Cisco FirePOWER ASA 5500 series Configuration Manual page 562

Security appliance command line
Configuring Tunnel Groups
Step 7
Specify the name of the NAC authentication server group, if you are using Network Admission Control, to identify the group of authentication servers to be used for Network Admission Control posture validation. Configure at least one Access Control Server to support NAC. Use the aaa-server command to name the ACS group. Then use the nac-authentication-server-group command, using the same name for the server group.

The following example identifies acs-group1 as the authentication server group to be used for NAC posture validation:

hostname(config-group-policy)# nac-authentication-server-group acs-group1
hostname(config-group-policy)#

The following example inherits the authentication server group from the default remote access group:

hostname(config-group-policy)# no nac-authentication-server-group
hostname(config-group-policy)#

Note
NAC requires a Cisco Trust Agent on the remote host.

Step 8
Specify whether to strip the group or the realm from the username before passing it on to the AAA server. The default is not to strip either the group name or the realm.

hostname(config-tunnel-general)# strip-group
hostname(config-tunnel-general)# strip-realm
hostname(config-tunnel-general)#

A realm is an administrative domain. If you strip the realm, the security appliance uses the username and the group (if present) for authentication. If you strip the group, the security appliance uses the username and the realm (if present) for authentication. Enter the strip-realm command to remove the realm qualifier, and use the strip-group command to remove the group qualifier from the username during authentication. If you remove both qualifiers, authentication is based on the username alone. Otherwise, authentication is based on the full username@realm or username<delimiter>group string. You must specify strip-realm if your server is unable to parse delimiters.

Step 9
Optionally, if your server is a RADIUS, RADIUS with NT, or LDAP server, you can enable password management.

Note
If you are using an LDAP directory server for authentication, password management is supported with the Sun Microsystems JAVA System Directory Server (formerly named the Sun ONE Directory Server) and the Microsoft Active Directory.

Sun—The DN configured on the security appliance to access a Sun directory server must be able to access the default password policy on that server. We recommend using the directory administrator, or a user with directory administrator privileges, as the DN. Alternatively, you can place an ACI on the default password policy.

Microsoft—You must configure LDAP over SSL to enable password management with Microsoft Active Directory.

See the "Setting the LDAP Server Type" section on page 13-7 for more information.

This feature, which is enabled by default, warns a user when the current password is about to expire. The default is to begin warning the user 14 days before expiration:

hostname(config-tunnel-general)# password-management
hostname(config-tunnel-general)#

Cisco Security Appliance Command Line Configuration Guide, OL-10088-01
Chapter 30 Configuring Tunnel Groups, Group Policies, and Users
30-8
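The strip-group and strip-realm behaviour described in Step 8, as an added Python model that is not part of the Cisco guide: it shows the identity string the appliance forwards to the AAA server for each combination of the two settings, starting from the default of stripping neither. The "#" group delimiter, and the assumption that the realm is whatever follows the last "@" (with the username<delimiter>group part before it when both are present), are mine, not from the page.

```python
# Added example, not from the Cisco guide: models how strip-group and
# strip-realm change the username passed to the AAA server (Step 8).
from dataclasses import dataclass


@dataclass(frozen=True)
class StripConfig:
    strip_group: bool = False    # "strip-group" set in tunnel-group general-attributes
    strip_realm: bool = False    # "strip-realm" set in tunnel-group general-attributes
    group_delimiter: str = "#"   # ASSUMPTION: group delimiter; the page does not fix one


def split_login(login: str, delimiter: str):
    """Split username[<delimiter>group][@realm] into (username, group, realm).

    ASSUMPTION: the realm is the text after the last '@'; the group is the text
    after the delimiter in what remains. The page shows the two forms
    separately and does not define their combined order.
    """
    realm = None
    if "@" in login:
        login, realm = login.rsplit("@", 1)
    group = None
    if delimiter != "@" and delimiter in login:
        login, group = login.split(delimiter, 1)
    return login, group, realm


def aaa_identity(login: str, cfg: StripConfig) -> str:
    """Return the identity the appliance would send to the AAA server.

    With neither option set (the default) the full string is forwarded; each
    strip-* option removes its qualifier; with both set only the username is sent.
    """
    user, group, realm = split_login(login, cfg.group_delimiter)
    identity = user
    if group is not None and not cfg.strip_group:
        identity += cfg.group_delimiter + group
    if realm is not None and not cfg.strip_realm:
        identity += "@" + realm
    return identity


def realm_safe_for_server(cfg: StripConfig, server_parses_delimiters: bool) -> bool:
    """Page caveat: a server that cannot parse delimiters requires strip-realm."""
    return server_parses_delimiters or cfg.strip_realm


if __name__ == "__main__":
    login = "alice#vpn@example.com"  # constructed sample login
    for cfg in (StripConfig(), StripConfig(strip_group=True),
                StripConfig(strip_realm=True),
                StripConfig(strip_group=True, strip_realm=True)):
        print(cfg, "->", aaa_identity(login, cfg))
```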