Cisco PIX 500 Series Configuration Manual: Authenticating with Digital Certificates; Enabling Cookies on Browsers for Clientless SSL VPN; Managing Passwords


Authenticating with Digital Certificates

SSL uses digital certificates for authentication. The security appliance creates a self-signed SSL server
certificate when it boots; alternatively, you can install on the security appliance an SSL certificate that
has been issued in a PKI context. For HTTPS, this certificate must then be installed on the client. You need
to install the certificate from a given security appliance only once.
Restrictions for authenticating users with digital certificates include the following:

- TCP Port Forwarding requires Sun Microsystems Java Runtime Environment (JRE) version 1.4.x
  and 1.5.x. Port forwarding does not work when a user of clientless SSL VPN connects with some
  SSL versions, as follows:

  SSL version setting      Result
  Negotiate SSLv3          Java downloads
  Negotiate SSLv3/TLSv1    Java downloads
  Negotiate TLSv1          Java does NOT download
  TLSv1Only                Java does NOT download
  SSLv3Only                Java does NOT download

- Application Access does not work for users of clientless SSL VPN who authenticate using digital
  certificates. JRE does not have the ability to access the web browser keystore. Therefore Java
  cannot use a certificate that the browser uses to authenticate a user, so it cannot start.

- E-mail proxy supports certificate authentication with Netscape 7.x e-mail clients only. Other e-mail
  clients such as MS Outlook, MS Outlook Express, and Eudora lack the ability to access the
  certificate store.

For more information on authentication and authorization using digital certificates, see "Using
Certificates and User Login Credentials" in the "Configuring AAA Servers and the Local Database"
chapter.

Enabling Cookies on Browsers for Clientless SSL VPN

Browser cookies are required for the proper operation of clientless SSL VPN. When cookies are disabled
on the web browser, the links from the web portal home page open a new window prompting the user to
log in once more.

Managing Passwords

Optionally, you can configure the security appliance to warn end users when their passwords are about
to expire. To do this, you specify the password-management command in tunnel-group
general-attributes mode or enable the feature using ASDM at Configuration > Remote Access VPN >
Clientless SSL VPN Access > Connection Profiles > Add or Edit > Advanced > General > Password
Management.
The security appliance supports password management for the RADIUS and LDAP protocols. It
supports the "password-expire-in-days" option for LDAP only.
You can configure password management for IPSec remote access and SSL VPN tunnel-groups.
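The following configuration is an added illustration, not text from this guide: it shows the password-management command placed in tunnel-group general-attributes mode for an LDAP-backed connection profile (where password-expire-in-days is supported) beside a RADIUS-backed one (where only the plain form applies). Server-group names, hostnames and addresses are constructed placeholders.

```text
! --- LDAP server group (constructed example values) ---
aaa-server LDAP_SRV protocol ldap
aaa-server LDAP_SRV (inside) host 10.0.0.5
 ldap-base-dn dc=example,dc=local
 ldap-scope subtree
 ldap-login-dn cn=vpn-bind,cn=Users,dc=example,dc=local
 ldap-login-password <bind-password-placeholder>
 server-type microsoft
 ! LDAP over SSL so password changes are not sent in the clear
 ldap-over-ssl enable

! --- Clientless profile using LDAP: warn users 14 days before expiry ---
tunnel-group CLIENTLESS_LDAP type remote-access
tunnel-group CLIENTLESS_LDAP general-attributes
 authentication-server-group LDAP_SRV
 password-management password-expire-in-days 14

! --- RADIUS server group (constructed example values) ---
aaa-server RAD_SRV protocol radius
aaa-server RAD_SRV (inside) host 10.0.0.6
 key <shared-secret-placeholder>

! --- Clientless profile using RADIUS: expiry warning only, no day count ---
! password-expire-in-days is supported for LDAP only, so it is omitted here
tunnel-group CLIENTLESS_RADIUS type remote-access
tunnel-group CLIENTLESS_RADIUS general-attributes
 authentication-server-group RAD_SRV
 password-management
```

Verify the result with "show running-config tunnel-group", which lists the password-management line under each profile's general-attributes.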
Cisco Security Appliance Command Line Configuration Guide (OL-12172-03), Chapter 37: Configuring Clientless SSL VPN, page 37-6

Advertisement

Table of Contents
loading

This manual is also suitable for: ASA 5500 series