Cisco ASA Series Cli Configuration Manual page 1852
Software version 9.0 for the services module
Hide thumbs
Also See for ASA Series:
- Configuration manual (429 pages) ,
- Getting started (31 pages) ,
- Mount and connect (12 pages)
Table of Contents
Advertisement
Microsoft Kerberos Constrained Delegation Solution
Viewing the Plug-ins Installed on the Security Appliance
Detailed Steps
Command
Step 1
show import webvpn plug
Example:
hostname# show import webvpn plug
ssh
rdp
vnc
ica
Step 2
show import webvpn plug detail
Example:
hostname show import webvpn plug
post GXN2BIGGOAOkBMibDQsMu2GWZ3Q= Tues, 29 Apr 2008
19:57:03 GMT
rdp fHeyReIOUwDCgAL9HdTs PnjdBoo= Tues, 15 Sep 2009
23:23:56 GMT
rdp2 shw8c22T2SsILLk6zyCd6H6VOz8= Wed, 11 Feb 2009
21:17:54 GMT
Microsoft Kerberos Constrained Delegation Solution
Many organizations want to authenticate their Clientless VPN users and extend their authentication
credentials seamlessly to web-based resources using authentication methods beyond what the ASA SSO
feature can offer today. With the growing demand to authenticate remote access users with Smart Cards
and One-time Passwords (OTP), the SSO feature falls short in meeting that demand, because it only
forwards conventional user credentials, such as static username and password, to clientless web-based
resources when authentication is required.
For example, neither certificate- or OTP-based authentication methods encompass a conventional
username and password necessary for the ASA to seamlessly perform SSO access to web-based
resources. When authenticating with a certificate, a username and password is not required for the ASA
to extend to web-based resources, making it an unsupported authentication method for SSO. On the other
hand, OTP does include a static username; however, the password is dynamic and will subsequently
change throughout the VPN session. In general, Web-based resources are configured to accept static
usernames and passwords, thus also making OTP an unsupported authentication method for SSO.
Microsoft's Kerberos Constrained Delegation (KCD), a new feature introduced in software release 8.4
of the ASA, provides access to Kerberos-protected Web applications in the private network. With this
benefit, you can seamlessly extend certificate- and OTP-based authentication methods to web
applications. Thus, with SSO and KCD working together although independently, many organizations
can now authenticate their clientless VPN users and extend their authentication credentials seamlessly
to web applications using all authentication methods supported by the ASA.
Cisco ASA Series CLI Configuration Guide
1-44
Chapter 1
Configuring Clientless SSL VPN
Purpose
Lists the Java-based client applications available to
users of clientless SSL VPN.
Includes hash and date of the plug-in.
Hide quick links:
Advertisement
Chapters
Table of Contents
Troubleshooting
