Cisco ASA 5505 Configuration Manual page 1404

Mapping Certificates to IPsec or SSL VPN Connection Profiles
•
Note
Modes
The following table shows the modes in which this feature is available:
Firewall Mode
Routed
•
Add/Edit Tunnel Group > IPsec for LAN to LAN Access > IPsec
The Add or Edit Tunnel Group dialog box for IPsec for Site-to-Site access, IPsec dialog box, lets you
configure or edit IPsec Site-to-Site-specific tunnel group parameters.
Fields
•
Cisco ASA 5500 Series Configuration Guide using ASDM
64-94
is meaningful only when you have also checked the Enable Group Lookup box. When you append
a group name to a username using a delimiter, and enable Group Lookup, the adaptive security
appliance interprets all characters to the left of the delimiter as the username, and those to the right
as the group name. Valid group delimiters are the @, #, and ! characters, with the @ character as the
default for Group Lookup. You append the group to the username in the format
username<delimiter>group, the possibilities being, for example, JaneDoe@VPNGroup,
JaneDoe#VPNGroup, and JaneDoe!VPNGroup.
Password Management—Lets you configure parameters relevant to overriding an account-disabled
indication from a AAA server and to notifying users about password expiration.
– Override account-disabled indication from AAA server—Overrides an account-disabled
indication from a AAA server.
Allowing override account-disabled is a potential security risk.
– Enable notification upon password expiration to allow user to change password—Checking this
check box makes the following two parameters available. If you do not also check the Enable
notification prior to expiration check box, the user receives notification only after the password
has expired.
Enable notification prior to expiration—When you check this option, the adaptive security
–
appliance notifies the remote user at login that the current password is about to expire or has
expired, then offers the user the opportunity to change the password. If the current password has
not yet expired, the user can still log in using that password. This parameter is valid for AAA
servers that support such notification; that is, RADIUS, RADIUS with an NT server, and LDAP
servers. The adaptive security appliance ignores this command if RADIUS or LDAP
authentication has not been configured.
Note that this does not change the number of days before the password expires, but rather, it
enables the notification. If you check this check box, you must also specify the number of days.
Notify...days prior to expiration—Specifies the number of days before the current password
–
expires to notify the user of the pending expiration. The range is 1 through 180 days.
Security Context
Transparent Single
—
•
Name—Specifies the name assigned to this tunnel group. For the Edit function, this field is
display-only.
Multiple
Context System
— —
Chapter 64 General VPN Setup
OL-20339-01