorization,
authentication and accounting. The only valid delimiter for a realm is the @ character. The format
is username@realm, for example, JaneDoe@it.cisco.com. If you check this Strip Realm check box,
authentication is based on the username alone. Otherwise, authentication is based on the full
username@realm string. You must check this box if your server is unable to parse delimiters.
Note You can append both the realm and the group to a username, in which case the adaptive security
appliance uses parameters configured for the group and for the realm for AAA functions. The
format for this option is username[@realm][<# or !>group], for example,
JaneDoe@it.cisco.com#VPNGroup. If you choose this option, you must use either the # or !
character for the group delimiter because the adaptive security appliance cannot interpret the @
as a group delimiter if it is also present as the realm delimiter.
A Kerberos realm is a special case. The convention in naming a Kerberos realm is to capitalize
the DNS domain name associated with the hosts in the Kerberos realm. For example, if users are
in the it.cisco.com domain, you might call your Kerberos realm IT.CISCO.COM.
The adaptive security appliance does not support the user@grouppolicy format, as the VPN
3000 Concentrator did. Only the L2TP/IPsec client supports tunnel switching via
user@tunnelgroup.
• Strip the group from the username before passing it on to the AAA server—Enables or disables
stripping the group name from the username before passing the username on to the AAA server.
Check Strip Group to remove the group name from the username during authentication. This option
Firewall Mode            Security Context
Routed   Transparent     Single   Multiple Context   Multiple System
•        —               •        —                  —
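The username format and the two strip options described above can be modelled as follows, for example to predict which identity string a AAA server log should contain. This is an added example, not Cisco code or the appliance's implementation; the function names are hypothetical, and splitting at the first delimiter and treating the two options as independent are assumptions.

```python
# Added illustration of the documented format username[@realm][<# or !>group].
# Not Cisco's implementation; names and tie-breaking rules are assumptions.
from typing import NamedTuple, Optional

REALM_DELIM = "@"    # the only valid realm delimiter, per the text
GROUP_DELIMS = "#!"  # the group delimiter must be # or !, per the Note


class ParsedLogin(NamedTuple):
    user: str
    realm: Optional[str]
    group: Optional[str]
    group_delim: Optional[str]


def parse_login(raw: str) -> ParsedLogin:
    """Split a login string into user, realm and group parts."""
    # Assumption: the group starts at the first # or ! in the string.
    hits = [i for i in (raw.find(d) for d in GROUP_DELIMS) if i != -1]
    head, delim, group = raw, None, None
    if hits:
        idx = min(hits)
        head, delim, group = raw[:idx], raw[idx], raw[idx + 1:]
    # Assumption: the realm starts at the first @ before the group.
    user, sep, realm = head.partition(REALM_DELIM)
    if not user or (sep and not realm) or (delim and not group):
        raise ValueError(f"malformed login string: {raw!r}")
    return ParsedLogin(user, realm if sep else None, group, delim)


def aaa_username(raw: str, strip_realm: bool = False,
                 strip_group: bool = False) -> str:
    """Return the string that would be passed on to the AAA server."""
    p = parse_login(raw)
    name = p.user
    if p.realm and not strip_realm:
        name += REALM_DELIM + p.realm
    if p.group and not strip_group:
        name += p.group_delim + p.group
    return name


if __name__ == "__main__":
    sample = "JaneDoe@it.cisco.com#VPNGroup"  # example string from the Note
    for sr in (False, True):
        for sg in (False, True):
            print(f"strip_realm={sr!s:5} strip_group={sg!s:5} ->",
                  aaa_username(sample, sr, sg))
```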
