Cisco FirePOWER ASA 5500 series Configuration Manual page 615

Security appliance command line

Chapter 30
Configuring Tunnel Groups, Group Policies, and Users
hostname(config-group-webvpn)#
You configure the customization itself by entering the customization command in WebVPN mode.
The following example shows a command sequence that first establishes a WebVPN customization
named 123 that defines a password prompt. The example then defines a WebVPN group policy named
testpolicy and uses the customization command to specify the use of the WebVPN customization
named 123:
hostname(config)# webvpn
hostname(config-webvpn)# customization 123
hostname(config-webvpn-custom)# password-prompt Enter password
hostname(config-webvpn)# exit
hostname(config)# group-policy testpolicy nopassword
hostname(config)# group-policy testpolicy attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# customization value 123
hostname(config-group-webvpn)#
Specifying a "Deny" Message
You can specify the message delivered to a remote user who logs into WebVPN successfully but has no
VPN privileges by entering the deny-message command in group-policy webvpn configuration mode:
hostname(config-group-webvpn)# deny-message value "message"
hostname(config-group-webvpn)# no deny-message value "message"
hostname(config-group-webvpn)# deny-message none
The no deny-message value command removes the message string, so that the remote user does not
receive a message.
The no deny-message none command removes the attribute from the tunnel group policy configuration.
The policy inherits the attribute value.
The message can be up to 491 alphanumeric characters long, including special characters, spaces, and
punctuation, but not counting the enclosing quotation marks. The text appears on the remote user's
browser upon login. When typing the string in the deny-message value command, continue typing even
if the command wraps.
The default deny message is: "Login was successful, but because certain criteria have not been met or
due to some specific group policy, you do not have permission to use any of the VPN features. Contact
your IT administrator for more information."
The first command in the following example creates an internal group policy named group2. The
subsequent commands modify the attributes, including the webvpn deny message associated with that
policy.
hostname(config)# group-policy group2 internal
hostname(config)# group-policy group2 attributes
hostname(config-group)# webvpn
hostname(config-group-webvpn)# deny-message value "Your login credentials are OK. However,
you have not been granted rights to use the VPN features. Contact your administrator for
more information."
hostname(config-group-webvpn)#
Configuring Group-Policy WebVPN Filter Attributes
Specify whether to filter Java, ActiveX, images, scripts, and cookies for WebVPN sessions for this group
policy by using the html-content-filter command in webvpn mode. HTML filtering is disabled by
default.
OL-10088-01
Cisco Security Appliance Command Line Configuration Guide