Cisco PIX 500 Series Configuration Manual page 637

Chapter 30 Configuring Connection Profiles, Group Policies, and Users
hostname(config-tunnel-general)# accounting-server-group comptroller
hostname(config-tunnel-general)#
Step 7 Optionally, specify the name of the default group policy. The default value is DfltGrpPolicy:
hostname(config-tunnel-general)# default-group-policy policyname
hostname(config-tunnel-general)#
The following example sets MyDfltGrpPolicy as the name of the default group policy:
hostname(config-tunnel-general)# default-group-policy MyDfltGrpPolicy
hostname(config-tunnel-general)#
Optionally, specify the name or IP address of the DHCP server (up to 10 servers), and the names of the
Step 8
DHCP address pools (up to 6 pools). Separate the list items with spaces. The defaults are no DHCP
server and no address pool.
hostname(config-tunnel-general)# dhcp-server server1 [ ...server10 ]
hostname(config-tunnel-general)# address-pool [(interface name)] address_pool1
[...address_pool6]
hostname(config-tunnel-general)#
Note
You configure address pools with the ip local pool command in global configuration mode. See
Chapter 31, "Configuring IP Addresses for VPNs"
Optionally, if your server is a RADIUS, RADIUS with NT, or LDAP server, you can enable password
Step 9
management.
If you are using an LDAP directory server for authentication, password management is supported with
Note
the Sun Microsystems JAVA System Directory Server (formerly named the Sun ONE Directory Server)
and the Microsoft Active Directory.
Sun—The DN configured on the security appliance to access a Sun directory server must be able to
•
access the default password policy on that server. We recommend using the directory administrator,
or a user with directory administrator privileges, as the DN. Alternatively, you can place an ACI on
the default password policy.
Microsoft—You must configure LDAP over SSL to enable password management with Microsoft
•
Active Directory.
See the
This feature, which is enabled by default, warns a user when the current password is about to expire. The
default is to begin warning the user 14 days before expiration:
hostname(config-tunnel-general)# password-management
hostname(config-tunnel-general)#
If the server is an LDAP server, you can specify the number of days (0 through 180) before expiration
to begin warning the user about the pending expiration:
hostname(config-tunnel-general)# password-management [password-expire in days n ]
hostname(config-tunnel-general)#
OL-12172-03
The interface name must be enclosed in parentheses.
"Setting the LDAP Server Type" section on page 13-13
for information about configuring address pools.
for more information.
Cisco Security Appliance Command Line Configuration Guide
Configuring Connection Profiles
30-21