Cisco ASA Series CLI Configuration Guide
 
Chapter 1      Configuring Connection Profiles, Group Policies, and Users
  Configuring Connection Profiles
The following example, entered in global configuration mode, creates an IPsec remote access tunnel 
group named remotegrp, enables getting the username from a certificate, and specifies that the name for 
an authentication or authorization query for an SSL VPN client must be derived from a digital certificate:
hostname(config)# tunnel-group remotegrp type ipsec_ra
hostname(config)# tunnel-group remotegrp general-attributes
hostname(config-tunnel-general)# username-from-certificate CN OU
hostname(config)# tunnel-group remotegrp webvpn-attributes
hostname(config-tunnel-webvpn)# pre-fill-username ssl-client
hostname(config-tunnel-webvpn)# 
Step 9 (Optional) To specify whether to override the group policy or username attributes configuration for 
downloading an AnyConnect or SSL VPN client, use the override-svc-download command. This 
feature is disabled by default.
The security appliance allows clientless or AnyConnect client connections for remote users based on 
whether clientless and/or SSL VPN is enabled in the group policy or username attributes with the 
vpn-tunnel-protocol command. The anyconnect ask command further modifies the client user 
experience by prompting the user to download the client or return to the WebVPN home page.
However, you might want clientless users logging in under specific tunnel groups to not experience 
delays waiting for the download prompt to expire before being presented with the clientless SSL VPN 
home page. You can prevent delays for these users at the connection profile level with the 
override-svc-download command. This command causes users logging in through a connection profile to 
be immediately presented with the clientless SSL VPN home page regardless of the 
vpn-tunnel-protocol or anyconnect ask command settings.
In the following example, you enter tunnel-group webvpn attributes configuration mode for the 
connection profile engineering and enable the connection profile to override the group policy and 
username attribute settings for client download prompts:
hostname(config)# tunnel-group engineering webvpn-attributes
hostname(config-tunnel-webvpn)# override-svc-download
Step 10 (Optional) To enable the display of a RADIUS reject message on the login screen when authentication 
is rejected, use the radius-reject-message command.
The following example enables the display of a RADIUS rejection message for the connection profile 
named engineering:
hostname(config)# tunnel-group engineering webvpn-attributes
hostname(config-tunnel-webvpn)# radius-reject-message
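To confirm which connection profiles carry the settings from the certificate-username example and Steps 9 and 10, a saved configuration can be audited offline. The following Python script is an added example, not part of the Cisco guide: the running-config excerpt is constructed from the commands on this page and assumes subcommands appear indented under each tunnel-group attributes line, and the function names parse_profiles and review are hypothetical.

```python
import re

# Constructed sample: running-config excerpt assembled from the commands on this page.
SAMPLE_CONFIG = """\
tunnel-group remotegrp general-attributes
 username-from-certificate CN OU
tunnel-group remotegrp webvpn-attributes
 pre-fill-username ssl-client
tunnel-group engineering webvpn-attributes
 override-svc-download
 radius-reject-message
"""

SECTION = re.compile(r"^tunnel-group (\S+) (\S+)-attributes\s*$")
WATCHED = {("general", "username-from-certificate"), ("webvpn", "pre-fill-username"),
           ("webvpn", "override-svc-download"), ("webvpn", "radius-reject-message")}

def parse_profiles(config):
    """Return {profile: {command: arguments}} for the watched commands."""
    profiles, current = {}, None
    for line in config.splitlines():
        match = SECTION.match(line)
        if match:
            current = match.groups()          # (profile name, attribute mode)
            profiles.setdefault(current[0], {})
        elif not line.startswith(" "):
            current = None                    # left the tunnel-group section
        elif current:
            words = line.split()
            # "no ..." lines disable a setting, so they are not recorded as enabled
            if words and words[0] != "no" and (current[1], words[0]) in WATCHED:
                profiles[current[0]][words[0]] = " ".join(words[1:])
    return profiles

def review(profiles):
    """List per-profile settings an administrator should confirm are intended."""
    findings = []
    for name, cmds in sorted(profiles.items()):
        if "override-svc-download" in cmds:
            findings.append(f"{name}: overrides group-policy/username client download settings")
        if "radius-reject-message" in cmds:
            findings.append(f"{name}: shows the RADIUS reject message on the login screen")
    return findings

if __name__ == "__main__":
    for finding in review(parse_profiles(SAMPLE_CONFIG)):
        print(finding)
```

Both optional features are disabled by default according to Step 9 and only appear when configured, so any profile listed by review is one where an administrator turned the setting on.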
Customizing Login Windows for Users of Clientless SSL VPN Sessions
You can set up different login windows for different groups by using a combination of customization 
profiles and connection profiles. For example, assuming that you had created a customization profile 
called salesgui, you can create a connection profile for clientless SSL VPN sessions called sales that uses 
that customization profile, as the following example shows:
Step 1 In webvpn mode, define a customization for clientless SSL VPN access, in this case named salesgui, and 
change the default logo to mycompanylogo.gif. You must have previously loaded mycompanylogo.gif 
onto the flash memory of the ASA and saved the configuration. See Chapter 77, “Configuring 
Clientless SSL VPN,” for details.
hostname# webvpn