1-69
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring Connection Profiles, Group Policies, and Users
Group Policies
Cisco LEAP authenticates wireless clients to RADIUS servers. It does not include RADIUS accounting
services.
This feature does not work as intended if you enable interactive hardware client authentication.
Caution There might be security risks to your network in allowing any unauthenticated traffic to traverse the
tunnel.
The following example shows how to set LEAP Bypass for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# leap-bypass enable
Enabling Network Extension Mode
Network extension mode lets hardware clients present a single, routable network to the remote private
network over the VPN tunnel. IPsec encapsulates all traffic from the private network behind the
hardware client to networks behind the ASA. PAT does not apply. Therefore, devices behind the ASA
have direct access to devices on the private network behind the hardware client over the tunnel, and only
over the tunnel, and vice versa. The hardware client must initiate the tunnel, but after the tunnel is up,
either side can initiate data exchange.
Enable network extension mode for hardware clients by entering the nem command with the enable
keyword in group-policy configuration mode:
hostname(config-group-policy)# nem {enable | disable}
hostname(config-group-policy)# no nem
To disable NEM, enter the disable keyword. To remove the NEM attribute from the running
configuration, enter the no form of this command. This option allows inheritance of a value from another
group policy.
The following example shows how to set NEM for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# nem enable
Configuring Backup Server Attributes
Configure backup servers if you plan on using them. IPsec backup servers let a VPN client connect to
the central site when the primary ASA is unavailable.When you configure backup servers, the ASA
pushes the server list to the client as the IPsec tunnel is established. Backup servers do not exist until
you configure them, either on the client or on the primary ASA.
Configure backup servers either on the client or on the primary ASA. If you configure backup servers
on the ASA, it pushes the backup server policy to the clients in the group, replacing the backup server
list on the client if one is configured.
Note If you are using hostnames, it is wise to have backup DNS and WINS servers on a separate network from
that of the primary DNS and WINS servers. Otherwise, if clients behind a hardware client obtain DNS
and WINS information from the hardware client via DHCP, and the connection to the primary server is
To Next Page
Loading...
Need help?
General
