User Management - Cisco VPN 3000 User Manual


User Management

Groups and users are core concepts in managing the security of VPNs and in configuring the VPN 3000 Concentrator. Groups and users have attributes, configured via parameters, that determine their access to and use of the VPN. Users are members of groups, and groups are members of the base group. This section of the VPN 3000 Concentrator Series Manager lets you configure those parameters.

Groups simplify system management. And to streamline the configuration task, the VPN Concentrator provides a base group that you configure first. The base-group parameters are those that are most likely to be common across all groups and users. As you configure a group, you can simply specify that it "inherit" parameters from the base group; and a user can also "inherit" parameters from a group. Thus you can quickly configure authentication for large numbers of users.

Of course, if you decide to grant identical rights to all VPN users, then you don't need to configure specific groups. But VPNs are seldom managed that way. For example, you might allow a Finance group to access one part of a private network, a Customer Support group to access another part, and an MIS group to access other parts. Further, you might allow specific users within MIS to access systems that other MIS users cannot access.

You can configure detailed parameters for groups and users on the VPN Concentrator internal authentication server. External RADIUS authentication servers also can return group and user parameters that match those on the VPN Concentrator; other authentication servers do not. The Cisco software CD-ROM includes a 30-day evaluation copy of Funk Software's Steel-Belted RADIUS authentication server and instructions for using it with the VPN Concentrator.

You can configure a maximum of 100 groups and users (combined) in the VPN Concentrator internal server, which is adequate for a small user base. For larger numbers of users, we recommend using the internal server to configure groups (and perhaps a few users); and using a RADIUS server to authenticate the users.
The VPN Concentrator checks authentication parameters in this order:
• First: User parameters. If any parameters are missing, the system looks at:
• Second: Group parameters. If any parameters are missing, the system looks at:
• (Third, for IPSec users only: IPSec tunnel-group parameters. These are the parameters of the IPSec
group used to create the tunnel. The IPSec group is configured on the internal server.) If any
parameters are missing, the system looks at:
• Last: Base-group parameters.
If you use a non-RADIUS server, only the IPSec tunnel-group or base-group parameters apply to users.
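The lookup order above decides which parameter value a user actually gets, and the non-RADIUS case is where per-user and per-group restrictions silently fall back to the tunnel-group or base-group values. The following is an added example (not code from the Cisco manual or the VPN Concentrator) that models that resolution so the effective settings, and where each came from, can be audited; all parameter names, values, group names and the `auth_server` labels are constructed for illustration.

```python
# Added example: models the VPN 3000 parameter lookup order
#   user -> group -> IPSec tunnel group (IPSec users only) -> base group
# Parameter names/values and group names below are constructed for illustration.

BASE_GROUP = {
    "idle_timeout": 30,          # minutes, applies to everyone unless overridden
    "max_connect_time": 0,       # 0 = unlimited
    "tunneling_protocols": "IPSec,PPTP",
    "simultaneous_logins": 3,
}

# Parameters of the IPSec group used to create the tunnel (internal server).
IPSEC_TUNNEL_GROUPS = {
    "finance-tunnel": {"idle_timeout": 10, "simultaneous_logins": 1},
}

# Group and user parameters, as the internal server or a RADIUS server returns them.
GROUPS = {"finance": {"max_connect_time": 480, "simultaneous_logins": 2}}
USERS = {"alice": {"group": "finance", "params": {"idle_timeout": 15}}}


def resolve_parameters(user, auth_server="internal", ipsec_tunnel_group=None):
    """Return {parameter: (effective_value, source_layer)} for every base-group parameter.

    auth_server: "internal" or "radius" can supply user and group parameters;
    any other value models a non-RADIUS external server, for which the manual says
    only the IPSec tunnel-group or base-group parameters apply to the user.
    """
    layers = []
    if auth_server in ("internal", "radius"):
        record = USERS.get(user, {})
        layers.append(("user", record.get("params", {})))
        layers.append(("group", GROUPS.get(record.get("group"), {})))
    if ipsec_tunnel_group is not None:  # only IPSec users have a tunnel group
        layers.append(("ipsec-tunnel-group", IPSEC_TUNNEL_GROUPS.get(ipsec_tunnel_group, {})))
    layers.append(("base-group", BASE_GROUP))  # last resort, always present

    effective = {}
    for name in BASE_GROUP:
        for source, params in layers:       # first layer that defines the parameter wins
            if name in params:
                effective[name] = (params[name], source)
                break
    return effective


if __name__ == "__main__":
    for server in ("internal", "ldap"):
        print(server, resolve_parameters("alice", server, "finance-tunnel"))
```

Comparing the two runs shows that the same user loses the user- and group-level values (and inherits the tunnel-group limit of one simultaneous login) as soon as a non-RADIUS server is in the path.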
VPN 3000 Concentrator Series User Guide, Chapter 12, page 12-1
