User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 33 Configuring Policy Objects for Remote Access VPNs
ASA Group Policies Dialog Box
Table 33-3 ASA Group Policies Client Firewall Attributes (Continued)
Element Description

Custom Firewall
The attributes that define the required or optional firewall if you select
custom firewall as the firewall type:
• Vendor ID—The number that identifies the vendor of the custom
firewall. Values are 1-255.
• Product ID—The number that identifies the product or model of
the custom firewall. Values are 1-32 or 255. Multiple ranges are
allowed, for example, 4-12, 24-32. Use 255 for all supported
products.
• Description—An optional description of the custom firewall, for
example, the name of the vendor and product.

ASA Group Policies Hardware Client Attributes
Use the Hardware Client Attributes settings to configure the VPN 3002 Hardware Client settings for the
ASA group policy in an Easy VPN or remote access IPSec VPN.

Navigation Path
Select Easy VPN/IPSec VPN > Hardware Client Attributes from the table of contents in the ASA
Group Policies Dialog Box, page 33-1.

Field Reference
Table 33-4 ASA Group Policies Hardware Client Attributes
Element Description

Require Interactive Client Authentication
Whether to enable secure unit authentication, which provides
additional security by requiring VPN hardware clients to authenticate
with a username and password each time that the client initiates a
tunnel. The hardware client does not have a saved username and
password.
Note: Secure unit authentication requires that you have an
authentication server group configured for the tunnel group the
hardware clients use. If you require secure unit authentication
on the primary security appliance, be sure to configure it on any
backup servers as well.

Require Individual User Authentication
Whether to require that individual users behind a hardware client
authenticate to gain access to the network across the tunnel. Individual
users authenticate according to the order of authentication servers that
you configure.
If you do not select this option, the security appliance allows
inheritance of a value for user authentication from another group
policy.

Enable Cisco IP Phone Bypass
Whether to allow IP phones behind hardware clients to connect without
undergoing user authentication processes. Secure unit authentication
remains in effect for other users.
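
The note on configuring secure unit authentication on backup servers as well as the primary can be checked offline by comparing exported device configurations. The following is an added example, not part of the Cisco guide: it assumes the three fields above appear in the ASA CLI as the group-policy attributes secure-unit-authentication, user-authentication and ip-phone-bypass, and it uses constructed sample configurations with a hypothetical policy name, HW-CLIENTS.

```python
import re

# Constructed sample configs (not from the guide). The attribute commands are
# the ASA CLI forms assumed to correspond to the three GUI fields.
PRIMARY = """\
group-policy HW-CLIENTS internal
group-policy HW-CLIENTS attributes
 secure-unit-authentication enable
 user-authentication enable
 ip-phone-bypass enable
"""
BACKUP = """\
group-policy HW-CLIENTS internal
group-policy HW-CLIENTS attributes
 user-authentication enable
 ip-phone-bypass enable
"""

ATTRS = ("secure-unit-authentication", "user-authentication", "ip-phone-bypass")

def hardware_client_attrs(config):
    """Return {policy: {attr: value}}; an attribute that is not set is inherited."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"group-policy (\S+) attributes\s*$", line)
        if m:
            current = policies.setdefault(m.group(1), {})
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the attributes sub-mode
        elif current is not None:
            parts = line.split()
            if len(parts) == 2 and parts[0] in ATTRS:
                current[parts[0]] = parts[1]
    return policies

def backup_mismatches(primary, backup):
    """List (policy, attr, primary_value, backup_value) where the backup differs."""
    p, b = hardware_client_attrs(primary), hardware_client_attrs(backup)
    out = []
    for policy, attrs in sorted(p.items()):
        for attr in ATTRS:
            pv = attrs.get(attr, "inherited")
            bv = b.get(policy, {}).get(attr, "inherited")
            if pv != bv:
                out.append((policy, attr, pv, bv))
    return out

if __name__ == "__main__":
    for row in backup_mismatches(PRIMARY, BACKUP):
        print("%s: %s is %s on primary, %s on backup" % row)
```

A result of "inherited" on the backup means the value comes from another group policy, so the effective setting has to be confirmed there before treating the two appliances as equivalent.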