64-98
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 64      General VPN Setup
  Mapping Certificates to IPsec or SSL VPN Connection Profiles
Note You can append both the realm and the group to a username, in which case the adaptive security 
appliance uses parameters configured for the group and for the realm for AAA functions. The 
format for this option is username[@realm][<# or !>group], for example, 
JaneDoe@it.cisco.com#VPNGroup. If you choose this option, you must use either the # or ! 
character for the group delimiter because the adaptive security appliance cannot interpret the @ 
as a group delimiter if it is also present as the realm delimiter.
A Kerberos realm is a special case. The convention in naming a Kerberos realm is to capitalize 
the DNS domain name associated with the hosts in the Kerberos realm. For example, if users are 
in the it.cisco.com domain, you might call your Kerberos realm IT.CISCO.COM.
The adaptive security appliance does not include support for the user@grouppolicy, as the VPN 
3000 Concentrator did. Only the L2TP/IPsec client supports the tunnel switching via 
user@tunnelgroup.
• Strip the group from the username before passing it on to the AAA server—Enables or disables 
stripping the group name from the username before passing the username on to the AAA server. 
Check Strip Group to remove the group name from the username during authentication. This option 
is meaningful only when you have also checked the Enable Group Lookup box. When you append 
a group name to a username using a delimiter, and enable Group Lookup, the adaptive security 
appliance interprets all characters to the left of the delimiter as the username, and those to the right 
as the group name. Valid group delimiters are the @, #, and ! characters, with the @ character as the 
default for Group Lookup. You append the group to the username in the format 
username<delimiter>group, the possibilities being, for example, JaneDoe@VPNGroup, 
JaneDoe#VPNGroup, and JaneDoe!VPNGroup.
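The username, realm and group splitting described in the Note above and in the Strip Group option, modelled as an added Python example. This is not Cisco code and not the appliance's parser; splitting on the first occurrence of the delimiter and keeping the realm in the name sent to the AAA server are assumptions of the model, not statements from the guide.

```python
# Added illustration of the username/realm/group split this page describes.
# It is not Cisco code; it models only the stated rules: Group Lookup splits
# on one configured delimiter (@, #, or !), a realm is always appended with
# @, and when a realm is present the group delimiter must be # or !.
from dataclasses import dataclass
from typing import Optional

GROUP_DELIMITERS = ("@", "#", "!")   # valid Group Lookup delimiters; @ is the default
REALM_DELIMITER = "@"                # realms are always appended with @


@dataclass(frozen=True)
class ParsedLogin:
    user: str
    realm: Optional[str]
    group: Optional[str]
    aaa_username: str   # what is handed to the AAA server after optional stripping


def parse_login(raw: str, group_delimiter: str = "@",
                group_lookup: bool = True, strip_group: bool = True) -> ParsedLogin:
    """Split a typed login the way the page says the appliance does."""
    if group_delimiter not in GROUP_DELIMITERS:
        raise ValueError(f"group delimiter must be one of {GROUP_DELIMITERS}")
    rest, group = raw, None
    if group_lookup and group_delimiter in raw:
        # Everything left of the delimiter is the username, everything right
        # is the group. Splitting on the first occurrence is an assumption of
        # this model; the page does not say which occurrence is used.
        rest, group = raw.split(group_delimiter, 1)
    user, realm = rest, None
    if REALM_DELIMITER in rest and not (group_lookup and group_delimiter == REALM_DELIMITER):
        # @ can only mark a realm when it is not also the group delimiter.
        user, realm = rest.split(REALM_DELIMITER, 1)
    # Strip Group removes the group portion only; the realm stays attached
    # (the page does not describe stripping the realm, so this model keeps it).
    aaa_username = rest if (group_lookup and strip_group) else raw
    return ParsedLogin(user, realm, group, aaa_username)


def realm_and_group_compatible(group_delimiter: str) -> bool:
    """True when the delimiter can coexist with @-appended realms (# or !)."""
    return group_delimiter in ("#", "!")


if __name__ == "__main__":
    print(parse_login("JaneDoe@it.cisco.com#VPNGroup", "#"))
    # With @ as the group delimiter a realm is misread as the group name:
    print(parse_login("JaneDoe@it.cisco.com", "@"))
```

The second call in the demo shows the ambiguity the Note warns about: with @ as the group delimiter, it.cisco.com is taken as the group rather than the realm.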
• Password Management—Lets you configure parameters relevant to overriding an account-disabled 
indication from a AAA server and to notifying users about password expiration.
– Override account-disabled indication from AAA server—Overrides an account-disabled 
indication from a AAA server.
Note Allowing override account-disabled is a potential security risk.
– Enable notification upon password expiration to allow user to change password—Checking this 
check box makes the following two parameters available. You can select either to notify the user 
at login a specific number of days before the password expires or to notify the user only on the 
day that the password expires. The default is to notify the user 14 days prior to password 
expiration and every day thereafter until the user changes the password. The range is 1 through 
180 days.
Note This does not change the number of days before the password expires, but rather, it enables 
the notification. If you select this option, you must also specify the number of days.
In either case, if the password expires without being changed, the adaptive security 
appliance offers the user the opportunity to change the password. If the current password has 
not yet expired, the user can still log in using that password. 
This parameter is valid for AAA servers that support such notification; that is, RADIUS, 
RADIUS with an NT server, and LDAP servers. The adaptive security appliance ignores this 
command if RADIUS or LDAP authentication has not been configured.