Authentication Options - Cisco FirePOWER ASA 5500 series Configuration Manual

Chapter 34 Configuring Easy VPN Services on the ASA 5505
Guidelines for Configuring the Easy VPN Server

Authentication Options

The ASA 5505 supports the following authentication mechanisms, which it obtains from the group policy stored on the Easy VPN Server. The following list identifies the authentication options supported by the Easy VPN hardware client; however, you must configure them on the Easy VPN Server:

• Secure unit authentication (SUA, also called interactive unit authentication)
  Ignores the vpnclient username Xauth command (described in the "Configuring Automatic Xauth Authentication" section on page 34-4) and requires the user to authenticate the ASA 5505 by entering a password. By default, SUA is disabled. You can use the secure-unit-authentication enable command in group-policy configuration mode to enable SUA. See Configuring Secure Unit Authentication, page 30-44.

• Individual user authentication (IUA)
  Requires users behind the ASA 5505 to authenticate before granting them access to the enterprise VPN network. By default, IUA is disabled.

  Caution: Do not use IUA if the client might have a NAT device.

  You can use the user-authentication enable command in group-policy configuration mode to enable IUA. See Configuring User Authentication, page 30-44.

  Caution: Do not configure IUA on a Cisco ASA 5505 configured as an Easy VPN server if a NAT device is operating between the server and the Easy VPN hardware client.

  Use the user-authentication-idle-timeout command to set or remove the idle timeout period after which the Easy VPN Server terminates the client's access. See Configuring an Idle Timeout, page 30-45.

• Authentication by HTTP redirection
  The Cisco Easy VPN Server intercepts HTTP traffic and redirects the user to a login page if one of the following is true:
  – SUA is enabled, or the username and password are not configured on the Easy VPN hardware client.
  – IUA is enabled.
  HTTP redirection is automatic and does not require configuration on the Easy VPN Server.

• Preshared keys, digital certificates, tokens, and no authentication
  The ASA 5505 supports preshared keys, token-based authentication (for example, SDI one-time passwords), and "no user authentication" for user authentication. Note: The Cisco Easy VPN Server can use the digital certificate as part of user authorization. See Chapter 27, "Configuring IPSec and ISAKMP," for instructions.

Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
34-12
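The following configuration fragment is an added example and is not taken from the Cisco guide. It shows the server-side group policy that carries the SUA, IUA and idle-timeout settings described above, the alternative you would push when a NAT device sits between the headend and the hardware client (IUA left disabled, per the caution), and the matching ASA 5505 hardware-client configuration whose stored vpnclient username is ignored once SUA is enabled. The names EZVPN-GP, EZVPN-GP-NAT, EZVPN-TG, the user ezuser, the address 203.0.113.1 and the CHANGE-ME placeholders are assumptions chosen for illustration; lines beginning with "!" are comments.

```cisco
! --- Easy VPN SERVER (headend ASA) ---
! Group policy pushed to the ASA 5505 hardware client.
! Both SUA and IUA are disabled by default; enabling them here is what
! turns on the interactive password prompt and the per-user HTTP
! redirection described in the text.
group-policy EZVPN-GP internal
group-policy EZVPN-GP attributes
 secure-unit-authentication enable
 user-authentication enable
 user-authentication-idle-timeout 30
 nem enable
!
! Variant for sites where a NAT device sits between this server and the
! hardware client: keep IUA disabled (caution above), keep SUA so the unit
! still has to authenticate, and remove any idle timeout that would
! otherwise tear down the unit's access.
group-policy EZVPN-GP-NAT internal
group-policy EZVPN-GP-NAT attributes
 secure-unit-authentication enable
 user-authentication disable
 user-authentication-idle-timeout none
 nem enable
!
! Tunnel group the hardware client connects to; the default group policy
! selects which of the two policies above is pushed to the client.
tunnel-group EZVPN-TG type remote-access
tunnel-group EZVPN-TG general-attributes
 default-group-policy EZVPN-GP
tunnel-group EZVPN-TG ipsec-attributes
 pre-shared-key CHANGE-ME
!
! --- Easy VPN HARDWARE CLIENT (ASA 5505) ---
! 203.0.113.1 is a constructed documentation address for the headend.
vpnclient server 203.0.113.1
vpnclient mode network-extension-mode
vpnclient vpngroup EZVPN-TG password CHANGE-ME
! Stored Xauth credentials. Because the server policy enables SUA, this
! line is ignored and the user is prompted for the password instead.
vpnclient username ezuser password CHANGE-ME
vpnclient enable
```

The idle timeout is given in minutes; user-authentication-idle-timeout none removes it entirely. When choosing between the two policies, the deciding question is whether anything between the headend and the 5505 rewrites addresses: if it does, push EZVPN-GP-NAT and rely on SUA alone rather than IUA.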
