
Cisco 5510 - ASA SSL / IPsec VPN Edition User Manual

2164 pages
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring Connection Profiles, Group Policies, and Users
Connection Profiles
General Connection Profile Connection Parameters
General parameters are common to all VPN connections. The general parameters include the following:

• Connection profile name—You specify a connection-profile name when you add or edit a
  connection profile. The following considerations apply:
  - For clients that use preshared keys to authenticate, the connection profile name is the same as
    the group name that a client passes to the ASA.
  - Clients that use certificates to authenticate pass this name as part of the certificate, and the ASA
    extracts the name from the certificate.
• Connection type—Connection types include IKEv1 remote-access, IPsec LAN-to-LAN, and
  AnyConnect (SSL/IKEv2). A connection profile can have only one connection type.
• Authentication, Authorization, and Accounting servers—These parameters identify the server
  groups or lists that the ASA uses for the following purposes:
  - Authenticating users
  - Obtaining information about services users are authorized to access
  - Storing accounting records
  A server group can consist of one or more servers.
• Default group policy for the connection—A group policy is a set of user-oriented attributes. The
  default group policy is the group policy whose attributes the ASA uses as defaults when
  authenticating or authorizing a tunnel user.
• Client address assignment method—This method includes values for one or more DHCP servers or
  address pools that the ASA assigns to clients.
• Override account disabled—This parameter lets you override the “account-disabled” indicator
  received from a AAA server.
• Password management—This parameter lets you warn a user that the current password is due to
  expire in a specified number of days (the default is 14 days), then offer the user the opportunity to
  change the password.
• Strip group and strip realm—These parameters direct the way the ASA processes the usernames it
  receives. They apply only to usernames received in the form user@realm.
  A realm is an administrative domain appended to a username with the @ delimiter (user@abc). If
  you strip the realm, the ASA uses the username and the group (if present) for authentication. If you
  strip the group, the ASA uses the username and the realm (if present) for authentication.
  Enter the strip-realm command to remove the realm qualifier, and enter the strip-group command to
  remove the group qualifier from the username during authentication. If you remove both qualifiers,
  authentication is based on the username alone. Otherwise, authentication is based on the full
  username@realm or username<delimiter>group string. You must specify strip-realm if your server
  is unable to parse delimiters.
  In addition, for L2TP/IPsec clients only, when you specify the strip-group command the ASA selects
  the connection profile (tunnel group) for user connections by obtaining the group name from the
  username presented by the VPN client.
• Authorization required—This parameter lets you require authorization before a user can connect, or
  turn off that requirement.
• Authorization DN attributes—This parameter specifies which Distinguished Name attributes to use
  when performing authorization.
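The general parameters listed above, set together on one remote-access connection profile in ASA CLI. This is an added example, not taken from the Cisco guide; the names RA-VPN, RA-GP, RADIUS-GRP and VPN-POOL and all addresses are constructed placeholders, and the RADIUS shared secret is omitted.

```cisco
! Constructed example: every name and address below is a placeholder.
! Supporting objects that the connection profile refers to.
ip local pool VPN-POOL 192.0.2.10-192.0.2.200 mask 255.255.255.0
aaa-server RADIUS-GRP protocol radius
aaa-server RADIUS-GRP (inside) host 198.51.100.10
group-policy RA-GP internal
!
! Connection profile name and connection type (one type per profile).
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
! Client address assignment method: hand out addresses from a local pool.
 address-pool VPN-POOL
! AAA server groups for authentication, authorization and accounting.
 authentication-server-group RADIUS-GRP
 authorization-server-group RADIUS-GRP
 accounting-server-group RADIUS-GRP
! Default group policy whose attributes are used as defaults for the user.
 default-group-policy RA-GP
! Authorization required: a user must be authorized before connecting.
 authorization-required
! Password management: warn 14 days before expiry and offer a change.
 password-management password-expire-in-days 14
! strip-realm sends "user" instead of "user@abc" to the AAA server, so
! accounts that differ only by realm are authenticated as the same name.
 strip-realm
! Group qualifier is left in place; the server receives user<delimiter>group.
 no strip-group
! Keep honoring the "account-disabled" indicator from the AAA server.
 no override-account-disable
```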
