Cisco ASA 5505 Configuration Manual page 1407

Asa 5500 series

Chapter 64
General VPN Setup
Mapping Certificates to IPsec or SSL VPN Connection Profiles
OL-20339-01

Modes
The following table shows the modes in which this feature is available:
Table columns: Firewall Mode (Routed, Transparent); Security Context (Single; Multiple: Context, System)

Configuring Internal Group Policy IPsec Client Attributes
Use this dialog box to specify whether to strip the realm and group from the username before passing them to the AAA server, and to specify password management options.

Fields
- Strip the realm from username before passing it on to the AAA server—Enables or disables stripping the realm (administrative domain) from the username before passing the username on to the AAA server. Check the Strip Realm check box to remove the realm qualifier of the username during authentication. You can append the realm name to the username for AAA: authorization, authentication and accounting. The only valid delimiter for a realm is the @ character. The format is username@realm, for example, JaneDoe@it.cisco.com. If you check this Strip Realm check box, authentication is based on the username alone. Otherwise, authentication is based on the full username@realm string. You must check this box if your server is unable to parse delimiters.
- Strip the group—Not available for Clientless SSL VPN.
- Password Management—Lets you configure parameters relevant to overriding an account-disabled indication from a AAA server and to notifying users about password expiration.
  - Override account-disabled indication from AAA server—Overrides an account-disabled indication from a AAA server.
    Note: Allowing override account-disabled is a potential security risk.
  - Enable notification upon password expiration to allow user to change password—Checking this check box makes the following two parameters available. If you do not also check the Enable notification prior to expiration check box, the user receives notification only after the password has expired.
    - Enable notification prior to expiration—When you check this option, the adaptive security appliance notifies the remote user at login that the current password is about to expire or has expired, then offers the user the opportunity to change the password. If the current password has not yet expired, the user can still log in using that password. This parameter is valid for AAA servers that support such notification; that is, RADIUS, RADIUS with an NT server, and LDAP servers. The adaptive security appliance ignores this command if RADIUS or LDAP authentication has not been configured.
      Note that this does not change the number of days before the password expires, but rather, it enables the notification. If you check this check box, you must also specify the number of days.
    - Notify...days prior to expiration—Specifies the number of days before the current password expires to notify the user of the pending expiration. The range is 1 through 180 days.
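
As an added example (not part of the Cisco guide), this Python script audits a saved running-config for the two caveats in the Password Management fields: connection profiles that override the account-disabled indication, and password management configured where authentication is not RADIUS or LDAP. It assumes the CLI counterparts of these check boxes (`override-account-disable`, `password-management` and `authentication-server-group` under `tunnel-group ... general-attributes`, plus `aaa-server ... protocol`); the sample configuration and all names in it are constructed.

```python
import re

# Constructed sample; names are hypothetical, keywords are the assumed CLI counterparts.
SAMPLE_CONFIG = """\
aaa-server LDAP-CORP protocol ldap
aaa-server TAC-OPS protocol tacacs+
tunnel-group RA-STAFF general-attributes
 authentication-server-group LDAP-CORP
 strip-realm
 password-management password-expire-in-days 14
tunnel-group RA-VENDOR general-attributes
 authentication-server-group LDAP-CORP
 override-account-disable
tunnel-group RA-OPS general-attributes
 authentication-server-group TAC-OPS
 password-management password-expire-in-days 7
"""

def parse_profiles(config_text):
    """Collect AAA server protocols and per-profile general-attributes."""
    protocols, profiles, current = {}, {}, None
    for line in config_text.splitlines():
        if not line.startswith(" "):                  # top-level statement
            current = None
            m = re.match(r"aaa-server (\S+) protocol (\S+)", line)
            if m:
                protocols[m.group(1)] = m.group(2).lower()
            m = re.match(r"tunnel-group (\S+) general-attributes\s*$", line)
            if m:
                current = profiles.setdefault(m.group(1), {})
        elif current is not None:                     # indented sub-command
            key, _, rest = line.strip().partition(" ")
            current[key] = rest
    return protocols, profiles

def audit(config_text):
    """Return (profile, finding) pairs for the two caveats on this page."""
    protocols, profiles = parse_profiles(config_text)
    findings = []
    for name, attrs in sorted(profiles.items()):
        if "override-account-disable" in attrs:
            findings.append((name, "account-disabled indication from AAA is overridden"))
        if "password-management" in attrs:
            group = attrs.get("authentication-server-group", "LOCAL").split()[0]
            if protocols.get(group) not in ("radius", "ldap"):
                findings.append((name, "password-management ignored: no RADIUS/LDAP authentication"))
    return findings

if __name__ == "__main__":
    print(*(f"{p}: {f}" for p, f in audit(SAMPLE_CONFIG)), sep="\n")
```

A profile with no `authentication-server-group` line is treated as LOCAL authentication, so password management on it is reported as ignored.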
Cisco ASA 5500 Series Configuration Guide using ASDM
64-97
