30-14
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 30 Managing Remote Access VPNs on ASA and PIX 7.0+ Devices
Configuring Connection Profiles (ASA, PIX 7.0+)
Navigation Path
Open the AAA or Secondary AAA tabs in the Connection Profiles dialog box (see AAA Tab (Connection
Profiles), page 30-11 or Secondary AAA Tab (Connection Profiles), page 30-14), then click Add Row
below the Interface-Specific Address Pools table, or select a row in the table and click Edit Row.
Related Topics
• Understanding Interface Role Objects, page 6-67
• Understanding AAA Server and Server Group Objects, page 6-24
Field Reference
Table 30-5 Add/Edit (Secondary) Interface Specific Authentication Server Groups

Element: Interface
Description: The name of the interface or interface role (that identifies the
interfaces) for which you are configuring an authentication server group.
Click Select to select an interface or interface role or to create a new
interface role.

Element: Server Group
Description: The name of the authentication server group (LOCAL if the tunnel
group is configured on the local device). Enter the name of a AAA server group
object or click Select to select it from a list or to create a new object.
When you are configuring secondary AAA, this group is used specifically for
the second credentials. You can specify different server groups for primary
and secondary credentials.

Element: Use LOCAL if Server Group Fails
Description: Whether to fall back to the local database for authentication if
the selected authentication server group fails.

Element: Use Primary Username (Secondary authentication only; remote access
SSL or IKEv2 IPSec VPN on ASA 8.2+ only.)
Description: Whether to use the same username for the secondary credentials
that was used for the primary credentials. If you select this option, after
users authenticate with their primary credentials, they are prompted for the
secondary password only. If you do not select this option, the secondary
prompt requires both a username and password.

Secondary AAA Tab (Connection Profiles)
Use the Secondary AAA tab to configure the secondary AAA authentication parameters for a remote
access SSL VPN connection profile policy for use with ASA 8.2+ devices, or a remote access IKEv2
IPSec VPN connection profile policy for use with an ASA 8.4(1)+ device. These settings do not apply
to remote access IKEv1 IPSec VPNs or Easy VPN topologies or to other device types.
Navigation Path
Remote Access VPNs only—From the Connection Profiles page (see Connection Profiles Page,
page 30-8), click the Add Row (+) button, or select a profile and click the Edit Row (pencil) button, to
open the Connection Profiles dialog box. Click the Secondary AAA tab.
Related Topics
• Configuring Connection Profiles (ASA, PIX 7.0+), page 30-6
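The following is an added example, not part of the Cisco guide or of Security Manager: a small Python audit that reads a deployed ASA configuration and reports, per connection profile and interface, the three settings from Table 30-5 for primary and secondary authentication. The sample configuration is constructed, and the CLI line syntax (authentication-server-group, secondary-authentication-server-group, the interface in parentheses, LOCAL, use-primary-username) is assumed from the ASA command line, which this page does not show; check it against your ASA release.

```python
import re

# Constructed sample of an ASA running-config (not taken from the guide).
# The line syntax below is an assumption; verify it against your ASA release.
SAMPLE_CONFIG = """\
tunnel-group RA-SSL type remote-access
tunnel-group RA-SSL general-attributes
 authentication-server-group (outside) RADIUS_GRP LOCAL
 secondary-authentication-server-group (outside) OTP_GRP use-primary-username
tunnel-group RA-IKEV2 general-attributes
 authentication-server-group RADIUS_GRP
 secondary-authentication-server-group OTP_GRP LOCAL
"""

# kind, optional "(interface)", server group name, then trailing options.
AUTH_LINE = re.compile(
    r"^\s+(?P<kind>(?:secondary-)?authentication-server-group)"
    r"(?:\s+\((?P<iface>[^)]+)\))?"
    r"\s+(?P<group>\S+)(?P<opts>.*)$"
)

def audit(config):
    """Return one dict per authentication server group line in the config."""
    findings, profile = [], None
    for line in config.splitlines():
        header = re.match(r"tunnel-group (\S+) general-attributes\s*$", line)
        if header:
            profile = header.group(1)   # entering a connection profile block
            continue
        if not line.startswith(" "):
            profile = None              # any other top-level line ends the block
            continue
        m = AUTH_LINE.match(line)
        if profile and m:
            opts = m.group("opts").split()
            findings.append({
                "profile": profile,
                "secondary": m.group("kind").startswith("secondary-"),
                "interface": m.group("iface") or "(all)",
                "server_group": m.group("group"),
                "local_fallback": "LOCAL" in opts,  # Use LOCAL if Server Group Fails
                "use_primary_username": "use-primary-username" in opts,
            })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f)
```

Rows where "secondary" and "local_fallback" are both true are the ones to review against your policy, because the second credential is then checked against the local database whenever the server group fails.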