Cisco 5510 - ASA SSL / IPsec VPN Edition Configuration Guide

1822 pages
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 64 General VPN Setup
Mapping Certificates to IPsec or SSL VPN Connection Profiles
is meaningful only when you have also checked the Enable Group Lookup box. When you append
a group name to a username using a delimiter, and enable Group Lookup, the adaptive security
appliance interprets all characters to the left of the delimiter as the username, and those to the right
as the group name. Valid group delimiters are the @, #, and ! characters, with the @ character as the
default for Group Lookup. You append the group to the username in the format
username<delimiter>group, the possibilities being, for example, JaneDoe@VPNGroup,
JaneDoe#VPNGroup, and JaneDoe!VPNGroup.
• Password Management—Lets you configure parameters relevant to overriding an account-disabled indication from a AAA server and to notifying users about password expiration.
  – Override account-disabled indication from AAA server—Overrides an account-disabled indication from a AAA server.
    Note: Allowing override account-disabled is a potential security risk.
  – Enable notification upon password expiration to allow user to change password—Checking this check box makes the following two parameters available. If you do not also check the Enable notification prior to expiration check box, the user receives notification only after the password has expired.
  – Enable notification prior to expiration—When you check this option, the adaptive security appliance notifies the remote user at login that the current password is about to expire or has expired, then offers the user the opportunity to change the password. If the current password has not yet expired, the user can still log in using that password. This parameter is valid for AAA servers that support such notification; that is, RADIUS, RADIUS with an NT server, and LDAP servers. The adaptive security appliance ignores this command if RADIUS or LDAP authentication has not been configured.
    Note that this does not change the number of days before the password expires, but rather, it enables the notification. If you check this check box, you must also specify the number of days.
  – Notify...days prior to expiration—Specifies the number of days before the current password expires to notify the user of the pending expiration. The range is 1 through 180 days.
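An audit check for the Password Management settings above, as an added example that is not part of the Cisco guide. It scans a saved ASA configuration for tunnel groups that enable the account-disabled override or carry a notification period outside 1 through 180 days. The CLI keywords `override-account-disable` and `password-management password-expire-in-days` do not appear on this page; treating them as the counterparts of the ASDM check boxes is an assumption, and the sample configuration and group names are constructed.

```python
import re

# Constructed running-config fragment (not from the guide). The keywords are
# assumed to be the CLI counterparts of the ASDM check boxes described above.
SAMPLE_CONFIG = """\
tunnel-group RemoteStaff type remote-access
tunnel-group RemoteStaff general-attributes
 authentication-server-group LDAP-SRV
 password-management password-expire-in-days 14
tunnel-group Contractors general-attributes
 authentication-server-group RADIUS-SRV
 override-account-disable
 password-management
tunnel-group Legacy general-attributes
 authentication-server-group LOCAL
"""

def audit_tunnel_groups(config_text):
    """Map each tunnel group to its password-management related settings."""
    groups, current = {}, None
    for line in config_text.splitlines():
        header = re.match(r"tunnel-group (\S+) general-attributes\s*$", line)
        if header:
            current = groups.setdefault(
                header.group(1),
                {"override": False, "pw_mgmt": False, "notify_days": None})
            continue
        if not line.startswith(" "):
            current = None  # any other top-level line ends the block
        if current is None:
            continue
        words = line.split()
        if words == ["override-account-disable"]:
            current["override"] = True
        elif words and words[0] == "password-management":
            current["pw_mgmt"] = True
            if len(words) == 3 and words[1] == "password-expire-in-days":
                current["notify_days"] = int(words[2])
    return groups

def findings(groups):
    # One (group, message) pair per setting that deserves a reviewer's attention.
    out = []
    for name, g in sorted(groups.items()):
        if g["override"]:
            out.append((name, "override-account-disable is set"))
        if not g["pw_mgmt"]:
            out.append((name, "password-management not configured"))
        elif g["notify_days"] is not None and not 1 <= g["notify_days"] <= 180:
            out.append((name, "notify days outside 1-180"))
    return out
```

Running `findings(audit_tunnel_groups(SAMPLE_CONFIG))` on the constructed sample reports the Contractors group for the override and the Legacy group for having no password-management line.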
Modes
The following table shows the modes in which this feature is available:

Firewall Mode            Security Context
Routed   Transparent     Single   Multiple (Context)   Multiple (System)
•        —               •        —                    —

Add/Edit Tunnel Group > IPsec for LAN to LAN Access > IPsec
The Add or Edit Tunnel Group dialog box for IPsec for Site-to-Site access, IPsec dialog box, lets you configure or edit IPsec Site-to-Site-specific tunnel group parameters.
Fields
• Name—Specifies the name assigned to this tunnel group. For the Edit function, this field is display-only.
