Cisco ASA Series CLI Configuration Guide
Chapter 1      Configuring Connection Profiles, Group Policies, and Users
Connection Profiles
General Connection Profile Connection Parameters
General parameters are common to all VPN connections. The general parameters include the following:
• Connection profile name—You specify a connection-profile name when you add or edit a connection profile. The following considerations apply:
– For clients that use preshared keys to authenticate, the connection profile name is the same as the group name that a client passes to the ASA.
– Clients that use certificates to authenticate pass this name as part of the certificate, and the ASA extracts the name from the certificate.
• Connection type—Connection types include IKEv1 remote-access, IPsec LAN-to-LAN, and AnyConnect (SSL/IKEv2). A connection profile can have only one connection type.
• Authentication, Authorization, and Accounting servers—These parameters identify the server groups or lists that the ASA uses for the following purposes:
– Authenticating users
– Obtaining information about services users are authorized to access
– Storing accounting records
A server group can consist of one or more servers.
• Default group policy for the connection—A group policy is a set of user-oriented attributes. The 
default group policy is the group policy whose attributes the ASA uses as defaults when 
authenticating or authorizing a tunnel user.
• Client address assignment method—This method includes values for one or more DHCP servers or 
address pools that the ASA assigns to clients.
• Override account disabled—This parameter lets you override the “account-disabled” indicator 
received from a AAA server.
• Password management—This parameter lets you warn a user that the current password is due to 
expire in a specified number of days (the default is 14 days), then offer the user the opportunity to 
change the password.
• Strip group and strip realm—These parameters direct the way the ASA processes the usernames it 
receives. They apply only to usernames received in the form user@realm.
A realm is an administrative domain appended to a username with the @ delimiter (user@abc). If 
you strip the realm, the ASA uses the username and the group (if present) for authentication. If you 
strip the group, the ASA uses the username and the realm (if present) for authentication. 
Enter the strip-realm command to remove the realm qualifier, and enter the strip-group command to remove the group qualifier from the username during authentication. If you remove both qualifiers, authentication is based on the username alone. Otherwise, authentication is based on the full username@realm or username<delimiter>group string. You must specify strip-realm if your server is unable to parse delimiters.
In addition, for L2TP/IPsec clients only, when you specify the strip-group command the ASA selects 
the connection profile (tunnel group) for user connections by obtaining the group name from the 
username presented by the VPN client.
• Authorization required—This parameter lets you require authorization before a user can connect, or 
turn off that requirement.
• Authorization DN attributes—This parameter specifies which Distinguished Name attributes to use 
when performing authorization.
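The following is an added illustration, not code from the guide or from Cisco, of the username-processing rules described under "Strip group and strip realm" above: it models which identity string reaches the AAA server for each combination of strip-realm and strip-group, and how, for L2TP/IPsec with strip-group, the tunnel group is taken from the presented username. The realm delimiter is "@" as the guide states; the group delimiter "#" is an assumption for this model, as is the simplification that the group qualifier precedes the realm qualifier.

```python
from dataclasses import dataclass
from typing import Optional

REALM_DELIM = "@"   # per the guide: user@realm
GROUP_DELIM = "#"   # assumption for this model; the guide only says "<delimiter>"


@dataclass
class ParsedName:
    user: str
    realm: Optional[str]
    group: Optional[str]


def parse_username(raw: str) -> ParsedName:
    """Split a presented username into user, optional group, optional realm.
    Assumed layout: user[<delim>group][@realm]. Missing qualifiers are None."""
    name, realm, group = raw, None, None
    if REALM_DELIM in name:
        name, realm = name.split(REALM_DELIM, 1)
    if GROUP_DELIM in name:
        name, group = name.split(GROUP_DELIM, 1)
    return ParsedName(user=name, realm=realm, group=group)


def auth_identity(raw: str, strip_realm: bool, strip_group: bool) -> str:
    """Identity string sent for authentication after applying strip-realm /
    strip-group. With both set, only the bare username is used."""
    p = parse_username(raw)
    ident = p.user
    if p.group is not None and not strip_group:
        ident += GROUP_DELIM + p.group
    if p.realm is not None and not strip_realm:
        ident += REALM_DELIM + p.realm
    return ident


def l2tp_tunnel_group(raw: str, strip_group: bool, default_group: str) -> str:
    """L2TP/IPsec only: with strip-group, the ASA picks the connection profile
    from the group name in the username; otherwise the default applies."""
    p = parse_username(raw)
    if strip_group and p.group is not None:
        return p.group
    return default_group


if __name__ == "__main__":
    sample = "alice#sales@corp.example"  # constructed sample username
    for sr, sg in [(False, False), (True, False), (False, True), (True, True)]:
        print(f"strip-realm={sr} strip-group={sg}: {auth_identity(sample, sr, sg)}")
```

Run as-is to see all four strip combinations for the constructed sample; a server that cannot parse delimiters is the case where strip-realm must be set, which here corresponds to the outputs with strip_realm=True.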