30-9
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 30 Configuring Tunnel Groups, Group Policies, and Users
Configuring Tunnel Groups
If the server is an LDAP server, you can specify the number of days (0 through 180) before expiration
to begin warning the user about the pending expiration:
hostname(config-tunnel-general)# password-management [password-expire in days n]
hostname(config-tunnel-general)#
Note The password-management command, entered in tunnel-group general-attributes
configuration mode replaces the deprecated radius-with-expiry command that was formerly
entered in tunnel-group ipsec-attributes mode.
When you configure this command, the security appliance notifies the remote user at login that the user’s
current password is about to expire or has expired. The security appliance then offers the user the
opportunity to change the password. If the current password has not yet expired, the user can still log in
using that password. The security appliance ignores this command if RADIUS or LDAP authentication
has not been configured.
Note that this does not change the number of days before the password expires, but rather, the number
of days ahead of expiration that the security appliance starts warning the user that the password is about
to expire.
If you do specify the password-expire-in-days keyword, you must also specify the number of days.
Specifying this command with the number of days set to 0 disables this command. The security appliance
does not notify the user of the pending expiration, but the user can change the password after it expires.
See Configuring Microsoft Active Directory Settings for Password Management, page 30-24 for more
information.
Note The radius-with-expiry command, formerly configured as part of tunnel-group ipsec-ra
configuration, is deprecated. The password-management command, entered in tunnel-group
general-attributes mode, replaces it.
Step 10 Optionally, configure the ability to override an account-disabled indicator from a AAA server, by
entering the override-account-disable command:
hostname(config-tunnel-general)# override-account-disable
hostname(config-tunnel-general)#
Note Allowing override-account-disable is a potential security risk.
Step 11 Specify the attribute or attributes to use in deriving a name for an authorization query from a certificate.
This attribute specifies what part of the subject DN field to use as the username for authorization:
hostname(config-tunnel-ipsec)# authorization-dn-attributes {primary-attribute
[secondary-attribute] | use-entire-name}
For example, the following command specifies the use of the CN attribute as the username for
authorization:
hostname(config-tunnel-ipsec)# hostname(config-ipsec)# authorization-dn-attributes CN
hostname(config-tunnel-ipsec)#
To Next Page
Loading...
