Cisco Systems CL-28826-01 Security Camera User Manual


 
30-12
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 30 Managing Remote Access VPNs on ASA and PIX 7.0+ Devices
Configuring Connection Profiles (ASA, PIX 7.0+)
Table 30-4 Connection Profile AAA Tab (Continued)

Element: Authentication Server Group
Description: The name of the authentication server group (LOCAL if the tunnel group is configured on the local device). Enter the name of a AAA server group object or click Select to select it from a list or to create a new object.

If you want to use different authentication server groups based on the interface to which the client connects, configure the server groups in the Interface-Specific Authentication Server Groups table at the bottom of this tab (described below).

Element: Use LOCAL if Server Group Fails
Description: Whether to fall back to the local database for authentication if the selected authentication server group fails.

Element: Authorization Server Group
Description: The name of the authorization server group (LOCAL if the tunnel group is configured on the local device). Enter the name of a AAA server group object or click Select to select it from a list or to create a new object.

Element: Users must exist in the authorization database to connect
Description: Whether to require that the username of the client must exist in the authorization database to allow a successful connection. If the username does not exist in the authorization database, then the connection is denied.

Element: Accounting Server Group
Description: The name of the accounting server group. Enter the name of a AAA server group object or click Select to select it from a list or to create a new object.

Element: Strip Realm from Username; Strip Group from Username
Description: Whether to remove the realm or group name from the username before passing the username on to the AAA server. A realm is an administrative domain. Enabling these options allows the authentication to be based on the username alone.

You can enable any combination of these options. However, you must select both check boxes if your server cannot parse delimiters.

Element: Override Account-Disabled Indication from AAA Server
Description: Whether to override the “account-disabled” indicator from a AAA server. This configuration is valid for servers, such as RADIUS with NT LDAP, and Kerberos, that return an “account-disabled” indication.

If you are using an LDAP directory server for authentication, password management is supported with the Sun Microsystems JAVA System Directory Server (formerly named the Sun ONE Directory Server) and the Microsoft Active Directory.

- Sun—The DN configured on the security appliance to access a Sun directory server must be able to access the default password policy on that server. We recommend using the directory administrator, or a user with directory administrator privileges, as the DN. Alternatively, you can place an ACI on the default password policy.
- Microsoft—You must configure LDAP over SSL to enable password management with Microsoft Active Directory.
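
Added example, not part of the Cisco guide: a small Python parser that reads ASA running-configuration text and reports, per connection profile, the values of the AAA fields described in the table above, so deployed settings can be checked against what was intended. It assumes the ASA CLI keywords shown in the mapping correspond to these fields; the profile, server group and interface names in the sample are constructed placeholders.

```python
import re

# Assumed mapping: ASA CLI keyword -> field name from the table above.
FLAGS = {
    "authorization-required": "Users must exist in the authorization database to connect",
    "strip-realm": "Strip Realm from Username",
    "strip-group": "Strip Group from Username",
    "override-account-disable": "Override Account-Disabled Indication from AAA Server",
}
GROUPS = {
    "authentication-server-group": "Authentication Server Group",
    "authorization-server-group": "Authorization Server Group",
    "accounting-server-group": "Accounting Server Group",
}
FALLBACK = "Use LOCAL if Server Group Fails"

def parse_aaa_settings(config):
    """Return {connection profile: {field: value}} for general-attributes blocks."""
    profiles, current = {}, None
    for line in config.splitlines():
        header = re.match(r"tunnel-group (\S+) general-attributes\s*$", line)
        if header:
            current = profiles.setdefault(header.group(1), {})
        elif not line.startswith(" "):
            current = None  # any unindented line ends the sub-mode
        elif current is not None and line.split():
            keyword, *args = line.split()
            if keyword in FLAGS:
                current[FLAGS[keyword]] = True
            elif keyword in GROUPS and args:
                iface = " " + args.pop(0) if args[0].startswith("(") else ""
                if args:  # a leading "(interface)" marks an interface-specific group
                    current[GROUPS[keyword] + iface] = args[0]
                    if keyword == "authentication-server-group":
                        current[FALLBACK + iface] = args[1:] == ["LOCAL"]
    return profiles

# Constructed sample configuration; every name in it is a placeholder.
SAMPLE = """\
tunnel-group RA-EXAMPLE general-attributes
 authentication-server-group RADIUS-EXAMPLE LOCAL
 authentication-server-group (outside) LDAP-EXAMPLE
 authorization-server-group LDAP-EXAMPLE
 authorization-required
 strip-realm
 override-account-disable
tunnel-group RA-EXAMPLE webvpn-attributes
 group-alias example enable
"""
```

A field that is absent from a profile's result was not enabled in that profile; for the sample, "Strip Group from Username" is absent and the interface-specific group on (outside) has no LOCAL fallback.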