Configuring Connection Profiles, Group Policies, and Users

This chapter describes how to configure VPN connection profiles (formerly called “tunnel groups”), group policies, and users. This chapter includes the following sections.

In summary, you first configure connection profiles to set the values for the connection. Then you configure group policies. These set values for users in the aggregate. Then you configure users, which can inherit values from groups and configure certain values on an individual user basis. This chapter describes how and why to configure these entities.

Overview of Connection Profiles, Group Policies, and Users

Groups and users are core concepts in managing the security of virtual private networks (VPNs) and in configuring the ASA. They specify attributes that determine user access to and use of the VPN. A group is a collection of users treated as a single entity. Users get their attributes from group policies. A connection profile identifies the group policy for a specific connection. If you do not assign a particular group policy to a user, the default group policy for the connection applies.

note.gif

Noteblank.gif You configure connection profiles using tunnel-group commands. In this chapter, the terms “connection profile” and “tunnel group” are often used interchangeably.


Connection profiles and group policies simplify system management. To streamline the configuration task, the ASA provides a default LAN-to-LAN connection profile, a default remote access connection profile, a default connection profile for SSL/IKEv2 VPN, and a default group policy (DfltGrpPolicy). The default connection profiles and group policy provide settings that are likely to be common for many users. As you add users, you can specify that they “inherit” parameters from a group policy. Thus you can quickly configure VPN access for large numbers of users.

If you decide to grant identical rights to all VPN users, then you do not need to configure specific connection profiles or group policies, but VPNs seldom work that way. For example, you might allow a finance group to access one part of a private network, a customer support group to access another part, and an MIS group to access other parts. In addition, you might allow specific users within MIS to access systems that other MIS users cannot access. Connection profiles and group policies provide the flexibility to do so securely.

note.gif

Noteblank.gif The ASA also includes the concept of object groups, which are a superset of network lists. Object groups let you define VPN access to ports as well as networks. Object groups relate to ACLs rather than to group policies and connection profiles. For more information about using object groups, see Chapter 13, “Configuring Objects.”


The security appliance can apply attribute values from a variety of sources. It applies them according to the following hierarchy:

1.blank.gif Dynamic Access Policy (DAP) record

2.blank.gif Username

3.blank.gif Group policy

4.blank.gif Group policy for the connection profile

5.blank.gif Default group policy

Therefore, DAP values for an attribute have a higher priority than those configured for a user, group policy, or connection profile.

When you enable or disable an attribute for a DAP record, the ASA applies that value and enforces it. For example, when you disable HTTP proxy in dap webvpn mode, the security appliance looks no further for a value. When you instead use the no value for the http-proxy command, the attribute is not present in the DAP record, so the security appliance moves down to the AAA attribute in the username, and if necessary, the group policy to find a value to apply. The ASA clientless SSL VPN configuration supports only one http-proxy and one https-proxy command each. We recommend that you use ASDM to configure DAP.

Connection Profiles

A connection profile consists of a set of records that determines tunnel connection policies. These records identify the servers to which the tunnel user is authenticated, as well as the accounting servers, if any, to which connection information is sent. They also identify a default group policy for the connection, and they contain protocol-specific connection parameters. Connection profiles include a small number of attributes that pertain to creating the tunnel itself. Connection profiles include a pointer to a group policy that defines user-oriented attributes.

The ASA provides the following default connection profiles: DefaultL2Lgroup for LAN-to-LAN connections, DefaultRAgroup for remote access connections, and DefaultWEBVPNGroup for SSL VPN (browser-based) connections. You can modify these default connection profiles, but you cannot delete them. You can also create one or more connection profiles specific to your environment. Connection profiles are local to the ASA and are not configurable on external servers.

Connection profiles specify the following attributes:

General Connection Profile Connection Parameters

General parameters are common to all VPN connections. The general parameters include the following:

  • Connection profile name—You specify a connection-profile name when you add or edit a connection profile. The following considerations apply:

blank.gif For clients that use preshared keys to authenticate, the connection profile name is the same as the group name that a client passes to the ASA.

blank.gif Clients that use certificates to authenticate pass this name as part of the certificate, and the ASA extracts the name from the certificate.

  • Connection type—Connection types include IKEv1 remote-access, IPsec Lan-to-LAN, and Anyconnect (SSL/IKEv2). A connection profile can have only one connection type.
  • Authentication, Authorization, and Accounting servers—These parameters identify the server groups or lists that the ASA uses for the following purposes:

blank.gif Authenticating users

blank.gif Obtaining information about services users are authorized to access

blank.gif Storing accounting records

A server group can consist of one or more servers.

  • Default group policy for the connection—A group policy is a set of user-oriented attributes. The default group policy is the group policy whose attributes the ASA uses as defaults when authenticating or authorizing a tunnel user.
  • Client address assignment method—This method includes values for one or more DHCP servers or address pools that the ASA assigns to clients.
  • Override account disabled—This parameter lets you override the “account-disabled” indicator received from a AAA server.
  • Password management—This parameter lets you warn a user that the current password is due to expire in a specified number of days (the default is 14 days), then offer the user the opportunity to change the password.
  • Strip group and strip realm—These parameters direct the way the ASA processes the usernames it receives. They apply only to usernames received in the form user@realm.

A realm is an administrative domain appended to a username with the @ delimiter (user@abc). If you strip the realm, the ASA uses the username and the group (if present) for authentication. If you strip the group, the ASA uses the username and the realm (if present) for authentication.

Enter the strip-realm command to remove the realm qualifier, and enter the strip-group command to remove the group qualilfier from the username during authentication. If you remove both qualifiers, authentication is based on the username alone. Otherwise, authentication is based on the full username@realm or username < delimiter > group string. You must specify strip-realm if your server is unable to parse delimiters.

In addition, for L2TP/IPsec clients only, when you specify the strip-group command the ASA selects the connection profile (tunnel group) for user connections by obtaining the group name from the username presented by the VPN client.

  • Authorization required—This parameter lets you require authorization before a user can connect, or turn off that requirement.
  • Authorization DN attributes—This parameter specifies which Distinguished Name attributes to use when performing authorization.

IPsec Tunnel-Group Connection Parameters

IPsec parameters include the following:

  • A client authentication method: preshared keys, certificates, or both.

blank.gif For IKE connections based on preshared keys, this is the alphanumeric key itself (up to 128 characters long), associated with the connection policy.

blank.gif Peer-ID validation requirement—This parameter specifies whether to require validating the identity of the peer using the peer’s certificate.

blank.gif If you specify certificates or both for the authentication method, the end user must provide a valid certificate in order to authenticate.

  • An extended hybrid authentication method: XAUTH and hybrid XAUTH.

You use isakmp ikev1-user-authentication command to implement hybrid XAUTH authentication when you need to use digital certificates for ASA authentication and a different, legacy method for remote VPN user authentication, such as RADIUS, TACACS+ or SecurID.

  • ISAKMP (IKE) keepalive settings. This feature lets the ASA monitor the continued presence of a remote peer and report its own presence to that peer. If the peer becomes unresponsive, the ASA removes the connection. Enabling IKE keepalives prevents hung connections when the IKE peer loses connectivity.

There are various forms of IKE keepalives. For this feature to work, both the ASA and its remote peer must support a common form. This feature works with the following peers:

blank.gif Cisco AnyConnect VPN Client

blank.gif Cisco VPN Client (Release 3.0 and above)

blank.gif Cisco VPN 3000 Client (Release 2.x)

blank.gif Cisco VPN 3002 Hardware Client

blank.gif Cisco VPN 3000 Series Concentrators

blank.gif Cisco IOS software

blank.gif Cisco Secure PIX Firewall

Non-Cisco VPN clients do not support IKE keepalives.

If you are configuring a group of mixed peers, and some of those peers support IKE keepalives and others do not, enable IKE keepalives for the entire group. The feature does not affect the peers that do not support it.

If you disable IKE keepalives, connections with unresponsive peers remain active until they time out, so we recommend that you keep your idle timeout short. To change your idle timeout, see “Configuring Group Policies” section.

note.gif

Noteblank.gif To reduce connectivity costs, disable IKE keepalives if this group includes any clients connecting via ISDN lines. ISDN connections normally disconnect if idle, but the IKE keepalive mechanism prevents connections from idling and therefore from disconnecting.

If you do disable IKE keepalives, the client disconnects only when either its IKE or IPsec keys expire. Failed traffic does not disconnect the tunnel with the Peer Timeout Profile values as it does when IKE keepalives are enabled.


note.gif

Noteblank.gif If you have a LAN-to-LAN configuration using IKE main mode, make sure that the two peers have the same IKE keepalive configuration. Both peers must have IKE keepalives enabled or both peers must have it disabled.


  • If you configure authentication using digital certificates, you can specify whether to send the entire certificate chain (which sends the peer the identity certificate and all issuing certificates) or just the issuing certificates (including the root certificate and any subordinate CA certificates).
  • You can notify users who are using outdated versions of Windows client software that they need to update their client, and you can provide a mechanism for them to get the updated client version. For VPN 3002 hardware client users, you can trigger an automatic update. You can configure and change the client-update, either for all connection profiles or for particular connection profiles.
  • If you configure authentication using digital certificates, you can specify the name of the trustpoint that identifies the certificate to send to the IKE peer.

Connection Profile Connection Parameters for SSL VPN Sessions

Table 67-1 provides a list of connection profile attributes that are specific to SSL VPN (AnyConnect client and clientless) connections. In addition to these attributes, you configure general connection profile attributes common to all VPN connections. For step-by-step information about configuring connection profiles, see Configuring Connection Profiles for Clientless SSL VPN Sessions.

note.gif

Noteblank.gif In earlier releases, “connection profiles” were known as “tunnel groups.” You configure a connection profile with tunnel-group commands. This chapter often uses these terms interchangeably.


 

Table 67-1 Connection Profile Attributes for SSL VPN

Command
Function

authentication

Sets the authentication method, AAA or certificate.

customization

Identifies the name of a previously defined customization to apply. Customizations determine the appearance of the windows that the user sees upon login. You configure the customization parameters as part of configuring clientless SSL VPN.

nbns-server

Identifies the name of the NetBIOS Name Service server (nbns-server) to use for CIFS name resolution.

group-alias

Specifies one or more alternate names by which the server can refer to a connection profile. At login, the user selects the group name from a dropdown menu.

group-url

Identifies one or more group URLs. If you configure this attribute, users coming in on a specified URL need not select a group at login.

dns-group

Identifies the DNS server group that specifies the DNS server name, domain name, name server, number of retries, and timeout values for a DNS server to use for a connection profile.

hic-fail-group-policy

Specifies a VPN feature policy if you use the Cisco Secure Desktop Manager to set the Group-Based Policy attribute to “Use Failure Group-Policy” or “Use Success Group-Policy, if criteria match.”

override-svc-download

Overrides downloading the group-policy or username attributes configured for downloading the AnyConnect VPN client to the remote user.

radius-reject-message

Enables the display of the RADIUS reject message on the login screen when authentication is rejected.

Configuring Connection Profiles

The following sections describe the contents and configuration of connection profiles:

You can modify the default connection profiles, and you can configure a new connection profile as any of the three tunnel-group types. If you don’t explicitly configure an attribute in a connection profile, that attribute gets its value from the default connection profile. The default connection-profile type is remote access. The subsequent parameters depend upon your choice of tunnel type. To see the current configured and default configuration of all your connection profiles, including the default connection profile, enter the show running-config all tunnel-group command.

Maximum Connection Profiles

The maximum number of connection profiles (tunnel groups) that an ASA can support is a function of the maximum number of concurrent VPN sessions for the platform + 5. For example, an ASA5505 can support a maximum of 25 concurrent VPN sessions allowing for 30 tunnel groups (25+5). Attempting to add an additional tunnel group beyond the limit results in the following message: "ERROR: The limit of 30 configured tunnel groups has been reached"

Table Table 67-2 specifies the maximum VPN sessions and connection profiles for each ASA platform.

Table 67-2 Maximum VPN Sessions and Connection Profiles Per ASA Platform

5505 Base/ Security Plus
5510/Base/ Security Plus
5520
5540
5550
5580-20
5580-40

Maximum VPN Sessions

10/25

250

750

5000

5000

10,000

10,000

Maximum Connection Profiles

15/30

255

755

5005

5005

10,005

10,005

Default IPsec Remote Access Connection Profile Configuration

The contents of the default remote-access connection profile are as follows:

tunnel-group DefaultRAGroup type remote-access
tunnel-group DefaultRAGroup general-attributes
no address-pool
no ipv6-address-pool
authentication-server-group LOCAL
accounting-server-group RADIUS
default-group-policy DfltGrpPolicy
no dhcp-server
no strip-realm
no password-management
no override-account-disable
no strip-group
no authorization-required
authorization-dn-attributes CN OU
tunnel-group DefaultRAGroup webvpn-attributes
hic-fail-group-policy DfltGrpPolicy
customization DfltCustomization
authentication aaa
no override-svc-download
no radius-reject-message
dns-group DefaultDNS
tunnel-group DefaultRAGroup ipsec-attributes
no pre-shared-key
peer-id-validate req
no chain
no trust-point
isakmp keepalive threshold 1500 retry 2
no radius-sdi-xauth
isakmp ikev1-user-authentication xauth
tunnel-group DefaultRAGroup ppp-attributes
no authentication pap
authentication chap
authentication ms-chap-v1
no authentication ms-chap-v2
no authentication eap-proxy
 

Configuring IPsec Tunnel-Group General Attributes

The general attributes are common across more than one tunnel-group type. IPsec remote access and clientless SSL VPN tunnels share most of the same general attributes. IPsec LAN-to-LAN tunnels use a subset. Refer to the command reference for complete descriptions of all commands. The following sections describe, in order, how to configure remote-access and LAN-to-LAN connection profiles.

Configuring Remote-Access Connection Profiles

Use an remote-access connection profile when setting up a connection between the following remote clients and a central-site ASA:

blank.gif Legacy Cisco VPN Client (connecting with IPsec/IKEv1)

blank.gif AnyConnect Secure Mobility Client (connecting with SSL or IPsec/IKEv2)

blank.gif Clientless SSL VPN (browser-based connecting with SSL)

blank.gif Cisco ASA5500 Easy VPN hardware client (connecting with IPsec/IKEv1)

blank.gif Cisco VPM 3002 hardware client (connecting with IPsec/IKEv1)

We also provide a default group policy named DfltGrpPolicy.

To configure an remote-access connection profile, first configure the tunnel-group general attributes, then the remote-access attributes. See the following sections:

Specifying a Name and Type for the Remote Access Connection Profile

Create the connection profile, specifying its name and type, by entering the tunnel-group command. For an remote-access tunnel, the type is remote-access:

hostname(config)# tunnel-group tunnel_group_name type remote-access
hostname(config)#
 

For example, to create an remote-access connection profile named TunnelGroup1, enter the following command:

hostname(config)# tunnel-group TunnelGroup1 type remote-access
hostname(config)#
 

Configuring Remote-Access Connection Profile General Attributes

To configure or change the connection profile general attributes, specify the parameters in the following steps.


Step 1blank.gif To configure the general attributes, enter the tunnel-group general-attributes command, which enters tunnel-group general-attributes configuration mode. The prompt changes to indicate the change in mode.

hostname(config)# tunnel-group tunnel_group_name general-attributes
hostname(config-tunnel-general)#
 

Step 2blank.gif Specify the name of the authentication-server group, if any, to use. If you want to use the LOCAL database for authentication if the specified server group fails, append the keyword LOCAL :

hostname(config-tunnel-general)# authentication-server-group [(interface_name)] groupname [LOCAL]
hostname(config-tunnel-general)#
 

The name of the authentication server group can be up to 16 characters long.

You can optionally configure interface-specific authentication by including the name of an interface after the group name. The interface name, which specifies where the tunnel terminates, must be enclosed in parentheses. The following command configures interface-specific authentication for the interface named test using the server named servergroup1 for authentication:

hostname(config-tunnel-general)# authentication-server-group (test) servergroup1
hostname(config-tunnel-general)#
 

Step 3blank.gif Specify the name of the authorization-server group, if any, to use. When you configure this value, users must exist in the authorization database to connect:

hostname(config-tunnel-general)# authorization-server-group groupname
hostname(config-tunnel-general)#
 

The name of the authorization server group can be up to 16 characters long. For example, the following command specifies the use of the authorization-server group FinGroup:

hostname(config-tunnel-general)# authorization-server-group FinGroup
hostname(config-tunnel-general)#
 

Step 4blank.gif Specify the name of the accounting-server group, if any, to use:

hostname(config-tunnel-general)# accounting-server-group groupname
hostname(config-tunnel-general)#
 

The name of the accounting server group can be up to 16 characters long. For example, the following command specifies the use of the accounting-server group named comptroller:

hostname(config-tunnel-general)# accounting-server-group comptroller
hostname(config-tunnel-general)#
 

Step 5blank.gif Specify the name of the default group policy:

hostname(config-tunnel-general)# default-group-policy policyname
hostname(config-tunnel-general)#
 

The name of the group policy can be up to 64 characters long. The following example sets DfltGrpPolicy as the name of the default group policy:

hostname(config-tunnel-general)# default-group-policy DfltGrpPolicy
hostname(config-tunnel-general)#
 

Step 6blank.gif Specify the names or IP addresses of the DHCP server (up to 10 servers), and the names of the DHCP address pools (up to 6 pools). The defaults are no DHCP server and no address pool. The dhcp-server command will allow you to configure the security appliance to send additional options to the specified DHCP servers when it is trying to get IP addresses for VPN clients. See the dhcp-server command in the Cisco Security Appliance Command Reference guide for more information.

hostname(config-tunnel-general)# dhcp-server server1 [...server10]
hostname(config-tunnel-general)# address-pool [(interface name)] address_pool1 [...address_pool6]
hostname(config-tunnel-general)#
 
note.gif

Noteblank.gif If you specify an interface name, you must enclosed it within parentheses.


You configure address pools with the ip local pool command in global configuration mode.

Step 7blank.gif Specify the name of the NAC authentication server group, if you are using Network Admission Control, to identify the group of authentication servers to be used for Network Admission Control posture validation. Configure at least one Access Control Server to support NAC. Use the aaa-server command to name the ACS group. Then use the nac-authentication-server-group command, using the same name for the server group.

The following example identifies acs-group1 as the authentication server group to be used for NAC posture validation:

hostname(config-group-policy)# nac-authentication-server-group acs-group1
hostname(config-group-policy)
 

The following example inherits the authentication server group from the default remote access group.

hostname(config-group-policy)# no nac-authentication-server-group
hostname(config-group-policy)
 
note.gif

Noteblank.gif NAC requires a Cisco Trust Agent on the remote host.


Step 8blank.gif Specify whether to strip the group or the realm from the username before passing it on to the AAA server. The default is not to strip either the group name or the realm.

hostname(config-tunnel-general)# strip-group
hostname(config-tunnel-general)# strip-realm
hostname(config-tunnel-general)#
 

A realm is an administrative domain. If you strip the realm, the ASA uses the username and the group (if present) authentication. If you strip the group, the ASA uses the username and the realm (if present) for authentication.Enter the strip-realm command to remove the realm qualifier, and use the strip-group command to remove the group qualilfier from the username during authentication. If you remove both qualifiers, authentication is based on the username alone. Otherwise, authentication is based on the full username@realm or username < delimiter > group string. You must specify strip-realm if your server is unable to parse delimiters.

Step 9blank.gif Optionally, if your server is a RADIUS, RADIUS with NT, or LDAP server, you can enable password management.

note.gif

Noteblank.gif If you are using an LDAP directory server for authentication, password management is supported with the Sun Microsystems JAVA System Directory Server (formerly named the Sun ONE Directory Server) and the Microsoft Active Directory.

Sun—The DN configured on the ASA to access a Sun directory server must be able to access the default password policy on that server. We recommend using the directory administrator, or a user with directory administrator privileges, as the DN. Alternatively, you can place an ACI on the default password policy.

Microsoft—You must configure LDAP over SSL to enable password management with Microsoft Active Directory.

See the “Configuring Authorization with LDAP for VPN” section on page 35-16 for more information.


This feature, which is disabled by default, warns a user when the current password is about to expire. The default is to begin warning the user 14 days before expiration:

hostname(config-tunnel-general)# password-management
hostname(config-tunnel-general)#
 

If the server is an LDAP server, you can specify the number of days (0 through 180) before expiration to begin warning the user about the pending expiration:

hostname(config-tunnel-general)# password-management [password-expire in days n]
hostname(config-tunnel-general)#
 
note.gif

Noteblank.gif The password-management command, entered in tunnel-group general-attributes configuration mode replaces the deprecated radius-with-expiry command that was formerly entered in tunnel-group ipsec-attributes mode.


When you configure the password-management command, the ASA notifies the remote user at login that the user’s current password is about to expire or has expired. The ASA then offers the user the opportunity to change the password. If the current password has not yet expired, the user can still log in using that password. The ASA ignores this command if RADIUS or LDAP authentication has not been configured.

Note that this does not change the number of days before the password expires, but rather, the number of days ahead of expiration that the ASA starts warning the user that the password is about to expire.

If you do specify the password-expire-in-days keyword, you must also specify the number of days.

Specifying this command with the number of days set to 0 disables this command. The ASA does not notify the user of the pending expiration, but the user can change the password after it expires.

See Configuring Microsoft Active Directory Settings for Password Management for more information.

note.gif

Noteblank.gif The ASA, releases 7.1 and later, generally supports password management for the AnyConnect VPN Client, the Cisco IPsec VPN Client, the SSL VPN full-tunneling client, and Clientless connections when authenticating with LDAP or with any RADIUS connection that supports MS-CHAPv2. Password management is not supported for any of these connection types for Kerberos/AD (Windows password) or NT 4.0 Domain.

Some RADIUS servers that support MS-CHAP do not currently support MS-CHAPv2. The password-management command requires MS-CHAPv2, so please check with your vendor.

The RADIUS server (for example, Cisco ACS) could proxy the authentication request to another authentication server. However, from the ASA perspective, it is talking only to a RADIUS server.

For LDAP, the method to change a password is proprietary for the different LDAP servers on the market. Currently, the ASA implements the proprietary password management logic only for Microsoft Active Directory and Sun LDAP servers. Native LDAP requires an SSL connection. You must enable LDAP over SSL before attempting to do password management for LDAP. By default, LDAP uses port 636.


Step 10blank.gif Optionally, configure the ability to override an account-disabled indicator from a AAA server, by entering the override-account-disable command:

hostname(config-tunnel-general)# override-account-disable
hostname(config-tunnel-general)#
 
note.gif

Noteblank.gif Allowing override-account-disable is a potential security risk.


Step 11blank.gif Specify the attribute or attributes to use in deriving a name for an authorization query from a certificate. This attribute specifies what part of the subject DN field to use as the username for authorization:

hostname(config-tunnel-general)# authorization-dn-attributes {primary-attribute [secondary-attribute] | use-entire-name}
 

For example, the following command specifies the use of the CN attribute as the username for authorization:

hostname(config-tunnel-general)# authorization-dn-attributes CN
hostname(config-tunnel-general)#
 

The authorization-dn-attributes are C (Country), CN (Common Name), DNQ (DN qualifier), EA (E-mail Address), GENQ (Generational qualifier), GN (Given Name), I (Initials), L (Locality), N (Name), O (Organization), OU (Organizational Unit), SER (Serial Number), SN (Surname), SP (State/Province), T (Title), UID (User ID), and UPN (User Principal Name).

Step 12blank.gif Specify whether to require a successful authorization before allowing a user to connect. The default is not to require authorization.

hostname(config-tunnel-general)# authorization-required
hostname(config-tunnel-general)#
 


 

Configuring Double Authentication

Double authentication is an optional feature that requires a user to enter an additional authentication credential, such as a second username and password, on the login screen. Specify the following commands to configure double authentication.


Step 1blank.gif Specify the secondary authentication server group. This command specifies the AAA server group to use as the secondary AAA server.

note.gif

Noteblank.gif This command applies only to AnyConnect client VPN connections.


The secondary server group cannot specify an SDI server group. By default, no secondary authentication is required.

hostname(config-tunnel-general)# secondary-authentication-server-group [interface_name] {none | LOCAL | groupname [LOCAL]} [use-primary-name]
 

If you use the none keyword, no secondary authentication is required. The groupname value specifies the AAA server group name. Local specifies the use of the internal server database, and when used with the groupname value, LOCAL specifies fallback. For example, to set the primary authentication server group to sdi_group and the secondary authentication server group to ldap_server, enter the following commands:

hostname(config-tunnel-general)# authentication-server-group
hostname(config-tunnel-general)# secondary-authentication-server-group
 
note.gif

Noteblank.gif If you specify the use-primary-name keyword, then the login dialog requests only one username. In addition, if the usernames are extracted from a digital certificate, only the primary username is used for authentication.


Step 2blank.gif If obtaining the secondary username from a certificate, specify the secondary-username-from-certificate command:

hostname(config-tunnel-general)# secondary-username-from-certificate C | CN |... | use-script
 

The values for the DN fields to extract from the certificate for use as a secondary username are the same as for the primary username-from-certificate command. Alternatively, you can specify the use-script keyword, which directs the ASA to use a script file generated by ASDM.

For example, to specify the Common Name as the primary username field and Organizational Unit as the secondary username field, enter the following commands:

hostname(config-tunnel-general)# tunnel-group test1 general-attributes
hostname(config-tunnel-general)# username-from-certificate cn
hostname(config-tunnel-general)# secondary-username-from-certificate ou
 

Step 3blank.gif Specify the secondary-pre-fill-username command in tunnel-group webvpn-attributes mode to enable extracting a secondary username from a client certificate for use in authentication. Use the keywords to specify whether this command applies to a clientless connection or an SSL VPN (AnyConnect) client connection and whether you want to hide the extracted username from the end user. This feature is disabled by default. Clientless and SSL-client options can both exist at the same time, but you must configure them in separate commands.

hostname(config-tunnel-general)# secondary-pre-fill-username-from-certificate {clientless | ssl-client} [hide]
 

For example, to specify the use of pre-fill-username for both the primary and secondary authentication for a connection, enter the following commands:

hostname(config-tunnel-general)# tunnel-group test1 general-attributes
hostname(config-tunnel-general)# pre-fill-username ssl-client
hostname(config-tunnel-general)# secondary-pre-fill-username ssl-client
 

Step 4blank.gif Specify which authentication server to use to obtain the authorization attributes to apply to the connection. The primary authentication server is the default selection. This command is meaningful only for double authentication.

hostname(config-tunnel-general)# authentication-attr-from-server {primary | secondary}
 

For example, to specify the use of the secondary authentication server, enter the following commands:

hostname(config-tunnel-general)# tunnel-group test1 general-attributes
hostname(config-tunnel-general)# authentication-attr-from-server secondary
 

Step 5blank.gif Specify which authentication username, primary or secondary, to associate with the session. The default value is primary. With double authentication enabled, it is possible that two distinct usernames are authenticated for the session. The administrator must designate one of the authenticated usernames as the session username. The session username is the username provided for accounting, session database, syslogs, and debug output.

hostname(config-tunnel-general)# authenticated-session-username {primary | secondary}
 

For example, to specify that the authentication username associated with the session must come from the secondary authentication server, enter the following commands:

hostname(config-tunnel-general)# tunnel-group test1 general-attributes
hostname(config-tunnel-general)# authenticated-session-username secondary
 


 

Configuring Remote-Access Connection Profile IPsec IKEv1 Attributes

To configure the IPsec IKEv1 attributes for a remote-access connection profile, do the following steps. The following description assumes that you have already created the remote-access connection profile. Remote-access connection profiles have more attributes than LAN-to-LAN connection profiles:


Step 1blank.gif To specify the IPsec attributes of an remote-access tunnel-group, enter tunnel-group ipsec-attributes mode by entering the following command. The prompt changes to indicate the mode change:

hostname(config)# tunnel-group tunnel-group-name ipsec-attributes
hostname(config-tunnel-ipsec)#
 

This command enters tunnel-group ipsec-attributes configuration mode, in which you configure the remote-access tunnel-group IPsec attributes.

For example, the following command designates that the tunnel-group ipsec-attributes mode commands that follow pertain to the connection profile named TG1. Notice that the prompt changes to indicate that you are now in tunnel-group ipsec-attributes mode:

hostname(config)# tunnel-group TG1 type remote-access
hostname(config)# tunnel-group TG1 ipsec-attributes
hostname(config-tunnel-ipsec)#
 

Step 2blank.gif Specify the preshared key to support IKEv1 connections based on preshared keys. For example, the following command specifies the preshared key xyzx to support IKEv1 connections for an IPsec IKEv1 remote access connection profile:

hostname(config-tunnel-ipsec)# ikev1 pre-shared-key xyzx
hostname(config-tunnel-ipsec)#
 

Step 3blank.gif Specify whether to validate the identity of the peer using the peer’s certificate:

hostname(config-tunnel-ipsec)# peer-id-validate option
hostname(config-tunnel-ipsec)#
 

The available options are req (required), cert ( if supported by certificate), and nocheck ( do not check). The default is req.

For example, the following command specifies that peer-id validation is required:

hostname(config-tunnel-ipsec)# peer-id-validate req
hostname(config-tunnel-ipsec)#
 

Step 4blank.gif Specify whether to enable sending of a certificate chain. The following command includes the root certificate and any subordinate CA certificates in the transmission:

hostname(config-tunnel-ipsec)# chain
hostname(config-tunnel-ipsec)#
 

This attribute applies to all IPsec tunnel-group types.

Step 5blank.gif Specify the name of a trustpoint that identifies the certificate to be sent to the IKE peer:

hostname(config-tunnel-ipsec)# ikev1 trust-point trust-point-name
hostname(config-tunnel-ipsec)#
 

The following command specifies mytrustpoint as the name of the certificate to be sent to the IKE peer:

hostname(config-ipsec)# ikev1 trust-point mytrustpoint
 

Step 6blank.gif Specify the ISAKMP keepalive threshold and the number of retries allowed.

hostname(config-tunnel-ipsec)# isakmp keepalive threshold <number> retry <number>
hostname(config-tunnel-ipsec)#
 

The threshold parameter specifies the number of seconds (10 through 3600) that the peer is allowed to idle before beginning keepalive monitoring. The retry parameter is the interval (2 through 10 seconds) between retries after a keepalive response has not been received. IKE keepalives are enabled by default. To disable IKE keepalives, enter the no form of the isakmp command:

For example, the following command sets the IKE keepalive threshold value to 15 seconds and sets the retry interval to 10 seconds:

hostname(config-tunnel-ipsec)# isakmp keepalive threshold 15 retry 10
hostname(config-tunnel-ipsec)#
 

The default value for the threshold parameter is 300 for remote-access and 10 for LAN-to-LAN, and the default value for the retry parameter is 2.

To specify that the central site (“head end”) should never initiate ISAKMP monitoring, enter the following command:

hostname(config-tunnel-ipsec)# isakmp keepalive threshold infinite
hostname(config-tunnel-ipsec)#
 

Step 7blank.gif Specify the ISAKMP hybrid authentication method, XAUTH or hybrid XAUTH.

You use isakmp ikev1-user-authentication command to implement hybrid XAUTH authentication when you need to use digital certificates for ASA authentication and a different, legacy method for remote VPN user authentication, such as RADIUS, TACACS+ or SecurID. Hybrid XAUTH breaks phase 1 of IKE down into the following two steps, together called hybrid authentication:

a.blank.gif The ASA authenticates to the remote VPN user with standard public key techniques. This establishes an IKE security association that is unidirectionally authenticated.

b.blank.gif An XAUTH exchange then authenticates the remote VPN user. This extended authentication can use one of the supported legacy authentication methods.

note.gif

Noteblank.gif Before the authentication type can be set to hybrid, you must configure the authentication server, create a preshared key, and configure a trustpoint.


You can use the isakmp ikev1-user-authentication command with the optional interface parameter to specify a particular interface. When you omit the interface parameter, the command applies to all the interfaces and serves as a back-up when the per-interface command is not specified. When there are two isakmp ikev1-user-authentication commands specified for a connection profile, and one uses the interface parameter and one does not, the one specifying the interface takes precedence for that particular interface.

For example, the following commands enable hybrid XAUTH on the inside interface for a connection profile called example-group:

hostname(config)# tunnel-group example-group type remote-access
hostname(config)# tunnel-group example-group ipsec-attributes
hostname(config-tunnel-ipsec)# isakmp ikev1-user-authentication (inside) hybrid
hostname(config-tunnel-ipsec)#
 


 

Configuring IPsec Remote-Access Connection Profile PPP Attributes

To configure the Point-to-Point Protocol attributes for a remote-access connection profile, do the following steps. PPP attributes apply only to IPsec remote-access connection profiles. The following description assumes that you have already created the IPsec remote-access connection profile.


Step 1blank.gif Enter tunnel-group ppp-attributes configuration mode, in which you configure the remote-access tunnel-group PPP attributes, by entering the following command. The prompt changes to indicate the mode change:

hostname(config)# tunnel-group tunnel-group-name type remote-access
hostname(config)# tunnel-group tunnel-group-name ppp-attributes
hostname(config-tunnel-ppp)#
 

For example, the following command designates that the tunnel-group ppp-attributes mode commands that follow pertain to the connection profile named TG1. Notice that the prompt changes to indicate that you are now in tunnel-group ppp-attributes mode:

hostname(config)# tunnel-group TG1 type remote-access
hostname(config)# tunnel-group TG1 ppp-attributes
hostname(config-tunnel-ppp)#
 

Step 2blank.gif Specify whether to enable authentication using specific protocols for the PPP connection. The protocol value can be:

    • pap—Enables the use of Password Authentication Protocol for the PPP connection.
    • chap—Enables the use of Challenge Handshake Authentication Protocol for the PPP connection.
    • ms-chap-v1 or ms-chap-v2—Enables the use of Microsoft Challenge Handshake Authentication Protocol, version 1 or version 2 for the PPP connection.
    • eap—Enables the use of Extensible Authentication protocol for the PPP connection.

CHAP and MSCHAPv1 are enabled by default.

The syntax of this command is:

hostname(config-tunnel-ppp)# authentication protocol
hostname(config-tunnel-ppp)#
 

To disable authentication for a specific protocol, use the no form of the command:

hostname(config-tunnel-ppp)# no authentication protocol
hostname(config-tunnel-ppp)#
 

For example, the following command enables the use of the PAP protocol for a PPP connection.

hostname(config-tunnel-ppp)# authentication pap
hostname(config-tunnel-ppp)#
 

The following command enables the use of the MS-CHAP, version 2 protocol for a PPP connection:

hostname(config-tunnel-ppp)# authentication ms-chap-v2
hostname(config-tunnel-ppp)#
 

The following command enables the use of the EAP-PROXY protocol for a PPP connection:

hostname(config-tunnel-ppp)# authentication pap
hostname(config-tunnel-ppp)#
 

The following command disables the use of the MS-CHAP, version 1 protocol for a PPP connection:

hostname(config-tunnel-ppp)# no authentication ms-chap-v1
hostname(config-tunnel-ppp)#
 


 

Configuring LAN-to-LAN Connection Profiles

An IPsec LAN-to-LAN VPN connection profile applies only to LAN-to-LAN IPsec client connections. While many of the parameters that you configure are the same as for IPsec remote-access connection profiles, LAN-to-LAN tunnels have fewer parameters. The following sections show you how to configure a LAN-to-LAN connection profile:

Default LAN-to-LAN Connection Profile Configuration

The contents of the default LAN-to-LAN connection profile are as follows:

tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
no accounting-server-group
default-group-policy DfltGrpPolicy
tunnel-group DefaultL2LGroup ipsec-attributes
no ikev1 pre-shared-key
peer-id-validate req
no chain
no ikev1 trust-point
isakmp keepalive threshold 10 retry 2
 

LAN-to-LAN connection profiles have fewer parameters than remote-access connection profiles, and most of these are the same for both groups. For your convenience in configuring the connection, they are listed separately here. Any parameters that you do not explicitly configure inherit their values from the default connection profile.

Specifying a Name and Type for a LAN-to-LAN Connection Profile

To specify a name and a type for a connection profile, enter the tunnel-group command, as follows:

hostname(config)# tunnel-group tunnel_group_name type tunnel_type
 

For a LAN-to-LAN tunnel, the type is ipsec-l2l.; for example, to create the LAN-to-LAN connection profile named docs, enter the following command:

hostname(config)# tunnel-group docs type ipsec-l2l
hostname(config)#
 

Configuring LAN-to-LAN Connection Profile General Attributes

To configure the connection profile general attributes, do the following steps:


Step 1blank.gif Enter tunnel-group general-attributes mode by specifying the general-attributes keyword:

hostname(config)# tunnel-group_tunnel-group-name general-attributes
hostname(config-tunnel-general)#
 

The prompt changes to indicate that you are now in config-general mode, in which you configure the tunnel-group general attributes.

For example, for the connection profile named docs, enter the following command:

hostname(config)# tunnel-group_docs general-attributes
hostname(config-tunnel-general)#

 

Step 2blank.gif Specify the name of the accounting-server group, if any, to use:

hostname(config-tunnel-general)# accounting-server-group groupname
hostname(config-tunnel-general)#
 

For example, the following command specifies the use of the accounting-server group acctgserv1:

hostname(config-tunnel-general)# accounting-server-group acctgserv1
hostname(config-tunnel-general)#
 

Step 3blank.gif Specify the name of the default group policy:

hostname(config-tunnel-general)# default-group-policy policyname
hostname(config-tunnel-general)#
 

For example, the following command specifies that the name of the default group policy is MyPolicy:

hostname(config-tunnel-general)# default-group-policy MyPolicy
hostname(config-tunnel-general)#
 


 

Configuring LAN-to-LAN IPsec IKEv1 Attributes

To configure the IPsec IKEv1 attributes, do the following steps:


Step 1blank.gif To configure the tunnel-group IPsec IKEv1 attributes, enter tunnel-group ipsec-attributes configuration mode by entering the tunnel-group command with the IPsec-attributes keyword.

hostname(config)# tunnel-group tunnel-group-name ipsec-attributes
hostname(config-tunnel-ipsec)#
 

For example, the following command enters config-ipsec mode so you can configure the parameters for the connection profile named TG1:

hostname(config)# tunnel-group TG1 ipsec-attributes
hostname(config-tunnel-ipsec)#
 

The prompt changes to indicate that you are now in tunnel-group ipsec-attributes configuration mode.

Step 2blank.gif Specify the preshared key to support IKEv1 connections based on preshared keys.

hostname(config-tunnel-ipsec)# ikev1 pre-shared-key key
hostname(config-tunnel-ipsec)#
 

For example, the following command specifies the preshared key XYZX to support IKEv1 connections for an LAN-to-LAN connection profile:

hostname(config-tunnel-ipsec)# ikev1 pre-shared-key xyzx
hostname(config-tunnel-general)#
 

Step 3blank.gif Specify whether to validate the identity of the peer using the peer’s certificate:

hostname(config-tunnel-ipsec)# peer-id-validate option
hostname(config-tunnel-ipsec)#
 

The available options are req (required), cert ( if supported by certificate), and nocheck ( do not check). The default is req. For example, the following command sets the peer-id-validate option to nocheck :

hostname(config-tunnel-ipsec)# peer-id-validate nocheck
hostname(config-tunnel-ipsec)#
 

Step 4blank.gif Specify whether to enable sending of a certificate chain. This action includes the root certificate and any subordinate CA certificates in the transmission:

hostname(config-tunnel-ipsec)# chain
hostname(config-tunnel-ipsec)#
 

You can apply this attribute to all tunnel-group types.

Step 5blank.gif Specify the name of a trustpoint that identifies the certificate to be sent to the IKE peer:

hostname(config-tunnel-ipsec)# trust-point trust-point-name
hostname(config-tunnel-ipsec)#
 

For example, the following command sets the trustpoint name to mytrustpoint:

hostname(config-tunnel-ipsec)# trust-point mytrustpoint
hostname(config-tunnel-ipsec)#
 

You can apply this attribute to all tunnel-group types.

Step 6blank.gif Specify the ISAKMP (IKE) keepalive threshold and the number of retries allowed. The threshold parameter specifies the number of seconds (10 through 3600) that the peer is allowed to idle before beginning keepalive monitoring. The retry parameter is the interval (2 through 10 seconds) between retries after a keepalive response has not been received. IKE keepalives are enabled by default. To disable ISAKMP keepalives, enter isakmp keepalive disable.

 

For example, the following command sets the ISAKMP keepalive threshold to 15 seconds and sets the retry interval to 10 seconds:

hostname(config-tunnel-ipsec)# isakmp keepalive threshold 15 retry 10
hostname(config-tunnel-ipsec)#
 

The default value for the threshold parameter for LAN-to-LAN is 10, and the default value for the retry parameter is 2.

To specify that the central site (“head end”) should never initiate ISAKMP monitoring, enter the following command:

hostname(config-tunnel-ipsec)# isakmp keepalive threshold infinite
hostname(config-tunnel-ipsec)#
 

Step 7blank.gif Specify the ISAKMP hybrid authentication method, XAUTH or hybrid XAUTH.

You use isakmp ikev1-user-authentication command to implement hybrid XAUTH authentication when you need to use digital certificates for ASA authentication and a different, legacy method for remote VPN user authentication, such as RADIUS, TACACS+ or SecurID. Hybrid XAUTH breaks phase 1 of IKE down into the following two steps, together called hybrid authentication:

a.blank.gif The ASA authenticates to the remote VPN user with standard public key techniques. This establishes an IKE security association that is unidirectionally authenticated.

b.blank.gif An XAUTH exchange then authenticates the remote VPN user. This extended authentication can use one of the supported legacy authentication methods.

note.gif

Noteblank.gif Before the authentication type can be set to hybrid, you must configure the authentication server, create a preshared key, and configure a trustpoint.


For example, the following commands enable hybrid XAUTH for a connection profile called example-group:

hostname(config)# tunnel-group example-group type remote-access
hostname(config)# tunnel-group example-group ipsec-attributes
hostname(config-tunnel-ipsec)# isakmp ikev1-user-authentication hybrid
hostname(config-tunnel-ipsec)#


 

Configuring Connection Profiles for Clientless SSL VPN Sessions

The tunnel-group general attributes for clientless SSL VPN connection profiles are the same as those for IPsec remote-access connection profiles, except that the tunnel-group type is webvpn and the strip-group and strip-realm commands do not apply. You define the attribute specific to clientless SSL VPN separately. The following sections describe how to configure clientless SSL VPN connection profiles:

Configuring General Tunnel-Group Attributes for Clientless SSL VPN Sessions

To configure or change the connection profile general attributes, specify the parameters in the following steps.


Step 1blank.gif To configure the general attributes, enter tunnel-group general-attributes command, which enters tunnel-group general-attributes configuration mode. Note that the prompt changes:

hostname(config)# tunnel-group tunnel_group_name general-attributes
hostname(config-tunnel-general)#
 

To configure the general attributes for TunnelGroup3, created in the previous section, enter the following command:

hostname(config)# tunnel-group TunnelGroup3 general-attributes
hostname(config-tunnel-general)#
 

Step 2blank.gif Specify the name of the authentication-server group, if any, to use. If you want to use the LOCAL database for authentication if the specified server group fails, append the keyword LOCAL:

hostname(config-tunnel-general)# authentication-server-group groupname [LOCAL]
hostname(config-tunnel-general)#
 

For example, to configure the authentication server group named test, and to provide fallback to the LOCAL server if the authentication server group fails, enter the following command:

hostname(config-tunnel-general)# authentication-server-group test LOCAL
hostname(config-tunnel-general)#
 

The authentication-server-group name identifies a previously configured authentication server or group of servers. Use the aaa-server command to configure authentication servers. The maximum length of the group tag is 16 characters.

You can also configure interface-specific authentication by including the name of an interface in parentheses before the group name. The following interfaces are available by default:

    • inside—Name of interface GigabitEthernet0/1
    • outside— Name of interface GigabitEthernet0/0

Other interfaces you have configured (using the interface command) are also available. The following command configures interface-specific authentication for the interface named outside using the server servergroup1 for authentication:

hostname(config-tunnel-general)# authentication-server-group (outside) servergroup1
hostname(config-tunnel-general)#
 

Step 3blank.gif Optionally, specify the name of the authorization-server group, if any, to use. If you are not using authorization, go to Step 6. When you configure this value, users must exist in the authorization database to connect:

hostname(config-tunnel-general)# authorization-server-group groupname
hostname(config-tunnel-general)#
 

Use the aaa-server command to configure authorization servers. The maximum length of the group tag is 16 characters.

For example, the following command specifies the use of the authorization-server group FinGroup:

hostname(config-tunnel-general)# authorization-server-group FinGroup
hostname(config-tunnel-general)#
 

Step 4blank.gif Specify whether to require a successful authorization before allowing a user to connect. The default is not to require authorization.

hostname(config-tunnel-general)# authorization-required
hostname(config-tunnel-general)#
 

Step 5blank.gif Specify the attribute or attributes to use in deriving a name for an authorization query from a certificate. This attribute specifies what part of the subject DN field to use as the username for authorization:

hostname(config-tunnel-general)# authorization-dn-attributes {primary-attribute [secondary-attribute] | use-entire-name}
 

For example, the following command specifies the use of the CN attribute as the username for authorization:

hostname(config-tunnel-general)# authorization-dn-attributes CN
hostname(config-tunnel-general)#
 

The authorization-dn-attributes are C (Country), CN (Common Name), DNQ (DN qualifier), EA (E-mail Address), GENQ (Generational qualifier), GN (Given Name), I (Initials), L (Locality), N (Name), O (Organization), OU (Organizational Unit), SER (Serial Number), SN (Surname), SP (State/Province), T (Title), UID (User ID), and UPN (User Principal Name).

Step 6blank.gif Optionally, specify the name of the accounting-server group, if any, to use. If you are not using accounting, go to Step 7. Use the aaa-server command to configure accounting servers. The maximum length of the group tag is 16 characters.:

hostname(config-tunnel-general)# accounting-server-group groupname
hostname(config-tunnel-general)#
 

For example, the following command specifies the use of the accounting-server group comptroller:

hostname(config-tunnel-general)# accounting-server-group comptroller
hostname(config-tunnel-general)#
 

Step 7blank.gif Optionally, specify the name of the default group policy. The default value is DfltGrpPolicy:

hostname(config-tunnel-general)# default-group-policy policyname
hostname(config-tunnel-general)#
 

The following example sets MyDfltGrpPolicy as the name of the default group policy:

hostname(config-tunnel-general)# default-group-policy MyDfltGrpPolicy
hostname(config-tunnel-general)#
 

Step 8blank.gif Optionally, specify the name or IP address of the DHCP server (up to 10 servers), and the names of the DHCP address pools (up to 6 pools). Separate the list items with spaces. The defaults are no DHCP server and no address pool.

hostname(config-tunnel-general)# dhcp-server server1 [...server10]
hostname(config-tunnel-general)# address-pool [(interface name)] address_pool1 [...address_pool6]
hostname(config-tunnel-general)#
 
note.gif

Noteblank.gif The interface name must be enclosed in parentheses.


You configure address pools with the ip local pool command in global configuration mode. See Chapter 68, “Configuring IP Addresses for VPNs” for information about configuring address pools.

Step 9blank.gif Optionally, if your server is a RADIUS, RADIUS with NT, or LDAP server, you can enable password management.

note.gif

Note If you are using an LDAP directory server for authentication, password management is supported with the Sun Microsystems JAVA System Directory Server (formerly named the Sun ONE Directory Server) and the Microsoft Active Directory.

  • Sun—The DN configured on the ASA to access a Sun directory server must be able to access the default password policy on that server. We recommend using the directory administrator, or a user with directory administrator privileges, as the DN. Alternatively, you can place an ACI on the default password policy.
  • Microsoft—You must configure LDAP over SSL to enable password management with Microsoft Active Directory.

See the “Configuring Authorization with LDAP for VPN” section on page 35-16 for more information.


 

This feature, which is enabled by default, warns a user when the current password is about to expire. The default is to begin warning the user 14 days before expiration:

hostname(config-tunnel-general)# password-management
hostname(config-tunnel-general)#
 

If the server is an LDAP server, you can specify the number of days (0 through 180) before expiration to begin warning the user about the pending expiration:

hostname(config-tunnel-general)# password-management [password-expire in days n]
hostname(config-tunnel-general)#
 
note.gif

Noteblank.gif The password-management command, entered in tunnel-group general-attributes configuration mode replaces the deprecated radius-with-expiry command that was formerly entered in tunnel-group ipsec-attributes mode.


When you configure this command, the ASA notifies the remote user at login that the user’s current password is about to expire or has expired. The ASA then offers the user the opportunity to change the password. If the current password has not yet expired, the user can still log in using that password. The ASA ignores this command if RADIUS or LDAP authentication has not been configured.

Note that this does not change the number of days before the password expires, but rather, the number of days ahead of expiration that the ASA starts warning the user that the password is about to expire.

If you do specify the password-expire-in-days keyword, you must also specify the number of days.

See Configuring Microsoft Active Directory Settings for Password Management for more information.

Step 10blank.gif Specifying this command with the number of days set to 0 disables this command. The ASA does not notify the user of the pending expiration, but the user can change the password after it expires.Optionally, configure the ability to override an account-disabled indicator from the AAA server, by entering the override-account-disable command:

hostname(config-tunnel-general)# override-account-disable
hostname(config-tunnel-general)#
 
note.gif

Noteblank.gif Allowing override account-disabled is a potential security risk.



 

Configuring Tunnel-Group Attributes for Clientless SSL VPN Sessions

To configure the parameters specific to a clientless SSL VPN connection profile, follow the steps in this section. Clientless SSL VPN was formerly known as WebVPN, and you configure these attributes in tunnel-group webvpn-attributes mode.


Step 1blank.gif To specify the attributes of a clientless SSL VPN tunnel-group, enter tunnel-group webvpn-attributes mode by entering the following command. The prompt changes to indicate the mode change:

hostname(config)# tunnel-group tunnel-group-name webvpn-attributes
hostname(config-tunnel-ipsec)#
 

For example, to specify the webvpn-attributes for the clientless SSL VPN tunnel-group named sales, enter the following command:

hostname(config)# tunnel-group sales webvpn-attributes
hostname(config-tunnel-webvpn)#
 

Step 2blank.gif To specify the authentication method to use: AAA, digital certificates, or both, enter the authentication command. You can specify either aaa or certificate or both, in any order.

hostname(config-tunnel-webvpn)# authentication authentication_method
hostname(config-tunnel-webvpn)#
 

For example, The following command allows both AAA and certificate authentication:

hostname(config-tunnel-webvpn)# authentication aaa certificate
hostname(config-tunnel-webvpn)#
 

Applying Customization

Customizations determine the appearance of the windows that the user sees upon login. You configure the customization parameters as part of configuring clientless SSL VPN.

To apply a previously defined web-page customization to change the look-and-feel of the web page that the user sees at login, enter the customization command in username webvpn configuration mode:

hostname(config-username-webvpn)# customization {none | value customization_name}
hostname(config-username-webvpn)#
 

For example, to use the customization named blueborder, enter the following command:

hostname(config-username-webvpn)# customization value blueborder
hostname(config-username-webvpn)#
 

You configure the customization itself by entering the customization command in webvpn mode.

The following example shows a command sequence that first establishes a customization named “123” that defines a password prompt. The example then defines a clientless SSL VPN tunnel-group named “test” and uses the customization command to specify the use of the customization named “123”:

hostname(config)# webvpn
hostname(config-webvpn)# customization 123
hostname(config-webvpn-custom)# password-prompt Enter password
hostname(config-webvpn)# exit
hostname(config)# tunnel-group test type webvpn
hostname(config)# tunnel-group test webvpn-attributes
hostname(config-tunnel-webvpn)# customization value 123
hostname(config-tunnel-webvpn)#
 

Step 3blank.gif The ASA queries NetBIOS name servers to map NetBIOS names to IP addresses. Clientless SSL VPN requires NetBIOS to access or share files on remote systems. Clientless SSL VPN uses NetBIOS and the CIFS protocol to access or share files on remote systems. When you attempt a file-sharing connection to a Windows computer by using its computer name, the file server you specify corresponds to a specific NetBIOS name that identifies a resource on the network.

To make the NBNS function operational, you must configure at least one NetBIOS server (host). You can configure up to three NBNS servers for redundancy. The ASA uses the first server on the list for NetBIOS/CIFS name resolution. If the query fails, it uses the next server.

To specify the name of the NBNS (NetBIOS Name Service) server to use for CIFS name resolution, use the nbns-server command. You can enter up to three server entries. The first server you configure is the primary server, and the others are backups, for redundancy. You can also specify whether this is a master browser (rather than just a WINS server), the timeout interval, and the number of retries. A WINS server or a master browser is typically on the same network as the ASA, or reachable from that network. You must specify the timeout interval before the number of retries:

hostname(config-tunnel-webvpn)# nbns-server {host-name | IP_address} [master] [timeout seconds] [retry number]
hostname(config-tunnel-webvpn)#
 

For example, to configure the server named nbnsprimary as the primary server and the server 192.168.2.2 as the secondary server, each allowing three retries and having a 5-second timeout, enter the following command:

hostname(config)# name 192.168.2.1 nbnsprimary
hostname(config-tunnel-webvpn)# nbns-server nbnsprimary master timeout 5 retry 3
hostname(config-tunnel-webvpn)# nbns-server 192.168.2.2 timeout 5 retry 3
hostname(config-tunnel-webvpn)#
 

The timeout interval can range from 1 through 30 seconds (default 2), and the number of retries can be in the range 0 through 10 (default 2).

The nbns-server command in tunnel-group webvpn-attributes configuration mode replaces the deprecated nbns-server command in webvpn configuration mode.

Step 4blank.gif To specify alternative names for the group, use the group-alias command. Specifying the group alias creates one or more alternate names by which the user can refer to a tunnel-group. The group alias that you specify here appears in the drop-down list on the user’s login page. Each group can have multiple aliases or no alias, each specified in separate commands. This feature is useful when the same group is known by several common names, such as “Devtest” and “QA”.

For each group alias, enter a group-alias command. Each alias is enabled by default. You can optionally explicitly enable or disable each alias:

hostname(config-tunnel-webvpn)# group-alias alias [enable | disable]
hostname(config-tunnel-webvpn)#
 

For example, to enable the aliases QA and Devtest for a tunnel-group named QA, enter the following commands:

hostname(config-tunnel-webvpn)# group-alias QA enable
hostname(config-tunnel-webvpn)# group-alias Devtest enable
hostname(config-tunnel-webvpn)#
 
note.gif

Noteblank.gif The webvpn tunnel-group-list must be enabled for the (dropdown) group list to appear.


Step 5blank.gif To specify incoming URLs or IP addresses for the group, use the group-url command. Specifying a group URL or IP address eliminates the need for the user to select a group at login. When a user logs in, the ASA looks for the user’s incoming URL or address in the tunnel-group-policy table. If it finds the URL or address and if group-url is enabled in the connection profile, then the ASA automatically selects the associated connection profile and presents the user with only the username and password fields in the login window. This simplifies the user interface and has the added advantage of never exposing the list of groups to the user. The login window that the user sees uses the customizations configured for that connection profile.

If the URL or address is disabled and group-alias is configured, then the dropdown list of groups is also displayed, and the user must make a selection.

You can configure multiple URLs or addresses (or none) for a group. Each URL or address can be enabled or disabled individually. You must use a separate group-url command for each URL or address specified. You must specify the entire URL or address, including either the http or https protocol.

You cannot associate the same URL or address with multiple groups. The ASA verifies the uniqueness of the URL or address before accepting the URL or address for a connection profile.

For each group URL or address, enter a group-url command. You can optionally explicitly enable (the default) or disable each URL or alias:

hostname(config-tunnel-webvpn)# group-url url [enable | disable]
hostname(config-tunnel-webvpn)#

 

For example, to enable the group URLs http://www.cisco.com and http://192.168.10.10 for the tunnel-group named RadiusServer, enter the following commands:

hostname(config)# tunnel-group RadiusServer type webvpn
hostname(config)# tunnel-group RadiusServer general-attributes
hostname(config-tunnel-general)# authentication server-group RADIUS
hostname(config-tunnel-general)# accounting-server-group RADIUS
hostname(config-tunnel-general)# tunnel-group RadiusServer webvpn-attributes
hostname(config-tunnel-webvpn)# group-alias “Cisco Remote Access” enable
hostname(config-tunnel-webvpn)# group-url http://www.cisco.com enable
hostname(config-tunnel-webvpn)# group-url http://192.168.10.10 enable
hostname(config-tunnel-webvpn)#
 

For a more extensive example, see Customizing Login Windows for Users of Clientless SSL VPN sessions.

Step 6blank.gif To exempt certain users from running Cisco Secure Desktop on a per connection profile basis if they enter one of the group-urls, enter the following command:

hostname(config-tunnel-webvpn)# without-csd
hostname(config-tunnel-webvpn)#
note.gif

Noteblank.gif Entering this command prevents the detection of endpoint conditions for these sessions, so you may need to adjust the dynamic access policy (DAP) configuration.


Step 7blank.gif To specify the DNS server group to use for a connection profile for clientless SSL VPN sessions, use the dns-group command. The group you specify must be one you already configured in global configuration mode (using the dns server-group and name-server commands).

By default, the connection profile uses the DNS server group DefaultDNS. However, this group must be configured before the security appliance can resolve DNS requests.

The following example configures a new DNS server group named corp_dns and specifies that server group for the connection profile telecommuters:

hostname(config)# dns server-group corp_dns
hostname(config-dns-server-group)# domain-name cisco.com
hostname(config-dns-server-group)# name-server 209.165.200.224
 
hostname(config)# tunnel-group telecommuters webvpn-attributes
hostname(config-tunnel-webvpn)# dns-group corp_dns
hostname(config-tunnel-webvpn)#
 

Step 8blank.gif (Optional) To enable extracting a username from a client certificate for use in authentication and authorization, use the pre-fill-username command in tunnel-group webvpn-attributes mode. There is no default value.

hostname(config)# pre-fill-username {ssl-client | clientless}
 

The pre-fill-username command enables the use of a username extracted from the certificate field specified in the username-from-certificate command (in tunnel-group general-attributes mode) as the username for username/password authentication and authorization. To use this pre-fill username from certificate feature, you must configure both commands.

note.gif

Noteblank.gif In Release 8.0.4, the username is not pre-filled; instead, any data sent in the username field is ignored.


The following example, entered in global configuration mode, creates an IPsec remote access tunnel group named remotegrp, enables getting the username from a certificate, and specifies that the name for an authentication or authorization query for an SSL VPN client must be derived from a digital certificate:

hostname(config)# tunnel-group remotegrp type ipsec_ra
hostname(config)# tunnel-group remotegrp general-attributes
hostname(config-tunnel-general)# username-from-certificate CN OU
hostname(config)# tunnel-group remotegrp webvpn-attributes
hostname(config-tunnel-webvpn)# pre-fill-username ssl-client
hostname(config-tunnel-webvpn)#
 

Step 9blank.gif (Optional) To specify whether to override the group policy or username attributes configuration for downloading an AnyConnect or SSL VPN client, use the override-svc-download command. This feature is disabled by default.

The security appliance allows clientless or AnyConnect client connections for remote users based on whether clientless and/or SSL VPN is enabled in the group policy or username attributes with the vpn-tunnel-protocol command. The anyconnect ask command further modifies the client user experience by prompting the user to download the client or return to the WebVPN home page.

However, you might want clientless users logging in under specific tunnel groups to not experience delays waiting for the download prompt to expire before being presented with the clientless SSL VPN home page. You can prevent delays for these users at the connection profile level with the override-svc-download command. This command causes users logging through a connection profile to be immediately presented with the clientless SSL VPN home page regardless of the vpn-tunnel-protocol or anyconnect ask command settings.

In the following example, the you enter tunnel-group webvpn attributes configuration mode for the connection profile engineering and enable the connection profile to override the group policy and username attribute settings for client download prompts:

hostname(config)# tunnel-group engineering webvpn-attributes
hostname(config-tunnel-webvpn)# override-svc-download
 

Step 10blank.gif (Optional) To enable the display of a RADIUS reject message on the login screen when authentication is rejected, use the radius-eject-message command:

The following example enables the display of a RADIUS rejection message for the connection profile named engineering:

hostname(config)# tunnel-group engineering webvpn-attributes
hostname(config-tunnel-webvpn)# radius-reject-message
 


 

Customizing Login Windows for Users of Clientless SSL VPN sessions

You can set up different login windows for different groups by using a combination of customization profiles and connection profiles. For example, assuming that you had created a customization profile called salesgui, you can create a connection profile for clientless SSL VPN sessions called sales that uses that customization profile, as the following example shows:


Step 1blank.gif In webvpn mode, define a customization for clientless SSL VPN access, in this case named salesgui and change the default logo to mycompanylogo.gif. You must have previously loaded mycompanylogo.gif onto the flash memory of the ASA and saved the configuration. See “ Chapter 74, “Configuring Clientless SSL VPN” ” for details.

hostname# webvpn
hostname (config-webvpn)# customization value salesgui
hostname(config-webvpn-custom)# logo file disk0:\mycompanylogo.gif
hostname(config-webvpn-custom)#
 

Step 2blank.gif In global configuration mode, set up a username and associate with it the customization for clientless SSL VPN that you’ve just defined:

hostname# username seller attributes
hostname(config-username)# webvpn
hostname(config-username-webvpn)# customization value salesgui
hostname(config-username-webvpn)# exit
hostname(config-username)# exit
hostname#
 

Step 3blank.gif In global configuration mode, create a tunnel-group for clientless SSL VPN sessions named sales:

hostname# tunnel-group sales type webvpn
hostname(config-tunnel-webvpn)#
 

Step 4blank.gif Specify that you want to use the salesgui customization for this connection profile:

hostname# tunnel-group sales webvpn-attributes
hostname(config-tunnel-webvpn)# customization salesgui
 

Step 5blank.gif Set the group URL to the address that the user enters into the browser to log in to the ASA; for example, if the ASA has the IP address 192.168.3.3, set the group URL to https://192.168.3.3:

hostname(config-tunnel-webvpn)# group-url https://192.168.3.3.
hostname(config-tunnel-webvpn)#
 

If a port number is required for a successful login, include the port number, preceded by a colon. The ASA maps this URL to the sales connection profile and applies the salesgui customization profile to the login screen that the user sees upon logging in to https://192.168.3.3.


 

Configuring Microsoft Active Directory Settings for Password Management

note.gif

Note If you are using an LDAP directory server for authentication, password management is supported with the Sun Microsystems JAVA System Directory Server (formerly named the Sun ONE Directory Server) and the Microsoft Active Directory.

  • Sun—The DN configured on the ASA to access a Sun directory server must be able to access the default password policy on that server. We recommend using the directory administrator, or a user with directory administrator privileges, as the DN. Alternatively, you can place an ACI on the default password policy.
  • Microsoft—You must configure LDAP over SSL to enable password management with Microsoft Active Directory.

See the “Configuring Authorization with LDAP for VPN” section on page 35-16 for more information.


 

To use password management with Microsoft Active Directory, you must set certain Active Directory parameters as well as configuring password management on the ASA. This section describes the Active Directory settings associated with various password management actions. These descriptions assume that you have also enabled password management on the ASA and configured the corresponding password management attributes. The specific steps in the following sections refer to Active Directory terminology under Windows 2000.

The following sections assume that you are using an LDAP directory server for authentication.

Using Active Directory to Force the User to Change Password at Next Logon

To force a user to change the user password at the next logon, specify the password-management command in tunnel-group general-attributes configuration mode on the ASA and do the following steps under Active Directory:


Step 1blank.gif Select to Start > Programs > Administrative Tools > Active Directory Users and Computers (Figure 67-1).

Figure 67-1 Active Directory—Administrative Tools Menu

 

153981.jpg

Step 2blank.gif Right-click Username > Properties > Account.

Step 3blank.gif Check the check box for User must change password at next logon (Figure 67-2).

Figure 67-2 Active Directory—User Must Change Password at Next Logon

 

153985.jpg


 

The next time this user logs on, the ASA displays the following prompt: “New password required. Password change required. You must enter a new password with a minimum length n to continue.” You can set the minimum required password length, n, as part of the Active Directory configuration at Start > Programs > Administrative Tools > Domain Security Policy > Windows Settings > Security Settings > Account Policies > Password Policy. Select Minimum password length.

Using Active Directory to Specify Maximum Password Age

To enhance security, you can specify that passwords expire after a certain number of days. To specify a maximum password age for a user password, specify the password-management command in tunnel-group general-attributes configuration mode on the ASA and do the following steps under Active Directory:


Step 1blank.gif Select Start > Programs > Administrative Tools > Domain Security Policy > Windows Settings > Security Settings > Account Policies > Password Policy.

Step 2blank.gif Double-click Maximum password age. This opens the Security Policy Setting dialog box.

Step 3blank.gif Check the Define this policy setting check box and specify the maximum password age, in days, that you want to allow.

Figure 67-3 Active Directory—Maximum Password Age

 

153983.jpg


 

note.gif

Noteblank.gif The radius-with-expiry command, formerly configured as part of tunnel-group remote-access configuration to perform the password age function, is deprecated. The password-management command, entered in tunnel-group general-attributes mode, replaces it.


Using Active Directory to Override an Account Disabled AAA Indicator

To override an account-disabled indication from a AAA server, specify the override-account-disable command in tunnel-group general-attributes configuration mode on theASA and do the following steps under Active Directory:

note.gif

Noteblank.gif Allowing override account-disabled is a potential security risk.



Step 1blank.gif Select Start > Programs > Administrative Tools > Active Directory Users and Computers.

Step 2blank.gif Right-click Username > Properties > Account and select Disable Account from the menu.

Figure 67-4 Active Directory—Override Account Disabled

 

153980.jpg


 

The user should be able to log on successfully, even though a AAA server provides an account-disabled indicator.

Using Active Directory to Enforce Minimum Password Length

To enforce a minimum length for passwords, specify the password-management command in tunnel-group general-attributes configuration mode on the ASA and do the following steps under Active Directory:


Step 1blank.gif Select Start > Programs > Administrative Tools > Domain Security Policy.

Step 2blank.gif Select Windows Settings > Security Settings > Account Policies > Password Policy.

Step 3blank.gif Double-click Minimum Password Length. This opens the Security Policy Setting dialog box.

Step 4blank.gif Check the Define this policy setting check box and specify the minimum number of characters that the password must contain.

Figure 67-5 Active Directory—Minimum Password Length

 

153984.jpg

Using Active Directory to Enforce Password Complexity

To enforce complex passwords—for example, to require that a password contain upper- and lowercase letters, numbers, and special characters—specify the password-management command in tunnel-group general-attributes configuration mode on the ASA and do the following steps under Active Directory:


Step 1blank.gif Select Start > Programs > Administrative Tools > Domain Security Policy. Select Windows Settings > Security Settings > Account Policies > Password Policy.

Step 2blank.gif Double-click Password must meet complexity requirements to open the Security Policy Setting dialog box.

Step 3blank.gif Check the Define this policy setting check box and select Enable.

Figure 67-6 Active Directory—Enforce Password Complexity

 

153982.jpg


 

Enforcing password complexity takes effect only when the user changes passwords; for example, when you have configured Enforce password change at next login or Password expires in n days. At login, the user receives a prompt to enter a new password, and the system will accept only a complex password.

Configuring the Connection Profile for RADIUS/SDI Message Support for the AnyConnect Client

This section describes procedures to ensure that the AnyConnect VPN client using RSA SecureID Software tokens can properly respond to user prompts delivered to the client through a RADIUS server proxying to an SDI server(s). This section contains the following topics:

note.gif

Noteblank.gif If you have configured the double-authentication feature, SDI authentication is supported only on the primary authentication server.


AnyConnect Client and RADIUS/SDI Server Interaction

When a remote user connects to the ASA with the AnyConnect VPN client and attempts to authenticate using an RSA SecurID token, the ASA communicates with the RADIUS server, which in turn, communicates with the SDI server about the authentication.

During authentication, the RADIUS server presents access challenge messages to the ASA. Within these challenge messages are reply messages containing text from the SDI server. The message text is different when the ASA is communicating directly with an SDI server than when communicating through the RADIUS proxy. Therefore, in order to appear as a native SDI server to the AnyConnect client, the ASA must interpret the messages from the RADIUS server.

Also, because the SDI messages are configurable on the SDI server, the message text on the ASA must match (in whole or in part) the message text on the SDI server. Otherwise, the prompts displayed to the remote client user may not be appropriate for the action required during authentication. The AnyConnect client may fail to respond and authentication may fail.

The following section describes how to configure the ASA to ensure successful authentication between the client and the SDI server:

Configuring the Security Appliance to Support RADIUS/SDI Messages

The following section describes the steps to configure the ASA to interpret SDI-specific RADIUS reply messages and prompt the AnyConnect user for the appropriate action:


Step 1blank.gif Configure a connection profile (tunnel group) to forward RADIUS reply messages in a manner that simulates direct communication with an SDI server using the proxy-auth sdi command from tunnel-group webvpn configuration mode. Users authenticating to the SDI server must connect over this connection profile.

For example:

hostname(config)# tunnel-group sales webvpn attributes
hostname(tunnel-group-webvpn)# proxy-auth sdi
 

Step 2blank.gif Configure the RADIUS reply message text on the ASA to match (in whole or in part) the message text sent by the RADIUS server with the proxy-auth_map sdi command from tunnel-group webvpn configuration mode.

The default message text used by the ASA is the default message text used by Cisco Secure Access Control Server (ACS). If you are using Cisco Secure ACS, and it is using the default message text, you do not need to configure the message text on the ASA. Otherwise, use the proxy-auth_map sdi command to ensure the message text matches.

Table 67-3 shows the message code, the default RADIUS reply message text, and the function of each message. Because the security appliance searches for strings in the order that they appear in the table, you must ensure that the string you use for the message text is not a subset of another string.

For example, “new PIN” is a subset of the default message text for both new-pin-sup and next-ccode-and-reauth. If you configure new-pin-sup as “new PIN”, when the security appliance receives “new PIN with the next card code” from the RADIUS server, it will match the text to the new-pin-sup code instead of the next-ccode-and-reauth code.

Table 67-3 SDI Op-codes, Default Message Text, and Message Function

Message Code
Default RADIUS Reply Message Text
Function

next-code

Enter Next PASSCODE

Indicates the user must enter the NEXT tokencode without the PIN.

new-pin-sup

Please remember your new PIN

Indicates the new system PIN has been supplied and displays that PIN for the user.

new-pin-meth

Do you want to enter your own pin

Requests from the user which new PIN method to use to create a new PIN.

new-pin-req

Enter your new Alpha-Numerical PIN

Indicates a user-generated PIN and requests that the user enter the PIN.

new-pin-reenter

Reenter PIN:

Used internally by the ASA for user-supplied PIN confirmation. The client confirms the PIN without prompting the user.

new-pin-sys-ok

New PIN Accepted

Indicates the user-supplied PIN was accepted.

next-ccode-and-reauth

new PIN with the next card code

Follows a PIN operation and indicates the user must wait for the next tokencode and to enter both the new PIN and next tokencode to authenticate.

ready-for-sys-
pin

ACCEPT A SYSTEM GENERATED PIN

Used internally by the ASA to indicate the user is ready for the system-generated PIN.

The following example enters aaa-server-host mode and changes the text for the RADIUS reply message new-pin-sup :

hostname(config)# aaa-server radius_sales host 10.10.10.1
hostname(config-aaa-server-host)# proxy-auth_map sdi new-pin-sup “This is your new PIN”

Group Policies

This section describes group policies and how to configure them. It includes the following sections:

A group policy is a set of user-oriented attribute/value pairs for IPsec connections that are stored either internally (locally) on the device or externally on a RADIUS server. The connection profile uses a group policy that sets terms for user connections after the tunnel is established. Group policies let you apply whole sets of attributes to a user or a group of users, rather than having to specify each attribute individually for each user.

Enter the group-policy commands in global configuration mode to assign a group policy to users or to modify a group policy for specific users.

The ASA includes a default group policy. In addition to the default group policy, which you can modify but not delete, you can create one or more group policies specific to your environment.

You can configure internal and external group policies. Internal groups are configured on the ASA’s internal database. External groups are configured on an external authentication server, such as RADIUS. Group policies include the following attributes:

  • Identity
  • Server definitions
  • Client firewall settings
  • Tunneling protocols
  • IPsec settings
  • Hardware client settings
  • Filters
  • Client configuration settings
  • Connection settings

 

Default Group Policy

The ASA supplies a default group policy. You can modify this default group policy, but you cannot delete it. A default group policy, named DfltGrpPolicy, always exists on the ASA, but this default group policy does not take effect unless you configure the ASA to use it. When you configure other group policies, any attribute that you do not explicitly specify takes its value from the default group policy. To view the default group policy, enter the following command:

hostname(config)# show running-config all group-policy DfltGrpPolicy
hostname(config)#
 

To configure the default group policy, enter the following command:

hostname(config)# group-policy DfltGrpPolicy internal
hostname(config)#
 
note.gif

Noteblank.gif The default group policy is always internal. Despite the fact that the command syntax is
hostname(config)# group-policy DfltGrpPolicy {internal | external}, you cannot change its type to external.


To change any of the attributes of the default group policy, use the group-policy attributes command to enter attributes mode, then specify the commands to change whatever attributes that you want to modify:

hostname(config)# group-policy DfltGrpPolicy attributes
 
note.gif

Noteblank.gif The attributes mode applies only to internal group policies.


The default group policy, DfltGrpPolicy, that the ASA provides is as follows:

show run all group-policy DfltGrpPolicy
group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
ipv6-vpn-filter none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-clientless
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
msie-proxy pac-url none
msie-proxy lockdown enable
vlan none
nac-settings none
address-pools none
ipv6-address-pools none
smartcard-removal-disconnect enable
scep-forwarding-url none
client-firewall none
client-access-rule none
webvpn
url-list none
filter none
homepage none
html-content-filter none
port-forward name Application Access
port-forward disable
http-proxy disable
sso-server none
anyconnect ssl dtls enable
anyconnect mtu 1406
anyconnect firewall-rule client-interface private none
anyconnect firewall-rule client-interface public none
anyconnect keep-installer installed
anyconnect ssl keepalive 20
anyconnect ssl rekey time none
anyconnect ssl rekey method none
anyconnect dpd-interval client 30
anyconnect dpd-interval gateway 300
anyconnect ssl compression none
anyconnect modules none
anyconnect profiles none
anyconnect ask none
customization none
keep-alive-ignore 4
http-comp gzip
download-max-size 2147483647
upload-max-size 2147483647
post-max-size 2147483647
user-storage none
storage-objects value cookies,credentials
storage-key none
hidden-shares none
smart-tunnel disable
activex-relay enable
unix-auth-uid 65534
unix-auth-gid 65534
file-entry enable
file-browsing enable
url-entry enable
deny-message value Login was successful, but because certain criteria
have not been met or due to some specific group policy, you do not have
permission to use any of the VPN features.
Contact your IT administrator for more information
smart-tunnel auto-signon disable
anyconnect ssl df-bit-ignore disable
anyconnect routing-filtering-ignore disable
smart-tunnel tunnel-policy tunnelall
always-on-vpn profile-setting
 

You can modify the default group policy, and you can also create one or more group policies specific to your environment.

Configuring Group Policies

A group policy can apply to any kind of tunnel. In each case, if you do not explicitly define a parameter, the group takes the value from the default group policy. To configure a group policy, follow the steps in the subsequent sections.

Configuring an External Group Policy

External group policies take their attribute values from the external server that you specify. For an external group policy, you must identify the AAA server group that the ASA can query for attributes and specify the password to use when retrieving attributes from the external AAA server group. If you are using an external authentication server, and if your external group-policy attributes exist in the same RADIUS server as the users that you plan to authenticate, you have to make sure that there is no name duplication between them.

note.gif

Noteblank.gif External group names on the ASA refer to user names on the RADIUS server. In other words, if you configure external group X on the ASA, the RADIUS server sees the query as an authentication request for user X. So external groups are really just user accounts on the RADIUS server that have special meaning to the ASA. If your external group attributes exist in the same RADIUS server as the users that you plan to authenticate, there must be no name duplication between them


The ASA supports user authorization on an external LDAP or RADIUS server. Before you configure the ASA to use an external server, you must configure the server with the correct ASA authorization attributes and, from a subset of these attributes, assign specific permissions to individual users. Follow the instructions in Appendix C, “Configuring an External Server for Authorization and Authentication” to configure your external server.

To configure an external group policy, do the following steps specify a name and type for the group policy, along with the server-group name and a password:

hostname(config)# group-policy group_policy_name type server-group server_group_name password server_password
hostname(config)#
 
note.gif

Noteblank.gif For an external group policy, RADIUS is the only supported AAA server type.


For example, the following command creates an external group policy named ExtGroup that gets its attributes from an external RADIUS server named ExtRAD and specifies that the password to use when retrieving the attributes is newpassword:

hostname(config)# group-policy ExtGroup external server-group ExtRAD password newpassword
hostname(config)#
 
note.gif

Noteblank.gif You can configure several vendor-specific attributes (VSAs), as described in Appendix C, “Configuring an External Server for Authorization and Authentication”. If a RADIUS server is configured to return the Class attribute (#25), the ASA uses that attribute to authenticate the Group Name. On the RADIUS server, the attribute must be formatted as: OU=groupname; where groupname is identical to the Group Name configured on the ASA—for example, OU=Finance.


Configuring an Internal Group Policy

To configure an internal group policy, specify a name and type for the group policy:

hostname(config)# group-policy group_policy_name type
hostname(config)#
 

For example, the following command creates the internal group policy named GroupPolicy1:

hostname(config)# group-policy GroupPolicy1 internal
hostname(config)#
 

The default type is internal.

You can initialize the attributes of an internal group policy to the values of a preexisting group policy by appending the keyword from and specifying the name of the existing policy:

hostname(config)# group-policy group_policy_name internal from group_policy_name
hostname(config-group-policy)#
hostname(config-group-policy)#
 

Configuring Group Policy Attributes

For internal group policies, you can specify particular attribute values. To begin, enter group-policy attributes mode, by entering the group-policy attributes command in global configuration mode.

hostname(config)# group-policy name attributes
hostname(config-group-policy)#
 

The prompt changes to indicate the mode change. The group-policy-attributes mode lets you configure attribute-value pairs for a specified group policy. In group-policy-attributes mode, explicitly configure the attribute-value pairs that you do not want to inherit from the default group. The commands to do this are described in the following sections.

Configuring WINS and DNS Servers

You can specify primary and secondary WINS servers and DNS servers. The default value in each case is none. To specify these servers, do the following steps:


Step 1blank.gif Specify the primary and secondary WINS servers:

hostname(config-group-policy)# wins-server value {ip_address [ip_address] | none}
hostname(config-group-policy)#
 

The first IP address specified is that of the primary WINS server. The second (optional) IP address is that of the secondary WINS server. Specifying the none keyword instead of an IP address sets WINS servers to a null value, which allows no WINS servers and prevents inheriting a value from a default or specified group policy.

Every time that you enter the wins-server command, you overwrite the existing setting. For example, if you configure WINS server x.x.x.x and then configure WINS server y.y.y.y, the second command overwrites the first, and y.y.y.y becomes the sole WINS server. The same is true for multiple servers. To add a WINS server rather than overwrite previously configured servers, include the IP addresses of all WINS servers when you enter this command.

The following example shows how to configure WINS servers with the IP addresses 10.10.10.15 and 10.10.10.30 for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# wins-server value 10.10.10.15 10.10.10.30
hostname(config-group-policy)#
 

Step 2blank.gif Specify the primary and secondary DNS servers:

hostname(config-group-policy)# dns-server value {ip_address [ip_address] | none}
hostname(config-group-policy)#
 

The first IP address specified is that of the primary DNS server. The second (optional) IP address is that of the secondary DNS server. Specifying the none keyword instead of an IP address sets DNS servers to a null value, which allows no DNS servers and prevents inheriting a value from a default or specified group policy.

Every time that you enter the dns-server command you overwrite the existing setting. For example, if you configure DNS server x.x.x.x and then configure DNS server y.y.y.y, the second command overwrites the first, and y.y.y.y becomes the sole DNS server. The same is true for multiple servers. To add a DNS server rather than overwrite previously configured servers, include the IP addresses of all DNS servers when you enter this command.

The following example shows how to configure DNS servers with the IP addresses 10.10.10.15, and 10.10.10.30 for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# dns-server value 10.10.10.15 10.10.10.30
hostname(config-group-policy)#
 

Step 3blank.gif Configure the DHCP network scope:

hostname(config-group-policy)# dhcp-network-scope {ip_address | none}
hostname(config-group-policy)#
 

DHCP scope specifies the range of IP addresses (that is, a subnetwork) that the ASA DHCP server should use to assign addresses to users of this group policy.

The following example shows how to set an IP subnetwork of 10.10.85.0 (specifying the address range of 10.10.85.0 through 10.10.85.255) for the group policy named First Group:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# dhcp-network-scope 10.10.85.0
 


 

Configuring VPN-Specific Attributes

Follow the steps in this section to set the VPN attribute values. The VPN attributes control the access hours, the number of simultaneous logins allowed, the timeouts, the egress VLAN or ACL to apply to VPN sessions, and the tunnel protocol:


Step 1blank.gif Set the VPN access hours. To do this, you associate a group policy with a configured time-range policy, using the vpn-access-hours command in group-policy configuration mode.

hostname(config-group-policy)# vpn-access-hours value {time-range | none}
 

A group policy can inherit a time-range value from a default or specified group policy. To prevent this inheritance, enter the none keyword instead of the name of a time-range in this command. This keyword sets VPN access hours to a null value, which allows no time-range policy.

The time-range variable is the name of a set of access hours defined in global configuration mode using the time-range command. The following example shows how to associate the group policy named FirstGroup with a time-range policy called 824:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-access-hours value 824
 

Step 2blank.gif Specify the number of simultaneous logins allowed for any user, using the vpn-simultaneous-logins command in group-policy configuration mode.

hostname(config-group-policy)# vpn-simultaneous-logins integer
 

The default value is 3. The range is an integer in the range 0 through 2147483647. A group policy can inherit this value from another group policy. Enter 0 to disable login and prevent user access. The following example shows how to allow a maximum of 4 simultaneous logins for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-simultaneous-logins 4
hostname(config-group-policy)#
 
note.gif

Noteblank.gif While the maximum limit for the number of simultaneous logins is very large, allowing several simultaneous logins could compromise security and affect performance.


Stale AnyConnect, IPsec Client, or Clientless sessions (sessions that are terminated abnormally) might remain in the session database, even though a “new” session has been established with the same username.

If the value of vpn-simultaneous-logins is 1, and the same user logs in again after an abnormal termination, then the stale session is removed from the database and the new session is established. If, however, the existing session is still an active connection and the same user logs in again, perhaps from another PC, the first session is logged off and removed from the database, and the new session is established.

If the number of simultaneous logins is a value greater than 1, then, when you have reached that maximum number and try to log in again, the session with the longest idle time is logged off. If all current sessions have been idle an equally long time, then the oldest session is logged off. This action frees up a session and allows the new login.

Step 3blank.gif Configure the user timeout period by entering the vpn-idle-timeout command in group-policy configuration mode or in username configuration mode:

hostname(config-group-policy)# vpn-idle-timeout {minutes | none}
hostname(config-group-policy)#
 

AnyConnect (SSL IPsec/IKEv2): Use the global WebVPN default-idle-timeout value (seconds) from the command: hostname(config-webvpn)# default-idle-timeout

The range for this value in the WebVPN default-idle-timeout command is 60-86400 seconds; the default Global WebVPN Idle timeout in seconds -- default is 1800 seconds (30 min).

Note A non-zero idle timeout value is required by ASA for all AnyConnect connections.

For a WebVPN user, the default-idle-timeout value is enforced only if vpn-idle-timeout none is set in the group policy/username attribute.

Site-to-Site (IKEv1, IKEv2) and IKEv1 remote-access: Disable timeout and allow for an unlimited idle period.The following example shows how to set a VPN idle timeout of 15 minutes for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-idle-timeout 15
hostname(config-group-policy)#
 

Step 4blank.gif Configure the the time at which an idle-timeout alert message is displayed to the user using the vpn-idle-timeout alert-interval {minutes | none} command. This alert message tells users how many minutes left they have until their VPN session is disconnected due to inactivity.

The following example shows how to set vpn-idle-timeout alert-interval so that users will be notified 20 minutes before their VPN session is disconnected due to inactivity. You can specify a range of 1-30 minutes.

hostname(config-webvpn)# vpn-idle-timeout alert-interval 20

The none parameter of the command indicates that users will not receive an alert.

The no form of the command: no vpn-idle-timeout alert-interval

indicates that the VPN idle timeout alert-interval attribute will be inherited from the Default Group Policy.

Step 5blank.gif Configure a maximum amount of time for VPN connections, using the vpn-session-timeout command in group-policy configuration mode or in username configuration mode.

hostname(config-group-policy)# vpn-session-timeout {minutes | none}
hostname(config-group-policy)#
 

The minimum time is 1 minute, and the maximum time is 35791394 minutes. There is no default value. At the end of this period of time, the ASA terminates the connection.

A group policy can inherit this value from another group policy. To prevent inheriting a value, enter the none keyword instead of specifying a number of minutes with this command. Specifying the none keyword permits an unlimited session timeout period and sets session timeout with a null value, which disallows a session timeout.

The following example shows how to set a VPN session timeout of 180 minutes for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-session-timeout 180
hostname(config-group-policy)#
 

Step 6blank.gif Configure the the time at which a session-timeout alert message is displayed to the user using the vpn-session-timeout alert-interval {minutes | none} command. This alert message tells users how many minutes left they have until their VPN session is automatically disconnected.

The following example shows how to set the vpn-session-timeout alert-interval so that users will be notified 20 minutes before their VPN session is disconnected. You can specify a range of 1-30 minutes.

hostname(config-webvpn)# vpn-session-timeout alert-interval 20

The none parameter of the command indicates that users will not receive an alert.

The no form of the command: no vpn-session-timeout alert-interval

indicates that the VPN session timeout alert-interval attribute will be inherited from the Default Group Policy.

Step 7blank.gif Choose one of the following options to specify an egress VLAN (also called “VLAN mapping”) for remote access or specify an ACL to filter the traffic:

    • Enter the following command in group-policy configuration mode to specify the egress VLAN for remote access VPN sessions assigned to this group policy or to a group policy that inherits this group policy:

hostname(config-group-policy)# [ no ] vlan { vlan_id | none }

no vlan removes the vlan_id from the group policy. The group policy inherits the vlan value from the default group policy.

vlan none removes the vlan_id from the group policy and disables VLAN mapping for this group policy. The group policy does not inherit the vlan value from the default group policy.

vlan_id in the command vlan vlan_id is the number of the VLAN, in decimal format, to assign to remote access VPN sessions that use this group policy. The VLAN must be configured on this ASA per the instructions in the “Configuring VLAN Subinterfaces and 802.1Q Trunking” section on page 6-30.

none disables the assignment of a VLAN to the remote access VPN sessions that match this group policy.

note.gif

Noteblank.gif The egress VLAN feature works for HTTP connections, but not for FTP and CIFS.


    • Specify the name of the ACL to apply to VPN session, using the vpn - filter command in group policy mode. (You can also configure this attribute in username mode, in which case the value configured under username supersedes the group-policy value.)
hostname(config-group-policy)# vpn-filter {value ACL name | none}
hostname(config-group-policy)#
 

You configure ACLs to permit or deny various types of traffic for this group policy. You then enter the vpn-filter command to apply those ACLs.

To remove the ACL, including a null value created by entering the vpn - filter none command, enter the no form of this command. The no option allows inheritance of a value from another group policy.

A group policy can inherit this value from another group policy. To prevent inheriting a value, enter the none keyword instead of specifying an ACL name. The none keyword indicates that there is no access list and sets a null value, thereby disallowing an access list.

The following example shows how to set a filter that invokes an access list named acl_vpn for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-filter acl_vpn
hostname(config-group-policy)#

A vpn-filter command is applied to post-decrypted traffic after it exits a tunnel and pre-encrypted traffic before it enters a tunnel. An ACL that is used for a vpn-filter should NOT also be used for an interface access-group. When a vpn-filter command is applied to a group policy that governs Remote Access VPN client connections, the ACL should be configured with the client assigned IP addresses in the src_ip position of the ACL and the local network in the dest_ip position of the ACL.

When a vpn-filter command is applied to a group-policy that governs a LAN to LAN VPN connection, the ACL should be configured with the remote network in the src_ip position of the ACL and the local network in the dest_ip position of the ACL.

Caution should be used when constructing the ACLs for use with the vpn-filter feature. The ACLs are constructed with the post-decrypted traffic in mind. However, ACLs are also applied to the traffic in the opposite direction. For this pre-encrypted traffic that is destined for the tunnel, the ACLs are constructed with the src_ip and dest_ip positions swapped.

In the following example, the vpn-filter is used with a Remote Access VPN client.
This example assumes that the client assigned IP address is 10.10.10.1/24 and the local network is 192.168.1.0/24.

The following ACE will allow the Remote Access VPN client to telnet to the local network:

hostname(config-group-policy)# access-list vpnfilt-ra permit 10.10.10.1 255.255.255.255 192.168.1.0 255.255.255.0 eq 23

 

The following ACE will allow the local network to telnet to the Remote Access client:

hostname(config-group-policy)# access-list vpnfilt-ra permit 10.10.10.1 255.255.255.255 eq 23 192.168.1.0 255.255.255.0
note.gif

Noteblank.gif Note: The ACE access-list vpnfilt-ra permit 10.10.10.1 255.255.255.255 192.168.1.0 255.255.255.0 eq 23 will allow the local network to initiate a connection to the Remote Access client on any TCP port if it uses a source port of 23. The ACE access-list vpnfilt-ra permit 10.10.10.1 255.255.255.255 eq 23 192.168.1.0 255.255.255.0 will allow the Remote Access client to initiate a connection to the local network on any TCP port if it uses a source port of 23.


In the next example, the vpn-filter is used with a LAN to LAN VPN connection. This example assumes that the remote network is 10.0.0.0/24 and the local network is 192.168.1.0/24.
The following ACE will allow remote network to telnet to the local network:

hostname(config-group-policy)# access-list vpnfilt-l2l permit 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 23

 

The following ACE will allow the local network to telnet to the remote network:

hostname(config-group-policy)# access-list vpnfilt-l2l permit 10.0.0.0 255.255.255.0 eq 23 192.168.1.0 255.255.255.0
note.gif

Noteblank.gif Note: The ACE access-list vpnfilt-l2l permit 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 23 will allow the local network to initiate a connection to the remote network on any TCP port if it uses a source port of 23. The ACE access-list vpnfilt-l2l permit 10.0.0.0 255.255.255.0 eq 23 192.168.1.0 255.255.255.0 will allow the remote network to initiate a connection to the local network on any TCP port if it uses a source port of 23.


 

Step 8blank.gif Specify the VPN tunnel type for this group policy.

vpn-tunnel-protocol { ikev1 | ikev2 | l2tp-ipsec | ssl-client | ssl-clientless}

The default is IPsec. To remove the attribute from the running configuration, enter the no form of this command.

The parameter values for this command follow:

    • ikev1—Negotiates an IPsec IKEv1 tunnel between two peers (the Cisco VPN Client or another secure gateway). Creates security associations that govern authentication, encryption, encapsulation, and key management.
    • ikev2—Negotiates an IPsec IKEv2 tunnel between two peers (the AnyConnect Secure Mobility Client or another secure gateway). Creates security associations that govern authentication, encryption, encapsulation, and key management.
    • l2tp-ipsec —Negotiates an IPsec tunnel for an L2TP connection
    • ssl-client—Negotiates an SSL tunnel using TLS or DTLS with the AnyConnect Secure Mobility Client.
    • ssl-clientless —Provides VPN services to remote users via an HTTPS-enabled web browser, and does not require a client.

Enter this command to configure one or more tunneling modes. You must configure at least one tunneling mode for users to connect over a VPN tunnel.

The following example shows how to configure the IPsec IKEv1 tunneling mode for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-tunnel-protocol ikev1
hostname(config-group-policy)#
 


 

Configuring Security Attributes

The attributes in this section specify certain security settings for the group:


Step 1blank.gif Specify whether to let users store their login passwords on the client system, using the password-storage command with the enable keyword in group-policy configuration mode. To disable password storage, use the password-storage command with the disable keyword.

hostname(config-group-policy)# password-storage {enable | disable}
hostname(config-group-policy)#
 

For security reasons, password storage is disabled by default. Enable password storage only on systems that you know to be in secure sites.

To remove the password-storage attribute from the running configuration, enter the no form of this command:

hostname(config-group-policy)# no password-storage
hostname(config-group-policy)#
 

Specifying the no form enables inheritance of a value for password-storage from another group policy.

This command does not apply to interactive hardware client authentication or individual user authentication for hardware clients.

The following example shows how to enable password storage for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# password-storage enable
hostname(config-group-policy)#
 

Step 2blank.gif Specify whether to enable IP compression, which is disabled by default.

note.gif

Noteblank.gif IP compression is not supported for IPsec IKEv2 connections.


hostname(config-group-policy)# ip-comp {enable | disable}
hostname(config-group-policy)#
 

To enable LZS IP compression, enter the ip-comp command with the enable keyword in group-policy configuration mode. To disable IP compression, enter the ip-comp command with the disable keyword.

To remove the ip-comp attribute from the running configuration, enter the no form of this command. This enables inheritance of a value from another group policy.

hostname(config-group-policy)# no ip-comp
hostname(config-group-policy)#
 

Enabling data compression might speed up data transmission rates for remote dial-in users connecting with modems.

caut.gif

Caution blank.gif Data compression increases the memory requirement and CPU usage for each user session and consequently decreases the overall throughput of the ASA. For this reason, we recommend that you enable data compression only for remote users connecting with a modem. Design a group policy specific to modem users, and enable compression only for them.

Step 3blank.gif Specify whether to require that users reauthenticate on IKE re-key by using the re-xauth command with the enable keyword in group-policy configuration mode.

note.gif

Noteblank.gif IKE re-key is not supported for IKEv2 connections.


If you enable reauthentication on IKE re-key, the ASA prompts the user to enter a username and password during initial Phase 1 IKE negotiation and also prompts for user authentication whenever an IKE re-key occurs. Reauthentication provides additional security.

If the configured re-key interval is very short, users might find the repeated authorization requests inconvenient. To avoid repeated authorization requests, disable reauthentication. To check the configured re-key interval, in monitoring mode, enter the show crypto ipsec sa command to view the security association lifetime in seconds and lifetime in kilobytes of data. To disable user reauthentication on IKE re-key, enter the disable keyword. Reauthentication on IKE re-key is disabled by default.

hostname(config-group-policy)# re-xauth {enable | disable}
hostname(config-group-policy)#
 

To enable inheritance of a value for reauthentication on IKE re-key from another group policy, remove the re-xauth attribute from the running configuration by entering the no form of this command.

hostname(config-group-policy)# no re-xauth
hostname(config-group-policy)#
 
note.gif

Noteblank.gif Reauthentication fails if there is no user at the other end of the connection.


Step 4blank.gif Specify whether to restrict remote users to access only through the connection profile, using the group-lock command in group-policy configuration mode.

hostname(config-group-policy)# group-lock {value tunnel-grp-name | none}
hostname(config-group-policy)# no group-lock
hostname(config-group-policy)#
 

The tunnel-grp-name variable specifies the name of an existing connection profile that the ASA requires for the user to connect. Group-lock restricts users by checking if the group configured in the VPN client is the same as the connection profile to which the user is assigned. If it is not, the ASA prevents the user from connecting. If you do not configure group-lock, the ASA authenticates users without regard to the assigned group. Group locking is disabled by default.

To remove the group-lock attribute from the running configuration, enter the no form of this command. This option allows inheritance of a value from another group policy.

To disable group-lock, enter the group-lock command with the none keyword. The none keyword sets group-lock to a null value, thereby allowing no group-lock restriction. It also prevents inheriting a group-lock value from a default or specified group policy

Step 5blank.gif Specify whether to enable perfect forward secrecy. In IPsec negotiations, perfect forward secrecy ensures that each new cryptographic key is unrelated to any previous key. A group policy can inherit a value for perfect forward secrecy from another group policy. Perfect forward secrecy is disabled by default. To enable perfect forward secrecy, use the pfs command with the enable keyword in group-policy configuration mode.

hostname(config-group-policy)# pfs {enable | disable}
hostname(config-group-policy)#
 

To disable perfect forward secrecy, enter the pfs command with the disable keyword.

To remove the perfect forward secrecy attribute from the running configuration and prevent inheriting a value, enter the no form of this command.

hostname(config-group-policy)# no pfs
hostname(config-group-policy)#
 


 

Configuring the Banner Message

Specify the banner, or welcome message, if any, that you want to display. The default is no banner. The message that you specify is displayed on remote clients when they connect. To specify a banner, enter the banner command in group-policy configuration mode. The banner text can be up to 510 characters long. Enter the “\n” sequence to insert a carriage return.

note.gif

Noteblank.gif A carriage-return/line-feed included in the banner counts as two characters.


To delete a banner, enter the no form of this command. Be aware that using the no version of the command deletes all banners for the group policy.

A group policy can inherit this value from another group policy. To prevent inheriting a value, enter the none keyword instead of specifying a value for the banner string, as follows:

hostname(config-group-policy)# banner {value banner_string | none}
 

The following example shows how to create a banner for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# banner value Welcome to Cisco Systems 7.0.
 

Configuring IPsec-UDP Attributes for IKEv1

IPsec over UDP, sometimes called IPsec through NAT, lets a Cisco VPN client or hardware client connect via UDP to a ASA that is running NAT. It is disabled by default. IPsec over UDP is proprietary; it applies only to remote-access connections, and it requires mode configuration. The ASA exchanges configuration parameters with the client while negotiating SAs. Using IPsec over UDP may slightly degrade system performance.

To enable IPsec over UDP, configure the ipsec-udp command with the enable keyword in group-policy configuration mode, as follows:

hostname(config-group-policy)# ipsec-udp {enable | disable}
hostname(config-group-policy)# no ipsec-udp
 

To use IPsec over UDP, you must also configure the ipsec-udp-port command, as described below.

To disable IPsec over UDP, enter the disable keyword. To remove the IPsec over UDP attribute from the running configuration, enter the no form of this command. This enables inheritance of a value for IPsec over UDP from another group policy.

The Cisco VPN client must also be configured to use IPsec over UDP (it is configured to use it by default). The VPN 3002 requires no configuration to use IPsec over UDP.

The following example shows how to set IPsec over UDP for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# ipsec-udp enable
 

If you enabled IPsec over UDP, you must also configure the ipsec-udp-port command in group-policy configuration mode. This command sets a UDP port number for IPsec over UDP. In IPsec negotiations, the ASA listens on the configured port and forwards UDP traffic for that port even if other filter rules drop UDP traffic. The port numbers can range from 4001 through 49151. The default port value is 10000.

To disable the UDP port, enter the no form of this command. This enables inheritance of a value for the IPsec over UDP port from another group policy.

hostname(config-group-policy)# ipsec-udp-port port
 

The following example shows how to set an IPsec UDP port to port 4025 for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# ipsec-udp-port 4025
 

Configuring Split-Tunneling Attributes

Split tunneling lets a remote-access client conditionally direct packets over a VPN tunnel in encrypted form or to a network interface in clear text form. With split tunneling enabled, packets not bound for destinations on the other side of the tunnel do not have to be encrypted, sent across the tunnel, decrypted, and then routed to a final destination. The split-tunnel-policy command applies this split tunneling policy to a specific network.

note.gif

Noteblank.gif The ASA does not currently support split tunneling for IPv6 traffic. The ASA tunnels all IPv6 traffic through the VPN connection, even when the it has no IPv6 configuration.


Differences in Client Split Tunneling Behavior for Traffic within the Subnet

The AnyConnect client and the legacy Cisco VPN client (the IPsec/IKEv1 client) behave differently when passing traffic to sites within the same subnet as the IP address assigned by the ASA. With AnyConnect, the client passes traffic to all sites specified in the split tunneling policy you configured, and to all sites that fall within the same subnet as the IP address assigned by the ASA. For example, if the IP address assigned by the ASA is 10.1.1.1 with a mask of 255.0.0.0, the endpoint device passes all traffic destined to 10.0.0.0/8, regardless of the split tunneling policy.

By contrast, the legacy Cisco VPN client only passes traffic to addresses specified by the split-tunneling policy, regardless of the subnet assigned to the client.

Therefore, use a netmask for the assigned IP address that properly references the expected local subnet.

Setting the Split-Tunneling Policy

Set the rules for tunneling traffic by specifying the split-tunneling policy:

hostname(config-group-policy)# split-tunnel-policy {tunnelall | tunnelspecified | excludespecified}
hostname(config-group-policy)# no split-tunnel-policy
 

The default is to tunnel all traffic. To set a split tunneling policy, enter the split-tunnel-policy command in group-policy configuration mode. To remove the split-tunnel-policy attribute from the running configuration, enter the no form of this command. This enables inheritance of a value for split tunneling from another group policy.

The excludespecified keyword defines a list of networks to which traffic goes in the clear. This feature is useful for remote users who want to access devices on their local network, such as printers, while they are connected to the corporate network through a tunnel. This option applies only to the Cisco VPN client.

The tunnelall keyword specifies that no traffic goes in the clear or to any other destination than the ASA. This, in effect, disables split tunneling. Remote users reach Internet networks through the corporate network and do not have access to local networks. This is the default option.

The tunnelspecified keyword tunnels all traffic from or to the specified networks. This option enables split tunneling. It lets you create a network list of addresses to tunnel. Data to all other addresses travels in the clear and is routed by the remote user’s Internet service provider.

note.gif

Noteblank.gif Split tunneling is primarily a traffic management feature, not a security feature. For optimum security, we recommend that you do not enable split tunneling.


The following example shows how to set a split tunneling policy of tunneling only specified networks for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# split-tunnel-policy tunnelspecified
 

Creating a Network List for Split-Tunneling

Create a network list for split tunneling using the split-tunnel-network-list command in group-policy configuration mode.

hostname(config-group-policy)# split-tunnel-network-list {value access-list_name | none}
hostname(config-group-policy)# no split-tunnel-network-list value [access-list_name]
 

Split tunneling network lists distinguish networks that require traffic to travel across the tunnel from those that do not require tunneling. The ASA makes split tunneling decisions on the basis of a network list, which is an ACL that consists of a list of addresses on the private network.

If you use extended ACLs, the source network determines the split-tunneling network. The destination network is ignored. In addition, because any is not an actual IP address or network address, do not use the term for the source in the ACL.

The value access-list name parameter identifies an access list that enumerates the networks to tunnel or not tunnel.

The none keyword indicates that there is no network list for split tunneling; the ASA tunnels all traffic. Specifying the none keyword sets a split tunneling network list with a null value, thereby disallowing split tunneling. It also prevents inheriting a default split tunneling network list from a default or specified group policy.

To delete a network list, enter the no form of this command. To delete all split tunneling network lists, enter the no split-tunnel-network-list command without arguments. This command deletes all configured network lists, including a null list if you created one by entering the none keyword.

When there are no split tunneling network lists, users inherit any network lists that exist in the default or specified group policy. To prevent users from inheriting such network lists, enter the split-tunnel-network-list none command.

The following example shows how to set a network list called FirstList for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# split-tunnel-network-list FirstList
 

Configuring Domain Attributes for Tunneling

You can specify a default domain name for tunneled packets or a list of domains to be resolved through the split tunnel. The following sections describe how to set these domains.

Defining a Default Domain Name for Tunneled Packets

The ASA passes the default domain name to the IPsec client to append to DNS queries that omit the domain field. When there are no default domain names, users inherit the default domain name in the default group policy. To specify the default domain name for users of the group policy, enter the default-domain command in group-policy configuration mode. To delete a domain name, enter the no form of this command.

hostname(config-group-policy)# default-domain {value domain-name | none}
hostname(config-group-policy)# no default-domain [domain-name]
 

The value domain-name parameter identifies the default domain name for the group. To specify that there is no default domain name, enter the none keyword. This command sets a default domain name with a null value, which disallows a default domain name and prevents inheriting a default domain name from a default or specified group policy.

To delete all default domain names, enter the no default-domain command without arguments. This command deletes all configured default domain names, including a null list if you created one by entering the default-domain command with the none keyword. The no form allows inheriting a domain name.

The following example shows how to set a default domain name of FirstDomain for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# default-domain value FirstDomain
 

Defining a List of Domains for Split Tunneling

Enter a list of domains to be resolved through the split tunnel. Enter the split-dns command in group-policy configuration mode. To delete a list, enter the no form of this command.

When there are no split tunneling domain lists, users inherit any that exist in the default group policy. To prevent users from inheriting such split tunneling domain lists, enter the split-dns command with the none keyword.

To delete all split tunneling domain lists, enter the no split-dns command without arguments. This deletes all configured split tunneling domain lists, including a null list created by issuing the split-dns command with the none keyword.

The parameter value domain-name provides a domain name that the ASA resolves through the split tunnel. The none keyword indicates that there is no split DNS list. It also sets a split DNS list with a null value, thereby disallowing a split DNS list, and prevents inheriting a split DNS list from a default or specified group policy. The syntax of the command is as follows:

hostname(config-group-policy)# split-dns {value domain-name1 [domain-name2... domain-nameN] | none}
hostname(config-group-policy)# no split-dns [domain-name domain-name2 domain-nameN]
 

Enter a single space to separate each entry in the list of domains. There is no limit on the number of entries, but the entire string can be no longer than 255 characters. You can use only alphanumeric characters, hyphens (-), and periods (.). If the default domain name is to be resolved through the tunnel, you must explicitly include that name in this list.

The following example shows how to configure the domains Domain1, Domain2, Domain3, and Domain4 to be resolved through split tunneling for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# split-dns value Domain1 Domain2 Domain3 Domain4
 

Configuring DHCP Intercept

A Microsoft XP anomaly results in the corruption of domain names if split tunnel options exceed 255 bytes. To avoid this problem, the ASA limits the number of routes it sends to 27 to 40 routes, with the number of routes dependent on the classes of the routes.

DHCP Intercept lets Microsoft Windows XP clients use split-tunneling with the ASA. The ASA replies directly to the Microsoft Windows XP client DHCP Inform message, providing that client with the subnet mask, domain name, and classless static routes for the tunnel IP address. For Windows clients prior to Windows XP, DHCP Intercept provides the domain name and subnet mask. This is useful in environments in which using a DHCP server is not advantageous.

The intercept-dhcp command enables or disables DHCP intercept. The syntax of this command is as follows:

[ no ] intercept-dhcp

hostname(config-group-policy)# intercept-dhcp netmask {enable | disable}
hostname(config-group-policy)#
 

The netmask variable provides the subnet mask for the tunnel IP address. The no version of the command removes the DHCP intercept from the configuration.

The following example shows how to set DHCP Intercepts for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# intercept-dhcp enable
 

Configuring Attributes for VPN Hardware Clients

The commands in this section enable or disable secure unit authentication and user authentication, and set a user authentication timeout value for VPN hardware clients. They also let you allow Cisco IP phones and LEAP packets to bypass individual user authentication and allow hardware clients using Network Extension Mode to connect.

Configuring Secure Unit Authentication

Secure unit authentication provides additional security by requiring VPN hardware clients to authenticate with a username and password each time that the client initiates a tunnel. With this feature enabled, the hardware client does not have a saved username and password. Secure unit authentication is disabled by default.

note.gif

Noteblank.gif With this feature enabled, to bring up a VPN tunnel, a user must be present to enter the username and password.


Secure unit authentication requires that you have an authentication server group configured for the connection profile the hardware client(s) use. If you require secure unit authentication on the primary ASA, be sure to configure it on any backup servers as well.

Specify whether to enable secure unit authentication by entering the secure-unit-authentication command with the enable keyword in group-policy configuration mode.

hostname(config-group-policy)# secure-unit-authentication {enable | disable}
hostname(config-group-policy)# no secure-unit-authentication
 

To disable secure unit authentication, enter the disable keyword. To remove the secure unit authentication attribute from the running configuration, enter the no form of this command. This option allows inheritance of a value for secure unit authentication from another group policy.

The following example shows how to enable secure unit authentication for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# secure-unit-authentication enable
 

Configuring User Authentication

User authentication is disabled by default. When enabled, user authentication requires that individual users behind a hardware client authenticate to gain access to the network across the tunnel. Individual users authenticate according to the order of authentication servers that you configure.

Specify whether to enable user authentication by entering the user-authentication command with the enable keyword in group-policy configuration mode.

hostname(config-group-policy)# user-authentication {enable | disable}
hostname(config-group-policy)# no user-authentication
 

To disable user authentication, enter the disable keyword. To remove the user authentication attribute from the running configuration, enter the no form of this command. This option allows inheritance of a value for user authentication from another group policy.

If you require user authentication on the primary ASA, be sure to configure it on any backup servers as well.

The following example shows how to enable user authentication for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# user-authentication enable
 

Configuring an Idle Timeout

Set an idle timeout for individual users behind hardware clients by entering the user-authentication-idle-timeout command in group-policy configuration mode. If there is no communication activity by a user behind a hardware client in the idle timeout period, the ASA terminates the client’s access:

hostname(config-group-policy)# user-authentication-idle-timeout {minutes | none}
hostname(config-group-policy)# no user-authentication-idle-timeout
 
note.gif

Noteblank.gif This timer terminates only the client’s access through the VPN tunnel, not the VPN tunnel itself.

The idle timeout indicated in response to the show uauth command is always the idle timeout value of the user who authenticated the tunnel on the Cisco Easy VPN remote device.


The minutes parameter specifies the number of minutes in the idle timeout period. The minimum is 1 minute, the default is 30 minutes, and the maximum is 35791394 minutes.

To delete the idle timeout value, enter the no form of this command. This option allows inheritance of an idle timeout value from another group policy.

To prevent inheriting an idle timeout value, enter the user-authentication-idle-timeout command with the none keyword. This command sets the idle timeout with a null value, which disallows an idle timeout and prevents inheriting an user authentication idle timeout value from a default or specified group policy.

The following example shows how to set an idle timeout value of 45 minutes for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# user-authentication-idle-timeout 45
 

Configuring IP Phone Bypass

You can allow Cisco IP phones to bypass individual user authentication behind a hardware client. To enable IP Phone Bypass, enter the ip-phone-bypass command with the enable keyword in group-policy configuration mode. IP Phone Bypass lets IP phones behind hardware clients connect without undergoing user authentication processes. IP Phone Bypass is disabled by default. If enabled, secure unit authentication remains in effect.

To disable IP Phone Bypass, enter the disable keyword. To remove the IP phone Bypass attribute from the running configuration, enter the no form of this command. This option allows inheritance of a value for IP Phone Bypass from another group policy:

hostname(config-group-policy)# ip-phone-bypass {enable | disable}
hostname(config-group-policy)# no ip-phone-bypass
 
note.gif

Noteblank.gif You must configure mac-exempt to exempt the clients from authentication. Refer to the “Configuring Device Pass-Through” section on page 71-8 for more information.


Configuring LEAP Bypass

When LEAP Bypass is enabled, LEAP packets from wireless devices behind a VPN 3002 hardware client travel across a VPN tunnel prior to user authentication. This action lets workstations using Cisco wireless access point devices establish LEAP authentication and then authenticate again per user authentication. LEAP Bypass is disabled by default.

To allow LEAP packets from Cisco wireless access points to bypass individual users authentication, enter the leap-bypass command with the enable keyword in group-policy configuration mode. To disable LEAP Bypass, enter the disable keyword. To remove the LEAP Bypass attribute from the running configuration, enter the no form of this command. This option allows inheritance of a value for LEAP Bypass from another group policy:

hostname(config-group-policy)# leap-bypass {enable | disable}
hostname(config-group-policy)# no leap-bypass
 
note.gif

Noteblank.gif IEEE 802.1X is a standard for authentication on wired and wireless networks. It provides wireless LANs with strong mutual authentication between clients and authentication servers, which can provide dynamic per-user, per session wireless encryption privacy (WEP) keys, removing administrative burdens and security issues that are present with static WEP keys.

Cisco Systems has developed an 802.1X wireless authentication type called Cisco LEAP. LEAP (Lightweight Extensible Authentication Protocol) implements mutual authentication between a wireless client on one side of a connection and a RADIUS server on the other side. The credentials used for authentication, including a password, are always encrypted before they are transmitted over the wireless medium.

Cisco LEAP authenticates wireless clients to RADIUS servers. It does not include RADIUS accounting services.


This feature does not work as intended if you enable interactive hardware client authentication.

caut.gif

Caution blank.gif There might be security risks to your network in allowing any unauthenticated traffic to traverse the tunnel.

The following example shows how to set LEAP Bypass for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# leap-bypass enable
 

Enabling Network Extension Mode

Network extension mode lets hardware clients present a single, routable network to the remote private network over the VPN tunnel. IPsec encapsulates all traffic from the private network behind the hardware client to networks behind the ASA. PAT does not apply. Therefore, devices behind the ASA have direct access to devices on the private network behind the hardware client over the tunnel, and only over the tunnel, and vice versa. The hardware client must initiate the tunnel, but after the tunnel is up, either side can initiate data exchange.

Enable network extension mode for hardware clients by entering the nem command with the enable keyword in group-policy configuration mode:

hostname(config-group-policy)# nem {enable | disable}
hostname(config-group-policy)# no nem
 

To disable NEM, enter the disable keyword. To remove the NEM attribute from the running configuration, enter the no form of this command. This option allows inheritance of a value from another group policy.

The following example shows how to set NEM for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# nem enable
 

Configuring Backup Server Attributes

Configure backup servers if you plan on using them. IPsec backup servers let a VPN client connect to the central site when the primary ASA is unavailable.When you configure backup servers, the ASA pushes the server list to the client as the IPsec tunnel is established. Backup servers do not exist until you configure them, either on the client or on the primary ASA.

Configure backup servers either on the client or on the primary ASA. If you configure backup servers on the ASA, it pushes the backup server policy to the clients in the group, replacing the backup server list on the client if one is configured.

note.gif

Noteblank.gif If you are using hostnames, it is wise to have backup DNS and WINS servers on a separate network from that of the primary DNS and WINS servers. Otherwise, if clients behind a hardware client obtain DNS and WINS information from the hardware client via DHCP, and the connection to the primary server is lost, and the backup servers have different DNS and WINS information, clients cannot be updated until the DHCP lease expires. In addition, if you use hostnames and the DNS server is unavailable, significant delays can occur.


To configure backup servers, enter the backup-servers command in group-policy configuration mode:

hostname(config-group-policy)# backup-servers {server1 server2... server10 | clear-client-config | keep-client-config}
 

To remove a backup server, enter the no form of this command with the backup server specified. To remove the backup-servers attribute from the running configuration and enable inheritance of a value for backup-servers from another group policy, enter the no form of this command without arguments.

hostname(config-group-policy)# no backup-servers [server1 server2... server10 | clear-client-config | keep-client-config]
 

The clear-client-config keyword specifies that the client uses no backup servers. The ASA pushes a null server list.

The keep-client-config keyword specifies that the ASA sends no backup server information to the client. The client uses its own backup server list, if configured. This is the default.

The server1 server 2.... server10 parameter list is a space-delimited, priority-ordered list of servers for the VPN client to use when the primary ASA is unavailable. This list identifies servers by IP address or hostname. The list can be 500 characters long, and it can contain up to10 entries.

The following example shows how to configure backup servers with IP addresses 10.10.10.1 and 192.168.10.14, for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# backup-servers 10.10.10.1 192.168.10.14
 

Configuring Browser Client Parameters

The following commands configure the proxy server parameters for a client.


Step 1blank.gif Configure a browser proxy server and port for a client device by entering the msie-proxy server command in group-policy configuration mode:

hostname(config-group-policy)# msie-proxy server {value server[:port] | none}
hostname(config-group-policy)#
 

The default value is none. To remove the attribute from the configuration, use the no form of the command.

hostname(config-group-policy)# no msie-proxy server
hostname(config-group-policy)#
 

The line containing the proxy server IP address or hostname and the port number must be less than 100 characters long.

The following example shows how to configure the IP address 192.168.10.1 as a Microsoft Internet Explorer proxy server, using port 880, for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# msie-proxy server value 192.168.21.1:880
hostname(config-group-policy)#
 

Step 2blank.gif Configure the browser proxy actions (“methods”) for a client device by entering the msie-proxy method command in group-policy configuration mode.

hostname(config-group-policy)# msie-proxy method [auto-detect | no-modify | no-proxy | use-server]
hostname(config-group-policy)#
 

The default value is use-server. To remove the attribute from the configuration, use the no form of the command.

hostname(config-group-policy)# no msie-proxy method [auto-detect | no-modify | no-proxy | use-server]
hostname(config-group-policy)#
 

The available methods are as follows:

    • auto-detect —Enables the use of automatic proxy server detection in the browser for the client device.
    • no-modify —Leaves the HTTP browser proxy server setting in the browser unchanged for this client device.
    • no-proxy— Disables the HTTP proxy setting in the browser for the client device.
    • use-server— Sets the HTTP proxy server setting in the browser to use the value configured in the msie-proxy server command.

The line containing the proxy server IP address or hostname and the port number must be less than 100 characters long.

The following example shows how to configure auto-detect as the browser proxy setting for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# msie-proxy method auto-detect
hostname(config-group-policy)#
 

The following example configures the proxy setting for the group policy named FirstGroup to use the server QAserver, port 1001 as the server for the client device:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# msie-proxy server QAserver:port 1001
hostname(config-group-policy)# msie-proxy method use-server
hostname(config-group-policy)#
 

Step 3blank.gif Configure browser proxy exception list settings for a local bypass on the client device by entering the msie-proxy except-list command in group-policy configuration mode. These addresses are not accessed by a proxy server. This list corresponds to the Exceptions box in the Proxy Settings dialog box.

hostname(config-group-policy)# msie-proxy except-list {value server[:port] | none}
hostname(config-group-policy)#
 

To remove the attribute from the configuration, use the no form of the command.

hostname(config-group-policy)# no msie-proxy except-list
hostname(config-group-policy)#
 
    • value server:port— Specifies the IP address or name of an MSIE server and port that is applied for this client device. The port number is optional.
    • none— Indicates that there is no IP address/hostname or port and prevents inheriting an exception list.

By default, msie-proxy except-list is disabled.

The line containing the proxy server IP address or hostname and the port number must be less than 100 characters long.

The following example shows how to set a browser proxy exception list, consisting of the server at IP address 192.168.20.1, using port 880, for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# msie-proxy except-list value 192.168.20.1:880
hostname(config-group-policy)#
 

Step 4blank.gif Enable or disable browser proxy local-bypass settings for a client device by entering the msie-proxy local-bypass command in group-policy configuration mode.

hostname(config-group-policy)# msie-proxy local-bypass {enable | disable}
hostname(config-group-policy)#
 

To remove the attribute from the configuration, use the no form of the command.

hostname(config-group-policy)# no msie-proxy local-bypass {enable | disable}
hostname(config-group-policy)#
 

By default, msie-proxy local-bypass is disabled.

The following example shows how to enable browser proxy local-bypass for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# msie-proxy local-bypass enable
hostname(config-group-policy)#
 


 

Configuring Network Admission Control Parameters

The group-policy NAC commands in this section all have default values. Unless you have a good reason for changing them, accept the default values for these parameters.

The security appliance uses Extensible Authentication Protocol (EAP) over UDP (EAPoUDP) messaging to validate the posture of remote hosts. Posture validation involves the checking of a remote host for compliancy with safety requirements before the assignment of a network access policy. An Access Control Server must be configured for Network Admission Control before you configure NAC on the security appliance.

The Access Control Server downloads the posture token, an informational text string configurable on the ACS, to the security appliance to aid in system monitoring, reporting, debugging, and logging. A typical posture token is Healthy, Checkup, Quarantine, Infected, or Unknown. Following posture validation or clientless authentication, the ACS downloads the access policy for the session to the security appliance.

The following parameters let you configure Network Admission Control settings for the default group policy or an alternative group policy.


Step 1blank.gif ( Optional) Configure the status query timer period. The security appliance starts the status query timer after each successful posture validation and status query response. The expiration of this timer triggers a query for changes in the host posture, referred to as a status query. Enter the number of seconds in the range 30 through 1800. The default setting is 300.

To specify the interval between each successful posture validation in a Network Admission Control session and the next query for changes in the host posture, use the nac-sq-period command in group-policy configuration mode:

hostname(config-group-policy)# nac-sq-period seconds
hostname(config-group-policy)#
 

To inherit the value of the status query timer from the default group policy, access the alternative group policy from which to inherit it, then use the no form of this command:

hostname(config-group-policy)# no nac-sq-period [seconds]
hostname(config-group-policy)#
 

The following example changes the value of the status query timer to 1800 seconds:

hostname(config-group-policy)# nac-sq-period 1800
hostname(config-group-policy)
 

The following example inherits the value of the status query timer from the default group policy:

hostname(config-group-policy)# no nac-sq-period
hostname(config-group-policy)#
 

Step 2blank.gif ( Optional) Configure the NAC revalidation period. The security appliance starts the revalidation timer after each successful posture validation. The expiration of this timer triggers the next unconditional posture validation. The security appliance maintains posture validation during revalidation. The default group policy becomes effective if the Access Control Server is unavailable during posture validation or revalidation. Enter the interval in seconds between each successful posture validation. The range is 300 through 86400. The default setting is 36000.

To specify the interval between each successful posture validation in a Network Admission Control session, use the nac-reval-period command in group-policy configuration mode:

hostname(config-group-policy)# nac-reval-period seconds
hostname(config-group-policy)#
 

To inherit the value of the Revalidation Timer from the default group policy, access the alternative group policy from which to inherit it, then use the no form of this command:

hostname(config-group-policy)# no nac-reval-period [seconds]
hostname(config-group-policy)#
 

The following example changes the revalidation timer to 86400 seconds:

hostname(config-group-policy)# nac-reval-period 86400
hostname(config-group-policy)
 

The following example inherits the value of the revalidation timer from the default group policy:

hostname(config-group-policy)# no nac-reval-period
hostname(config-group-policy)#
 

Step 3blank.gif ( Optional) Configure the default ACL for NAC. The security appliance applies the security policy associated with the selected ACL if posture validation fails. Specify none or an extended ACL. The default setting is none. If the setting is none and posture validation fails, the security appliance applies the default group policy.

To specify the ACL to be used as the default ACL for Network Admission Control sessions that fail posture validation, use the nac-default-acl command in group-policy configuration mode:

hostname(config-group-policy)# nac-default-acl {acl-name | none}
hostname(config-group-policy)#
 

To inherit the ACL from the default group policy, access the alternative group policy from which to inherit it, then use the no form of this command:

hostname(config-group-policy)# no nac-default-acl [acl-name | none]
hostname(config-group-policy)#
 

The elements of this command are as follows:

    • acl-name— Specifies the name of the posture validation server group, as configured on the ASA using the aaa-server host command. The name must match the server-tag variable specified in that command.
    • none— Disables inheritance of the ACL from the default group policy and does not apply an ACL to NAC sessions that fail posture validation.

Because NAC is disabled by default, VPN traffic traversing the ASA is not subject to the NAC Default ACL until NAC is enabled.

The following example identifies acl-1 as the ACL to be applied when posture validation fails:

hostname(config-group-policy)# nac-default-acl acl-1
hostname(config-group-policy)
 

The following example inherits the ACL from the default group policy:

hostname(config-group-policy)# no nac-default-acl
hostname(config-group-policy)
 

The following example disables inheritance of the ACL from the default group policy and does not apply an ACL to NAC sessions that fail posture validation:

hostname(config-group-policy)# nac-default-acl none
hostname(config-group-policy)#
 

Step 4blank.gif Configure NAC exemptions for VPN. By default, the exemption list is empty.The default value of the filter attribute is none. Enter the vpn-nac-exempt once for each operating system (and ACL) to be matched to exempt remote hosts from posture validation.

To add an entry to the list of remote computer types that are exempt from posture validation, use the vpn-nac-exempt command in group-policy configuration mode.

hostname(config-group-policy)# vpn-nac-exempt os "os name" [filter {acl-name | none}] [disable]
hostname(config-group-policy)#
 

To disable inheritance and specify that all hosts are subject to posture validation, use the none keyword immediately following vpn-nac-exempt.

hostname(config-group-policy)# vpn-nac-exempt none
hostname(config-group-policy)#
 

To remove an entry from the exemption list, use the no form of this command and name the operating system (and ACL) in the entry to be removed.

hostname(config-group-policy)# no vpn-nac-exempt [os "os name"] [filter {acl-name | none}] [disable]
hostname(config-group-policy)#
 

To remove all entries from the exemption list associated with this group policy and inherit the list from the default group policy, use the no form of this command without specifying additional keywords.

hostname(config-group-policy)# no vpn-nac-exempt
hostname(config-group-policy)#
 

The syntax elements for these commands are as follows:

    • acl-name— Name of the ACL present in the ASA configuration.
    • disable—Disables the entry in the exemption list without removing it from the list.
    • filter —( Optional) filter to apply an ACL to filter the traffic if the computer matches the os name.
    • none— When entered immediately after vpn-nac-exempt, this keyword disables inheritance and specifies that all hosts will be subject to posture validation.When entered immediately after filter, this keyword indicates that the entry does not specify an ACL.
    • OS— Exempts an operating system from posture validation.
    • os name— Operating system name. Quotation marks are required only if the name includes a space (for example, “Windows XP”).

The following example adds all hosts running Windows XP to the list of computers that are exempt from posture validation:

hostname(config-group-policy)# vpn-nac-exempt os "Windows XP"
hostname(config-group-policy)
 

The following example exempts all hosts running Windows 98 that match an ACE in the ACL named acl-1:

hostname(config-group-policy)# vpn-nac-exempt os "Windows 98" filter acl-1
hostname(config-group-policy)
 

The following example adds the same entry to the exemption list, but disables it:

hostname(config-group-policy)# vpn-nac-exempt os "Windows 98" filter acl-1 disable
hostname(config-group-policy)
 

The following example removes the same entry from the exemption list, regardless of whether it is disabled:

hostname(config-group-policy)# no vpn-nac-exempt os "Windows 98" filter acl-1
hostname(config-group-policy)
 

The following example disables inheritance and specifies that all hosts will be subject to posture validation:

hostname(config-group-policy)# no vpn-nac-exempt none
hostname(config-group-policy)
 

The following example removes all entries from the exemption list:

hostname(config-group-policy)# no vpn-nac-exempt
hostname(config-group-policy)
 

Step 5blank.gif Enable or disable Network Admission Control by entering the following command:

hostname(config-group-policy)# nac {enable | disable}
hostname(config-group-policy)#
 

To inherit the NAC setting from the default group policy, access the alternative group policy from which to inherit it, then use the no form of this command:

hostname(config-group-policy)# no nac [enable | disable]
hostname(config-group-policy)#
 

By default, NAC is disabled. Enabling NAC requires posture validation for remote access. If the remote computer passes the validation checks, the ACS server downloads the access policy for the ASA to enforce. NAC is disabled by default.

An Access Control Server must be present on the network.

The following example enables NAC for the group policy:

hostname(config-group-policy)# nac enable
hostname(config-group-policy)#
 


 

Configuring Address Pools

Configure a list of address pools for allocating addresses to remote clients by entering the address-pools command in group-policy attributes configuration mode:

hostname(config-group-policy)# address-pools value address_pool1 [...address_pool6]
hostname(config-group-policy)#
 

The address-pools settings in this command override the local pool settings in the group. You can specify a list of up to six local address pools to use for local address allocation.

The order in which you specify the pools is significant. The ASA allocates addresses from these pools in the order in which the pools appear in this command.

To remove the attribute from the group policy and enable inheritance from other sources of group policy, use the no form of this command:

hostname(config-group-policy)# no address-pools value address_pool1 [...address_pool6]
hostname(config-group-policy)#
 

The command address-pools none disables this attribute from being inherited from other sources of policy, such as the DefaultGrpPolicy:

hostname(config-group-policy)# address-pools none
hostname(config-group-policy)#
 

The command no address pools none removes the address-pools none command from the configuration, restoring the default value, which is to allow inheritance.

hostname(config-group-policy)# no address-pools none

hostname(config-group-policy)#

The syntax elements of this command are as follows:

  • address_pool— Specifies the name of the address pool configured with the ip local pool command. You can specify up to 6 local address pools.
  • none— Specifies that no address pools are configured and disables inheritance from other sources of group policy.
  • value— Specifies a list of up to 6 address pools from which to assign addresses.

The following example entered in config-general configuration mode, configures pool 1 and pool20 as lists of address pools to use for allocating addresses to remote clients for GroupPolicy1:

hostname(config)# ip local pool pool 192.168.10.1-192.168.10.100 mask 255.255.0.0
hostname(config)# ip local pool pool20 192.168.20.1-192.168.20.200 mask 255.255.0.0
hostname(config)# group-policy GroupPolicy1 attributes
hostname(config-group-policy)# address-pools value pool1 pool20
hostname(config-group-policy)#
 

Configuring Firewall Policies

A firewall isolates and protects a computer from the Internet by inspecting each inbound and outbound individual packet of data to determine whether to allow or drop it. Firewalls provide extra security if remote users in a group have split tunneling configured. In this case, the firewall protects the user’s PC, and thereby the corporate network, from intrusions by way of the Internet or the user’s local LAN. Remote users connecting to the ASA with the VPN client can choose the appropriate firewall option.

Set personal firewall policies that the ASA pushes to the VPN client during IKE tunnel negotiation by using the client-firewall command in group-policy configuration mode. To delete a firewall policy, enter the no form of this command.

To delete all firewall policies, enter the no client-firewall command without arguments. This command deletes all configured firewall policies, including a null policy if you created one by entering the client-firewall command with the none keyword.

When there are no firewall policies, users inherit any that exist in the default or other group policy. To prevent users from inheriting such firewall policies, enter the client-firewall command with the none keyword.

The Add or Edit Group Policy window, Client Firewall tab, lets you configure firewall settings for VPN clients for the group policy being added or modified.

note.gif

Noteblank.gif Only VPN clients running Microsoft Windows can use these firewall features. They are currently not available to hardware clients or other (non-Windows) software clients.


In the first scenario, a remote user has a personal firewall installed on the PC. The VPN client enforces firewall policy defined on the local firewall, and it monitors that firewall to make sure it is running. If the firewall stops running, the VPN client drops the connection to the ASA. (This firewall enforcement mechanism is called Are You There (AYT), because the VPN client monitors the firewall by sending it periodic “are you there?” messages; if no reply comes, the VPN client knows the firewall is down and terminates its connection to the ASA.) The network administrator might configure these PC firewalls originally, but with this approach, each user can customize his or her own configuration.

In the second scenario, you might prefer to enforce a centralized firewall policy for personal firewalls on VPN client PCs. A common example would be to block Internet traffic to remote PCs in a group using split tunneling. This approach protects the PCs, and therefore the central site, from intrusions from the Internet while tunnels are established. This firewall scenario is called push policy or Central Protection Policy (CPP). On the ASA, you create a set of traffic management rules to enforce on the VPN client, associate those rules with a filter, and designate that filter as the firewall policy. The ASA pushes this policy down to the VPN client. The VPN client then in turn passes the policy to the local firewall, which enforces it.

Supporting a Zone Labs Integrity Server

This section introduces the Zone Labs Integrity server, also called the Check Point Integrity server, and presents an example procedure for configuring the ASA to support the Zone Labs Integrity server. The Integrity server is a central management station for configuring and enforcing security policies on remote PCs. If a remote PC does not conform to the security policy dictated by the Integrity server, it is not granted access to the private network protected by the Integrity server and ASA.

This section includes the following topics:

Overview of the Integrity Server and ASA Interaction

The VPN client software and the Integrity client software are co-resident on a remote PC. The following steps summarize the actions of the remote PC, ASA, and Integrity server in the establishment of a session between the PC and the enterprise private network:

1.blank.gif The VPN client software (residing on the same remote PC as the Integrity client software) connects to the ASA and tells the ASA what type of firewall client it is.

2.blank.gif After the ASA approves the client firewall type, the ASA passes Integrity server address information back to the Integrity client.

3.blank.gif With the ASA acting as a proxy, the Integrity client establishes a restricted connection with the Integrity server. A restricted connection is only between the Integrity client and the Integrity server.

4.blank.gif The Integrity server determines if the Integrity client is in compliance with the mandated security policies. If the Integrity client is in compliance with security policies, the Integrity server instructs the ASA to open the connection and provide the Integrity client with connection details.

5.blank.gif On the remote PC, the VPN client passes connection details to the Integrity client and signals that policy enforcement should begin immediately and the Integrity client can enter the private network.

6.blank.gif After the VPN connection is established, the Integrity server continues to monitor the state of the Integrity client using client heartbeat messages.

note.gif

Noteblank.gif The current release of the ASA supports one Integrity server at a time, even though the user interfaces support the configuration of up to five Integrity servers. If the active Integrity server fails, configure another one on the ASA and then reestablish the VPN client session.


Configuring Integrity Server Support

This section describes an example procedure for configuring the ASA to support the Zone Labs Integrity servers. The procedure involves configuring address, port, connection fail timeout and fail states, and SSL certificate parameters.

To configure the Integrity server, perform the following steps:

 

Command
Purpose

Step 1

zonelabs-Integrity server -address { hostname1 | ip-address1 }
 

hostname(config)# zonelabs-Integrity server-address 10.0.0.5

Configures an Integrity server using the IP address 10.0.0.5.

Step 2

zonelabs-integrity port port - number
 

hostname(config)# zonelabs-integrity port 300

Specifies port 300 (the default port is 5054).

Step 3

zonelabs-integrity interface interface

 

hostname(config)# zonelabs-integrity interface inside

Specifies the inside interface for communications with the Integrity server.

Step 4

zonelabs-integrity fail-timeout timeout
 

hostname(config)# zonelabs-integrity fail-timeout 12

Ensures that the ASA waits 12 seconds for a response from either the active or standby Integrity servers before declaring the Integrity server as failed and closing the VPN client connections.

Note If the connection between the ASA and the Integrity server fails, the VPN client connections remain open by default so that the enterprise VPN is not disrupted by the failure of an Integrity server. However, you may want to close the VPN connections if the Zone Labs Integrity server fails.

Step 5

zonelabs-integrity fail-close
 

hostname(config)# zonelabs-integrity fail-close

Configures the ASA so that connections to VPN clients close when the connection between the ASA and the Zone Labs Integrity server fails.

Step 6

zonelabs-integrity fail-open
 

hostname(config)# zonelabs-integrity fail-open

Returns the configured VPN client connection fail state to the default and ensures that the client connections remain open.

Step 7

zonelabs-integrity ssl-certificate-port cert-port-number
 

hostname(config)# zonelabs-integrity ssl-certificate-port 300

Specifies that the Integrity server connects to port 300 (the default is port 80) on the ASA to request the server SSL certificate.

Step 8

zonelabs-integrity ssl-client-authentication {enable | disable}
 

hostname(config)# zonelabs-integrity ssl-client-authentication enable

While the server SSL certificate is always authenticated, also specifies that the client SSL certificate of the Integrity server be authenticated.

To set the firewall client type to the Zone Labs Integrity type, enter the following command:

 

Command
Purpose
client-firewall {opt | req} zonelabs-integrity
 

hostname(config)# client-firewall req zonelabs-integrity

For more information, see the “Configuring Firewall Policies” section. The command arguments that specify firewall policies are not used when the firewall type is zonelabs-integrity, because the Integrity server determines these policies.

Setting Client Firewall Parameters

Enter the following commands to set the appropriate client firewall parameters. You can configure only one instance of each command. Table 67-4 lists the syntax elements of these commands. For more information, see the “Configuring Firewall Policies” section.

Cisco Integrated Firewall

hostname(config-group-policy)# client-firewall {opt | req} cisco-integrated acl-in ACL acl-out ACL
 

Cisco Security Agent

hostname(config-group-policy)# client-firewall {opt | req} cisco-security-agent
 

No Firewall

hostname(config-group-policy)# client-firewall none
 

Custom Firewall

hostname(config-group-policy)# client-firewall {opt | req} custom vendor-id num product-id num policy {AYT | CPP acl-in ACL acl-out ACL} [description string]
 

Zone Labs Firewalls

hostname(config-group-policy)# client-firewall {opt | req} zonelabs-integrity
note.gif

Noteblank.gif When the firewall type is zonelabs-integrity, do not include arguments. The Zone Labs Integrity Server determines the policies.


hostname(config-group-policy)# client-firewall {opt | req} zonelabs-zonealarm policy {AYT | CPP acl-in ACL acl-out ACL}
 
hostname(config-group-policy)# client-firewall {opt | req} zonelabs-zonealarmorpro policy {AYT | CPP acl-in ACL acl-out ACL}
 
client-firewall {opt | req} zonelabs-zonealarmpro policy {AYT | CPP acl-in ACL acl-out ACL}
 

Sygate Personal Firewalls

hostname(config-group-policy)# client-firewall {opt | req} sygate-personal
 
hostname(config-group-policy)# client-firewall {opt | req} sygate-personal-pro
 
hostname(config-group-policy)# client-firewall {opt | req} sygate-security-agent
 

Network Ice, Black Ice Firewall:

hostname(config-group-policy)# client-firewall {opt | req} networkice-blackice
 

 

Table 67-4 client-firewall Command Keywords and Variables

Parameter
Description

acl-in ACL

Provides the policy the client uses for inbound traffic.

acl-out ACL

Provides the policy the client uses for outbound traffic.

AYT

Specifies that the client PC firewall application controls the firewall policy. The ASA checks to make sure that the firewall is running. It asks, “Are You There?” If there is no response, the ASA tears down the tunnel.

cisco-integrated

Specifies Cisco Integrated firewall type.

cisco-security-agent

Specifies Cisco Intrusion Prevention Security Agent firewall type.

CPP

Specifies Policy Pushed as source of the VPN client firewall policy.

custom

Specifies Custom firewall type.

description string

Describes the firewall.

networkice-blackice

Specifies Network ICE Black ICE firewall type.

none

Indicates that there is no client firewall policy. Sets a firewall policy with a null value, thereby disallowing a firewall policy. Prevents inheriting a firewall policy from a default or specified group policy.

opt

Indicates an optional firewall type.

product-id

Identifies the firewall product.

req

Indicates a required firewall type.

sygate-personal

Specifies the Sygate Personal firewall type.

sygate-personal-pro

Specifies Sygate Personal Pro firewall type.

sygate-security-agent

Specifies Sygate Security Agent firewall type.

vendor-id

Identifies the firewall vendor.

zonelabs-integrity

Specifies Zone Labs Integrity Server firewall type.

zonelabs-zonealarm

Specifies Zone Labs Zone Alarm firewall type.

zonelabs-zonealarmorpro policy

Specifies Zone Labs Zone Alarm or Pro firewall type.

zonelabs-zonealarmpro policy

Specifies Zone Labs Zone Alarm Pro firewall type.

The following example shows how to set a client firewall policy that requires Cisco Intrusion Prevention Security Agent for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# client-firewall req cisco-security-agent
hostname(config-group-policy)#
 

Configuring Client Access Rules

Configure rules that limit the remote access client types and versions that can connect via IPsec through the ASA by using the client-access-rule command in group-policy configuration mode. Construct rules according to these guidelines:

  • If you do not define any rules, the ASA permits all connection types.
  • When a client matches none of the rules, the ASA denies the connection. If you define a deny rule, you must also define at least one permit rule; otherwise, the ASA denies all connections.
  • For both software and hardware clients, type and version must exactly match their appearance in the show vpn-sessiondb remote display.
  • The * character is a wildcard, which you can enter multiple times in each rule. For example, client-access rul e 3 deny type * version 3.* creates a priority 3 client access rule that denies all client types running release versions 3.x software.
  • You can construct a maximum of 25 rules per group policy.
  • There is a limit of 255 characters for an entire set of rules.
  • You can enter n/a for clients that do not send client type and/or version.

To delete a rule, enter the no form of this command. This command is equivalent to the following command:

hostname(config-group-policy)# client-access-rule 1 deny type "Cisco VPN Client" version 4.0
 

To delete all rules, enter the no client-access-rule command without arguments. This deletes all configured rules, including a null rule if you created one by issuing the client-access-rule command with the none keyword.

By default, there are no access rules. When there are no client access rules, users inherit any rules that exist in the default group policy.

To prevent users from inheriting client access rules, enter the client-access-rule command with the none keyword. The result of this command is that all client types and versions can connect.

hostname(config-group-policy)# client-access rule priority {permit | deny} type type version {version | none}
 
hostname(config-group-policy)# no client-access rule [priority {permit | deny} type type version version]
 

Table 67-5 explains the meaning of the keywords and parameters in these commands.

 

Table 67-5 client-access rule Command Keywords and Variables

Parameter
Description

deny

Denies connections for devices of a particular type and/or version.

none

Allows no client access rules. Sets client-access-rule to a null value, thereby allowing no restriction. Prevents inheriting a value from a default or specified group policy.

permit

Permits connections for devices of a particular type and/or version.

priority

Determines the priority of the rule. The rule with the lowest integer has the highest priority. Therefore, the rule with the lowest integer that matches a client type and/or version is the rule that applies. If a lower priority rule contradicts, the ASA ignores it.

type type

Identifies device types via free-form strings, for example VPN 3002. A string must match exactly its appearance in the show vpn-sessiondb remote display, except that you can enter the * character as a wildcard.

version version

Identifies the device version via free-form strings, for example 7.0. A string must match exactly its appearance in the show vpn-sessiondb remote display, except that you can enter the * character as a wildcard.

The following example shows how to create client access rules for the group policy named FirstGroup. These rules permit Cisco VPN clients running software version 4.x, while denying all Windows NT clients:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# client-access-rule 1 deny type WinNT version *
hostname(config-group-policy)# client-access-rule 2 permit “Cisco VPN Client” version 4.*
 
note.gif

Noteblank.gif The “type” field is a free-form string that allows any value, but that value must match the fixed value that the client sends to the ASA at connect time.


Configuring Group-Policy Attributes for Clientless SSL VPN Sessions

Clientless SSL VPN lets users establish a secure, remote-access VPN tunnel to the ASA using a web browser. There is no need for either a software or hardware client. Clientless SSL VPN provides easy access to a broad range of web resources and web-enabled applications from almost any computer that can reach HTTPS Internet sites. Clientless SSL VPN uses SSL and its successor, TLS1, to provide a secure connection between remote users and specific, supported internal resources that you configure at a central site. The ASA recognizes connections that need to be proxied, and the HTTP server interacts with the authentication subsystem to authenticate users. By default, clientless SSL VPN is disabled.

You can customize a configuration of clientless SSL VPN for specific internal group policies.

note.gif

Noteblank.gif The webvpn mode that you enter from global configuration mode lets you configure global settings for clientless SSL VPN sessions. The webvpn mode described in this section, which you enter from group-policy configuration mode, lets you customize a configuration of group policies specifically for clientless SSL VPN sessions.


In group-policy webvpn configuration mode, you can specify whether to inherit or customize the following parameters, each of which is described in the subsequent sections:

  • customizations
  • html-content-filter
  • homepage
  • filter
  • url-list
  • port-forward
  • port-forward-name
  • sso server (single-signon server)
  • auto-signon
  • deny message
  • AnyConnect Secure Mobility Client
  • keep-alive ignore
  • HTTP compression

In many instances, you define the webvpn attributes as part of configuring clientless SSL VPN, then you apply those definitions to specific groups when you configure the group-policy webvpn attributes. Enter group-policy webvpn configuration mode by using the webvpn command in group-policy configuration mode. Webvpn commands for group policies define access to files, URLs and TCP applications over clientless SSL VPN sessions. They also identify ACLs and types of traffic to filter. Clientless SSL VPN is disabled by default. See the description of Chapter 74, “Configuring Clientless SSL VPN” for more information about configuring the attributes for clientless SSL VPN sessions.

To remove all commands entered in group-policy webvpn configuration mode, enter the no form of this command. These webvpn commands apply to the username or group policy from which you configure them.

hostname(config-group-policy)# webvpn
hostname(config-group-policy)# no webvpn
 

The following example shows how to enter group-policy webvpn configuration mode for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)#
 

Applying Customization

Customizations determine the appearance of the windows that the user sees upon login. You configure the customization parameters as part of configuring clientless SSL VPN. To apply a previously defined web-page customization to change the look-and-feel of the web page that the user sees at login, enter the customization command in group-policy webvpn configuration mode:

hostname(config-group-webvpn)# customization customization_name
hostname(config-group-webvpn)#
 

For example, to use the customization named blueborder, enter the following command:

hostname(config-group-webvpn)# customization blueborder
hostname(config-group-webvpn)#
 

You configure the customization itself by entering the customization command in webvpn mode.

The following example shows a command sequence that first establishes a customization named 123 that defines a password prompt. The example then defines a group policy named testpolicy and uses the customization command to specify the use of the customization named 123 for clientless SSL VPN sessions:

hostname(config)# webvpn
hostname(config-webvpn)# customization 123
hostname(config-webvpn-custom)# password-prompt Enter password
hostname(config-webvpn)# exit
hostname(config)# group-policy testpolicy nopassword
hostname(config)# group-policy testpolicy attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# customization value 123
hostname(config-group-webvpn)#
 

Specifying a “Deny” Message

You can specify the message delivered to a remote user who logs into a clientless SSL VPN session successfully, but has no VPN privileges, by entering the deny-message command in group-policy webvpn configuration mode:

hostname(config-group-webvpn)# deny-message value "message"
hostname(config-group-webvpn)# no deny-message value "message"
hostname(config-group-webvpn)# deny-message none
 

The no deny-message value command removes the message string, so that the remote user does not receive a message.

The no deny-message none command removes the attribute from the connection profile policy configuration. The policy inherits the attribute value.

The message can be up to 491 alphanumeric characters long, including special characters, spaces, and punctuation, but not counting the enclosing quotation marks. The text appears on the remote user’s browser upon login. When typing the string in the deny-message value command, continue typing even if the command wraps.

The default deny message is: “Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.”

The first command in the following example creates an internal group policy named group2. The subsequent commands modify the attributes, including the webvpn deny message associated with that policy.

hostname(config)# group-policy group2 internal
hostname(config)# group-policy group2 attributes
hostname(config-group)# webvpn
hostname(config-group-webvpn)# deny-message value "Your login credentials are OK. However, you have not been granted rights to use the VPN features. Contact your administrator for more information."
hostname(config-group-webvpn)

Configuring Group-Policy Filter Attributes for Clientless SSL VPN Sessions

Specify whether to filter Java, ActiveX, images, scripts, and cookies from clientless SSL VPN sessions for this group policy by using the html-content-filter command in webvpn mode. HTML filtering is disabled by default.

To remove a content filter, enter the no form of this command. To remove all content filters, including a null value created by issuing the html-content-filter command with the none keyword, enter the no form of this command without arguments. The no option allows inheritance of a value from another group policy. To prevent inheriting an html content filter, enter the html-content-filter command with the none keyword.

Using the command a second time overrides the previous setting.

hostname(config-group-webvpn)# html-content-filter {java | images | scripts | cookies | none}
 
hostname(config-group-webvpn)# no html-content-filter [java | images | scripts | cookies | none]
 

Table 67-6 describes the meaning of the keywords used in this command.

 

Table 67-6 filter Command Keywords

Keyword
Meaning

cookies

Removes cookies from images, providing limited ad filtering and privacy.

images

Removes references to images (removes <IMG> tags).

java

Removes references to Java and ActiveX (removes <EMBED>, <APPLET>, and <OBJECT> tags).

none

Indicates that there is no filtering. Sets a null value, thereby disallowing filtering. Prevents inheriting filtering values.

scripts

Removes references to scripting (removes <SCRIPT> tags).

The following example shows how to set filtering of JAVA and ActiveX, cookies, and images for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# html-content-filter java cookies images
hostname(config-group-webvpn)#

Specifying the User Home Page

Specify a URL for the web page that displays when a user in this group logs in by using the homepage command in group-policy webvpn configuration mode. There is no default home page.

To remove a configured home page, including a null value created by issuing the homepage none command, enter the no form of this command. The no option allows inheritance of a value from another group policy. To prevent inheriting a home page, enter the homepage none command.

The none keyword indicates that there is no home page for clientless SSL VPN sessions. It sets a null value, thereby disallowing a home page and prevents inheriting an home page.

The url-string variable following the keyword value provides a URL for the home page. The string must begin with either http:// or https://.

hostname(config-group-webvpn)# homepage {value url-string | none}
hostname(config-group-webvpn)# no homepage
hostname(config-group-webvpn)#

Configuring Auto-Signon

The auto-signon command is a single sign-on method for users of clientless SSL VPN sessions. It passes the login credentials (username and password) to internal servers for authentication using NTLM authentication, basic authentication, or both. Multiple auto-signon commands can be entered and are processed according to the input order (early commands take precedence).

You can use the auto-signon feature in three modes: webvpn configuration, webvpn group configuration, or webvpn username configuration mode. The typical precedence behavior applies where username supersedes group, and group supersedes global. The mode you choose depends upon the desired scope of authentication.

To disable auto-signon for a particular user to a particular server, use the no form of the command with the original specification of IP block or URI. To disable authentication to all servers, use the no form without arguments. The no option allows inheritance of a value from the group policy.

The following example, entered in group-policy webvpn configuration mode, configures auto-signon for the user named anyuser, using basic authentication, to servers with IP addresses ranging from 10.1.1.0 to 10.1.1.255:

The following example commands configure auto-signon for users of clientless SSL VPN sessions, using either basic or NTLM authentication, to servers defined by the URI mask https://*.example.com/*:

hostname(config)# group-policy ExamplePolicy attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# auto-signon allow uri https://*.example.com/* auth-type all
hostname(config-group-webvpn)#
 

The following example commands configure auto-signon for users of clientless SSL VPN sessions, using either basic or NTLM authentication, to the server with the IP address 10.1.1.0, using subnet mask 255.255.255.0:

hostname(config)# group-policy ExamplePolicy attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# auto-signon allow ip 10.1.1.0 255.255.255.0 auth-type all
hostname(config-group-webvpn)#
 

Specifying the Access List for Clientless SSL VPN Sessions

Specify the name of the access list to use for clientless SSL VPN sessions for this group policy or username by using the filter command in webvpn mode. Clientless SSL VPN access lists do not apply until you enter the filter command to specify them.

To remove the access list, including a null value created by issuing the filter none command, enter the no form of this command. The no option allows inheritance of a value from another group policy. To prevent inheriting filter values, enter the filter value none command.

Access lists for clientless SSL VPN sessions do not apply until you enter the filter command to specify them.

You configure ACLs to permit or deny various types of traffic for this group policy. You then enter the filter command to apply those ACLs for clientless SSL VPN traffic.

hostname(config-group-webvpn)# filter {value ACLname | none}
hostname(config-group-webvpn)# no filter
 

The none keyword indicates that there is no webvpntype access list. It sets a null value, thereby disallowing an access list and prevents inheriting an access list from another group policy.

The ACLname string following the keyword value provides the name of the previously configured access list.

note.gif

Noteblank.gif Clientless SSL VPN sessions do not use ACLs defined in the vpn-filter command.


The following example shows how to set a filter that invokes an access list named acl_in for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# filter acl_in
hostname(config-group-webvpn)#

Applying a URL List

You can specify a list of URLs to appear on the clientless SSL VPN home page for a group policy. First, you must create one or more named lists by entering the url-list command in global configuration mode. To apply a list of servers and URLs for clientless SSL VPN sessions to a particular group policy, allowing access to the URLs in a list for a specific group policy, use the name of the list or lists you create there with the url-list command in group-policy webvpn configuration mode. There is no default URL list.

To remove a list, including a null value created by using the url-list none command, use the no form of this command. The no option allows inheritance of a value from another group policy. To prevent inheriting a URL list, use the url-list none command. Using the command a second time overrides the previous setting:

hostname(config-group-webvpn)# url-list {value name | none} [index]
hostname(config-group-webvpn)# no url-list
 

Table 67-7 shows the url-list command parameters and their meanings.

 

Table 67-7 url-list Command Keywords and Variables

Parameter
Meaning

index

Indicates the display priority on the home page.

none

Sets a null value for url lists. Prevents inheriting a list from a default or specified group policy.

value name

Specifies the name of a previously configured list of urls. To configure such a list, use the url-list command in global configuration mode.

The following example sets a URL list called FirstGroupURLs for the group policy named FirstGroup and specifies that this should be the first URL list displayed on the homepage:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# url-list value FirstGroupURLs 1
hostname(config-group-webvpn)#
 

Enabling ActiveX Relay for a Group Policy

ActiveX Relay lets a user who has established a Clientless SSL VPN session use the browser to launch Microsoft Office applications. The applications use the session to download and upload Microsoft Office documents. The ActiveX relay remains in force until the Clientless SSL VPN session closes.

To enable or disable ActiveX controls on Clientless SSL VPN sessions, enter the following command in group-policy webvpn configuration mode:

activex-relay { enable | disable }

To inherit the activex-relay command from the default group policy, enter the following command:

no activex-relay

The following commands enable ActiveX controls on clientless SSL VPN sessions associated with a given group policy:

hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# activex-relay enable
hostname(config-group-webvpn)
 

Enabling Application Access on Clientless SSL VPN Sessions for a Group Policy

To enable application access for this group policy, enter the port-forward command in group-policy webvpn configuration mode. Port forwarding is disabled by default.

Before you can enter the port-forward command in group-policy webvpn configuration mode to enable application access, you must define a list of applications that you want users to be able to use in a clientless SSL VPN session. Enter the port-forward command in global configuration mode to define this list.

To remove the port forwarding attribute from the group-policy configuration, including a null value created by issuing the port-forward none command, enter the no form of this command. The no option allows inheritance of a list from another group policy. To prevent inheriting a port forwarding list, enter the port-forward command with the none keyword. The none keyword indicates that there is no filtering. It sets a null value, thereby disallowing a filtering, and prevents inheriting filtering values.

The syntax of the command is as follows:

hostname(config-group-webvpn)# port-forward {value listname | none}
hostname(config-group-webvpn)# no port-forward
 

The listname string following the keyword value identifies the list of applications users of clientless SSL VPN sessions can access. Enter the port-forward command in webvpn configuration mode to define the list.

Using the command a second time overrides the previous setting.

The following example shows how to set a port-forwarding list called ports1 for the internal group policy named FirstGroup:

hostname(config)# group-policy FirstGroup internal attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# port-forward value ports1
hostname(config-group-webvpn)#

Configuring the Port-Forwarding Display Name

Configure the display name that identifies TCP port forwarding to end users for a particular user or group policy by using the port-forward-name command in group-policy webvpn configuration mode. To delete the display name, including a null value created by using the port-forward-name none command, enter the no form of the command. The no option restores the default name, Application Access. To prevent a display name, enter the port-forward none command. The syntax of the command is as follows:

hostname(config-group-webvpn)# port-forward-name {value name | none}
hostname(config-group-webvpn)# no port-forward-name
 

The following example shows how to set the name, Remote Access TCP Applications, for the internal group policy named FirstGroup :

hostname(config)# group-policy FirstGroup internal attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# port-forward-name value Remote Access TCP Applications
hostname(config-group-webvpn)#

Configuring the Maximum Object Size to Ignore for Updating the Session Timer

Network devices exchange short keepalive messages to ensure that the virtual circuit between them is still active. The length of these messages can vary. The keep-alive-ignore command lets you tell the ASA to consider all messages that are less than or equal to the specified size as keepalive messages and not as traffic when updating the session timer. The range is 0 through 900 KB. The default is 4 KB.

To specify the upper limit of the HTTP/HTTPS traffic, per transaction, to ignore, use the keep-alive-ignore command in group-policy attributes webvpn configuration mode:

hostname(config-group-webvpn)# keep-alive-ignore size
hostname(config-group-webvpn)#
 
The no form of the command removes this specification from the configuration:
hostname(config-group-webvpn)# no keep-alive-ignore
hostname(config-group-webvpn)#
 

The following example sets the maximum size of objects to ignore as 5 KB:

hostname(config-group-webvpn)# keep-alive-ignore 5
hostname(config-group-webvpn)#
 

Specifying HTTP Compression

Enable compression of http data over a clientless SSL VPN session for a specific group or user by entering the http-comp command in the group policy webvpn mode.

hostname(config-group-webvpn)# http-comp {gzip | none}
hostname(config-group-webvpn)#
 

To remove the command from the configuration and cause the value to be inherited, use the no form of the command:

hostname(config-group-webvpn)# no http-comp {gzip | none}
hostname(config-group-webvpn)#
 

The syntax of this command is as follows:

  • gzip— Specifies compression is enabled for the group or user. This is the default value.
  • none— Specifies compression is disabled for the group or user.

For clientless SSL VPN sessions, the compression command configured from global configuration mode overrides the http-comp command configured in group policy and username webvpn modes.

In the following example, compression is disabled for the group-policy sales:

hostname(config)# group-policy sales attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# http-comp none
hostname(config-group-webvpn)#

Specifying the SSO Server

Single sign-on support, available only for clientless SSL VPN sessions, lets users access different secure services on different servers without reentering a username and password more than once. The sso-server value command, when entered in group-policy-webvpn mode, lets you assign an SSO server to a group policy.

To assign an SSO server to a group policy, use the sso-server value command in group-policy-webvpn configuration mode. This command requires that your configuration include CA SiteMinder command.

hostname(config-group-webvpn)# sso-server value server_name
hostname(config-group-webvpn)#
 

To remove the assignment and use the default policy, use the no form of this command. To prevent inheriting the default policy, use the sso-server none command.

hostname(config-group-webvpn)# sso-server {value server_name | none}
hostname(config-group-webvpn)# [no] sso-server value server_name
 

The default policy assigned to the SSO server is DfltGrpPolicy.

The following example creates the group policy “my-sso-grp-pol” and assigns it to the SSO server named “example”:

hostname(config)# group-policy my-sso-grp-pol internal
hostname(config)# group-policy my-sso-grp-pol attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# sso-server value example
hostname(config-group-webvpn)#
 

Configuring Group-Policy Attributes for AnyConnect Secure Mobility Client Connections

After enabling AnyConnect client connections as described in Chapter 75, “Configuring AnyConnect VPN Client Connections”, you can enable or require AnyConnect features for a group policy. Follow these steps in group-policy webvpn configuration mode:


Step 1blank.gif Enter group policy webvpn configuration mode. For example:

hostname(config)# group-policy sales attributes
hostname(config-group-policy)# webvpn
 

Step 2blank.gif To disable the permanent installation of the AnyConnect client on the endpoint computer, use the anyconnect keep-installer command with the none keyword. For example:

hostname(config-group-webvpn)# anyconnect keep-installer none
hostname(config-group-webvpn)#
 

The default is that permanent installation of the client is enabled. The client remains installed on the endpoint at the end of the AnyConnect session.

Step 3blank.gif To enable compression of HTTP data over an AnyConnect SSL connection for the group policy, enter the anyconnect ssl compression command. By default, compression is set to none (disabled). To enable compression, use the deflate keyword. For example:

hostname(config-group-webvpn)# anyconnect compression deflate
hostname(config-group-webvpn)#
 

Step 4blank.gif To enable dead peer detection (DPD) on the ASA and to set the frequency with which either the AnyConnect client or the ASA performs DPD, use the anyconnect dpd-interval command:

anyconnect dpd-interval {[ gateway { seconds | none }] | [ client { seconds | none }]}

By default, both the ASA and the AnyConnect client perform DPD every 30 seconds.

The gateway refers to the ASA. You can specify the frequency with which the ASA performs the DPD test as a range of from 30 to 3600 seconds (1 hour). Specifying none disables the DPD testing that the ASA performs. A value of 300 is recommended.

The client refers to the AnyConnect client. You can specify the frequency with which the client performs the DPD test as a range of from 30 to 3600 seconds (1 hour). Specifying none disables the DPD testing that the client performs. A value of 30 is recommended.

The following example configures the DPD frequency performed by the ASA (gateway) to 300 seconds, and the DPD frequency performed by the client to 30 seconds:

hostname(config-group-webvpn)# anyconnect dpd-interval gateway 300
hostname(config-group-webvpn)# anyconnect dpd-interval client 30
hostname(config-group-webvpn)#
 

Step 5blank.gif You can ensure that an AnyConnect connection through a proxy, firewall, or NAT device remains open, even if the device limits the time that the connection can be idle by adjusting the frequency of keepalive messages using the anyconnect ssl keepalive comand:

anyconnect ssl keepalive {none | seconds }

Adjusting keepalives also ensures the AnyConnect client does not disconnect and reconnect when the remote user is not actively running a socket-based application, such as Microsoft Outlook or Microsoft Internet Explorer.

The following example configures the security appliance to enable the AnyConnect client to send keepalive messages, with a frequency of 300 seconds (5 minutes):

hostname(config-group-webvpn)# anyconnect ssl keepalive 300
hostname(config-group-webvpn)#
 

Step 6blank.gif To enable the AnyConnect client to perform a re-key on an SSL session, use the anyconnect ssl rekey command:

anyconnect ssl rekey { method { ssl | new-tunnel } | time minutes | none }}

By default, re-key is disabled.

Specifying the method as new-tunnel specifies that the AnyConnect client establishes a new tunnel during SSL re-key. Specifying the method as none disables re-key. Specifying the method as ssl specifies that SSL renegotiation takes place during re-key. Instead of specifying the method, you can specify the time; that is, the number of minutes from the start of the session until the re-key takes place, from 1 through 10080 (1 week).

The following example configures the AnyConnect client to renegotiate with SSL during re-key and configures the re-key to occur 30 minutes after the session begins:

hostname(config-group-webvpn)# anyconnect ssl rekey method ssl
hostname(config-group-webvpn)# anyconnect ssl rekey time 30
hostname(config-group-webvpn)#
 


 

Configuring User Attributes

This section describes user attributes and how to configure them. It includes the following sections:

By default, users inherit all user attributes from the assigned group policy. The ASA also lets you assign individual attributes at the user level, overriding values in the group policy that applies to that user. For example, you can specify a group policy giving all users access during business hours, but give a specific user 24-hour access.

Viewing the Username Configuration

To display the configuration for all usernames, including default values inherited from the group policy, enter the all keyword with the show running-config username command, as follows:

hostname# show running-config all username
hostname#
 

This displays the encrypted password and the privilege level. for all users, or, if you supply a username, for that specific user. If you omit the all keyword, only explicitly configured values appear in this list. The following example displays the output of this command for the user named testuser:

hostname# show running-config all username testuser
username testuser password 12RsxXQnphyr/I9Z encrypted privilege 15
 

Configuring Attributes for Specific Users

To configure specific users, you assign a password (or no password) and attributes to a user using the username command, which enters username mode. Any attributes that you do not specify are inherited from the group policy.

The internal user authentication database consists of the users entered with the username command. The login command uses this database for authentication. To add a user to the ASA database, enter the username command in global configuration mode. To remove a user, use the no version of this command with the username you want to remove. To remove all usernames, use the clear configure username command without appending a username.

Setting a User Password and Privilege Level

Enter the username command to assign a password and a privilege level for a user. You can enter the nopassword keyword to specify that this user does not require a password. If you do specify a password, you can specify whether that password is stored in an encrypted form.

The optional privilege keyword lets you set a privilege level for this user. Privilege levels range from 0 (the lowest) through 15. System administrators generally have the highest privilege level. The default level is 2.

hostname(config)# username name {nopassword | password password [encrypted]} [privilege priv_level]}
 
hostname(config)# no username [name]
 

Table 67-8 describes the meaning of the keywords and variables used in this command.

Table 67-8 username Command Keywords and Variables

 

Keyword/Variable
Meaning

encrypted

Indicates that the password is encrypted.

name

Provides the name of the user.

nopassword

Indicates that this user needs no password.

password password

Indicates that this user has a password, and provides the password.

privilege priv_level

Sets a privilege level for this user. The range is from 0 to 15, with lower numbers having less ability to use commands and administer the ASA. The default privilege level is 2. The typical privilege level for a system administrator is 15.

By default, VPN users that you add with this command have no attributes or group policy association. You must explicitly configure all values.

The following example shows how to configure a user named anyuser with an encrypted password of pw_12345678 and a privilege level of 12:

hostname(config)# username anyuser password pw_12345678 encrypted privilege 12
hostname(config)#

Configuring User Attributes

After configuring the user’s password (if any) and privilege level, you set the other attributes. These can be in any order. To remove any attribute-value pair, enter the no form of the command.

Enter username mode by entering the username command with the attributes keyword:

hostname(config)# username name attributes
hostname(config-username)#
 

The prompt changes to indicate the new mode. You can now configure the attributes.

Configuring VPN User Attributes

The VPN user attributes set values specific to VPN connections, as described in the following sections.

Configuring Inheritance

You can let users inherit from the group policy the values of attributes that you have not configured at the username level. To specify the name of the group policy from which this user inherits attributes, enter the vpn-group-policy command. By default, VPN users have no group-policy association:

hostname(config-username)# vpn-group-policy group-policy-name
hostname(config-username)# no vpn-group-policy group-policy-name
 

For an attribute that is available in username mode, you can override the value of an attribute in a group policy for a particular user by configuring it in username mode.

The following example shows how to configure a user named anyuser to use attributes from the group policy named FirstGroup:

hostname(config)# username anyuser attributes
hostname(config-username)# vpn-group-policy FirstGroup
hostname(config-username)#
 

Configuring Access Hours

Associate the hours that this user is allowed to access the system by specifying the name of a configured time-range policy:

To remove the attribute from the running configuration, enter the no form of this command. This option allows inheritance of a time-range value from another group policy. To prevent inheriting a value, enter the vpn-access-hours none command. The default is unrestricted access.

hostname(config-username)# vpn-access-hours value {time-range | none}
hostname(config-username)# vpn-access-hours value none
hostname(config)#
 

The following example shows how to associate the user named anyuser with a time-range policy called 824:

hostname(config)# username anyuser attributes
hostname(config-username)# vpn-access-hours 824
hostname(config-username)#
 

Configuring Maximum Simultaneous Logins

Specify the maximum number of simultaneous logins allowed for this user. The range is 0 through 2147483647. The default is 3 simultaneous logins. To remove the attribute from the running configuration, enter the no form of this command. Enter 0 to disable login and prevent user access.

hostname(config-username)# vpn-simultaneous-logins integer
hostname(config-username)# no vpn-simultaneous-logins
hostname(config-username)# vpn-session-timeout alert-interval none
 
note.gif

Noteblank.gif While the maximum limit for the number of simultaneous logins is very large, allowing several could compromise security and affect performance.


The following example shows how to allow a maximum of 4 simultaneous logins for the user named anyuser:

hostname(config)# username anyuser attributes
hostname(config-username)# vpn-simultaneous-logins 4
hostname(config-username)#
 

Configuring the Idle Timeout

Specify the idle timeout period in minutes, or enter none to disable the idle timeout. If there is no communication activity on the connection in this period, the ASA terminates the connection. You can optionally set the alert interval, or leave the default of one minute.

The range is 1 through 35791394 minutes. The default is 30 minutes. To allow an unlimited timeout period, and thus prevent inheriting a timeout value, enter the vpn-idle-timeout command with the none keyword. To remove the attribute from the running configuration, enter the no form of this command.

hostname(config-username)# vpn-idle-timeout {minutes | none} alert-interval {minutes}
hostname(config-username)# no vpn-idle-timeout alert-interval
hostname(config-username)# vpn-idle-timeout alert-interval none
 
 

The following example shows how to set a VPN idle timeout of 15 minutes and alert interval of 3 minutes for the user named anyuser:

hostname(config)# username anyuser attributes
hostname(config-username)# vpn-idle-timeout 30 alert-interval 3
hostname(config-username)#
 

Configuring the Maximum Connect Time

Specify the maximum user connection time in minutes, or enter none to allow unlimited connection time and prevent inheriting a value for this attribute. At the end of this period of time, the ASA terminates the connection. You can optionally set the alert interval, or leave the default of one minute.

The range is 1 through 35791394 minutes. There is no default timeout. To allow an unlimited timeout period, and thus prevent inheriting a timeout value, enter the vpn-session-timeout command with the none keyword. To remove the attribute from the running configuration, enter the no form of this command.

hostname(config-username)# vpn-session-timeout {minutes | none} alert-interval {minutes}
hostname(config-username)# no vpn-session-timeout alert-interval
hostname(config-username)#
 

The following example shows how to set a VPN session timeout of 180 minutes for the user named anyuser:

hostname(config)# username anyuser attributes
hostname(config-username)# vpn-session-timeout 180 alert-interval {minutes}
hostname(config-username)#
 

Applying an ACL Filter

Specify the name of a previously-configured, user-specific ACL to use as a filter for VPN connections. To disallow an access list and prevent inheriting an access list from the group policy, enter the vpn-filter command with the none keyword. To remove the ACL, including a null value created by issuing the vpn - filter none command, enter the no form of this command. The no option allows inheritance of a value from the group policy. There are no default behaviors or values for this command.

You configure ACLs to permit or deny various types of traffic for this user. You then use the vpn-filter command to apply those ACLs.

hostname(config-username)# vpn-filter {value ACL_name | none}
hostname(config-username)# no vpn-filter
hostname(config-username)#
 
note.gif

Noteblank.gif Clientless SSL VPN does not use ACLs defined in the vpn-filter command.


The following example shows how to set a filter that invokes an access list named acl_vpn for the user named anyuser:

hostname(config)# username anyuser attributes
hostname(config-username)# vpn-filter value acl_vpn
hostname(config-username)#
 

Specifying the IP Address and Netmask

Specify the IP address and netmask to assign to a particular user. To remove the IP address, enter the no form of this command.

hostname(config-username)# vpn-framed-ip-address {ip_address}
hostname(config-username)# no vpn-framed-ip-address
hostname(config-username)
 

The following example shows how to set an IP address of 10.92.166.7 for a user named anyuser:

hostname(config)# username anyuser attributes
hostname(config-username)# vpn-framed-ip-address 10.92.166.7
hostname(config-username)
 

Specify the network mask to use with the IP address specified in the previous step. If you used the no vpn-framed-ip-address command, do not specify a network mask. To remove the subnet mask, enter the no form of this command. There is no default behavior or value.

hostname(config-username)# vpn-framed-ip-netmask {netmask}
hostname(config-username)# no vpn-framed-ip-netmask
hostname(config-username)
 

The following example shows how to set a subnet mask of 255.255.255. 254 for a user named anyuser:

hostname(config)# username anyuser attributes
hostname(config-username)# vpn-framed-ip-netmask 255.255.255.254
hostname(config-username)
 

Specifying the Tunnel Protocol

Specify the VPN tunnel types (IPsec or clientless SSL VPN) that this user can use. The default is taken from the default group policy, the default for which is IPsec. To remove the attribute from the running configuration, enter the no form of this command.

hostname(config-username)# vpn-tunnel-protocol {webvpn | IPsec}
hostname(config-username)# no vpn-tunnel-protocol [webvpn | IPsec]
hostname(config-username)
 

The parameter values for this command are as follows:

  • IPsec— Negotiates an IPsec tunnel between two peers (a remote access client or another secure gateway). Creates security associations that govern authentication, encryption, encapsulation, and key management.
  • webvpn— Provides clientless SSL VPN access to remote users via an HTTPS-enabled web browser, and does not require a client

Enter this command to configure one or more tunneling modes. You must configure at least one tunneling mode for users to connect over a VPN tunnel.

The following example shows how to configure clientless SSL VPN and IPsec tunneling modes for the user named anyuser:

hostname(config)# username anyuser attributes
hostname(config-username)# vpn-tunnel-protocol webvpn
hostname(config-username)# vpn-tunnel-protocol IPsec
hostname(config-username)
 

Restricting Remote User Access

Configure the group-lock attribute with the value keyword to restrict remote users to access only through the specified, preexisting connection profile. Group-lock restricts users by checking whether the group configured in the VPN client is the same as the connection profile to which the user is assigned. If it is not, the ASA prevents the user from connecting. If you do not configure group-lock, the ASA authenticates users without regard to the assigned group.

To remove the group-lock attribute from the running configuration, enter the no form of this command. This option allows inheritance of a value from the group policy. To disable group-lock, and to prevent inheriting a group-lock value from a default or specified group policy, enter the group-lock command with the none keyword.

hostname(config-username)# group-lock {value tunnel-grp-name | none}
hostname(config-username)# no group-lock
hostname(config-username)
 

The following example shows how to set group lock for the user named anyuser:

hostname(config)# username anyuser attributes
hostname(config-username)# group-lock value tunnel-group-name
hostname(config-username)
 

Enabling Password Storage for Software Client Users

Specify whether to let users store their login passwords on the client system. Password storage is disabled by default. Enable password storage only on systems that you know to be in secure sites. To disable password storage, enter the password-storage command with the disable keyword. To remove the password-storage attribute from the running configuration, enter the no form of this command. This enables inheritance of a value for password-storage from the group policy.

hostname(config-username)# password-storage {enable | disable}
hostname(config-username)# no password-storage
hostname(config-username)
 

This command has no bearing on interactive hardware client authentication or individual user authentication for hardware clients.

The following example shows how to enable password storage for the user named anyuser:

hostname(config)# username anyuser attributes
hostname(config-username)# password-storage enable
hostname(config-username)
 

Configuring Clientless SSL VPN Access for Specific Users

The following sections describe how to customize a configuration for specific users of clientless SSL VPN sessions. Enter username webvpn configuration mode by using the webvpn command in username configuration mode. Clientless SSL VPN lets users establish a secure, remote-access VPN tunnel to the ASA using a web browser. There is no need for either a software or hardware client. Clientless SSL VPN provides easy access to a broad range of web resources and web-enabled applications from almost any computer that can reach HTTPS Internet sites. Clientless SSL VPN uses SSL and its successor, TLS1, to provide a secure connection between remote users and specific, supported internal resources that you configure at a central site. The ASA recognizes connections that need to be proxied, and the HTTP server interacts with the authentication subsystem to authenticate users.

The username webvpn configuration mode commands define access to files, URLs and TCP applications over clientless SSL VPN sessions. They also identify ACLs and types of traffic to filter. Clientless SSL VPN is disabled by default. These webvpn commands apply only to the username from which you configure them. Notice that the prompt changes, indicating that you are now in username webvpn configuration mode.

hostname(config-username)# webvpn
hostname(config-username-webvpn)#
 

To remove all commands entered in username webvpn configuration mode, use the no form of this command:

hostname(config-username)# no webvpn
hostname(config-username)#
 

You do not need to configure clientless SSL VPN to use e-mail proxies.

note.gif

Noteblank.gif The webvpn mode that you enter from global configuration mode lets you configure global settings for clientless SSL VPN sessions. The username webvpn configuration mode described in this section, which you enter from username mode, lets you customize the configuration of specific users specifically for clientless SSL VPN sessions.


In username webvpn configuration mode, you can customize the following parameters, each of which is described in the subsequent steps:

  • customizations
  • deny message
  • html-content-filter
  • homepage
  • filter
  • url-list
  • port-forward
  • port-forward-name
  • sso server (single-signon server)
  • auto-signon
  • AnyConnect Secure Mobility Client
  • keep-alive ignore
  • HTTP compression

The following example shows how to enter username webvpn configuration mode for the username anyuser attributes:

hostname(config)# username anyuser attributes
hostname(config-username)# webvpn
hostname(config-username-webvpn)#
 

Specifying the Content/Objects to Filter from the HTML

To filter Java, ActiveX, images, scripts, and cookies for clientless SSL VPN sessions for this user, enter the html-content-filter command in username webvpn configuration mode. To remove a content filter, enter the no form of this command. To remove all content filters, including a null value created by issuing the html-content-filter none command, enter the no form of this command without arguments. The no option allows inheritance of a value from the group policy. To prevent inheriting an HTML content filter, enter the html-content-filter none command. HTML filtering is disabled by default.

Using the command a second time overrides the previous setting.

hostname(config-username-webvpn)# html-content-filter {java | images | scripts | cookies | none}
 
hostname(config-username-webvpn)# no html-content-filter [java | images | scripts | cookies | none]
 

The keywords used in this command are as follows:

  • cookies— Removes cookies from images, providing limited ad filtering and privacy.
  • images— Removes references to images (removes <IMG> tags).
  • java— Removes references to Java and ActiveX (removes <EMBED>, <APPLET>, and <OBJECT> tags.
  • none— Indicates that there is no filtering. Sets a null value, thereby disallowing filtering. Prevents inheriting filtering values.
  • scripts —Removes references to scripting (removes <SCRIPT> tags).

 

The following example shows how to set filtering of JAVA and ActiveX, cookies, and images for the user named anyuser:

hostname(config)# username anyuser attributes
hostname(config-username)# webvpn
hostname(config-username-webvpn)# html-content-filter java cookies images
hostname(config-username-webvpn)#
 

Specifying the User Home Page

To specify a URL for the web page that displays when this user logs into clientless SSL VPN session, enter the homepage command in username webvpn configuration mode. To remove a configured home page, including a null value created by issuing the homepage none command, enter the no form of this command. The no option allows inheritance of a value from the group policy. To prevent inheriting a home page, enter the homepage none command.

The none keyword indicates that there is no clientless SSL VPN home page. It sets a null value, thereby disallowing a home page and prevents inheriting a home page.

The url-string variable following the keyword value provides a URL for the home page. The string must begin with either http:// or https://.

There is no default home page.

hostname(config-username-webvpn)# homepage {value url-string | none}
hostname(config-username-webvpn)# no homepage
hostname(config-username-webvpn)#
 

The following example shows how to specify www.example.com as the home page for the user named anyuser:

hostname(config)# username anyuser attributes
hostname(config-username)# webvpn
hostname(config-username-webvpn)# homepage value www.example.com
hostname(config-username-webvpn)#
 

Applying Customization

Customizations determine the appearance of the windows that the user sees upon login. You configure the customization parameters as part of configuring clientless SSL VPN. To apply a previously defined web-page customization to change the look-and-feel of the web page that the user sees at login, enter the customization command in username webvpn configuration mode:

hostname(config-username-webvpn)# customization {none | value customization_name}
hostname(config-username-webvpn)#
 

For example, to use the customization named blueborder, enter the following command:

hostname(config-username-webvpn)# customization value blueborder
hostname(config-username-webvpn)#
 

You configure the customization itself by entering the customization command in webvpn mode.

The following example shows a command sequence that first establishes a customization named 123 that defines a password prompt. The example then defines a tunnel-group named test and uses the customization command to specify the use of the customization named 123:

hostname(config)# webvpn
hostname(config-webvpn)# customization 123
hostname(config-webvpn-custom)# password-prompt Enter password
hostname(config-webvpn)# exit
hostname(config)# username testuser nopassword
hostname(config)# username testuser attributes
hostname(config-username-webvpn)# webvpn
hostname(config-username-webvpn)# customization value 123
hostname(config-username-webvpn)#
 

Specifying a “Deny” Message

You can specify the message delivered to a remote user who logs into clientless SSL VPN session successfully, but has no VPN privileges by entering the deny-message command in username webvpn configuration mode:

hostname(config-username-webvpn)# deny-message value "message"
hostname(config-username-webvpn)# no deny-message value "message"
hostname(config-username-webvpn)# deny-message none
 

The no deny-message value command removes the message string, so that the remote user does not receive a message.

The no deny-message none command removes the attribute from the connection profile policy configuration. The policy inherits the attribute value.

The message can be up to 491 alphanumeric characters long, including special characters, spaces, and punctuation, but not counting the enclosing quotation marks. The text appears on the remote user’s browser upon login. When typing the string in the deny-message value command, continue typing even if the command wraps.

The default deny message is: “Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.”

The first command in the following example enters username mode and configures the attributes for the user named anyuser. The subsequent commands enter username webvpn configuration mode and modify the deny message associated with that user.

hostname(config)# username anyuser attributes
hostname(config-username)# webvpn
hostname(config-username-webvpn)# deny-message value "Your login credentials are OK. However, you have not been granted rights to use the VPN features. Contact your administrator for more information."
hostname(config-username-webvpn)
 

Specifying the Access List for Clientless SSL VPN Sessions

To specify the name of the access list to use for clientless SSL VPN sessions for this user, enter the filter command in username webvpn configuration mode. To remove the access list, including a null value created by issuing the filter none command, enter the no form of this command. The no option allows inheritance of a value from the group policy. To prevent inheriting filter values, enter the filter value none command.

Clientless SSL VPN access lists do not apply until you enter the filter command to specify them.

You configure ACLs to permit or deny various types of traffic for this user. You then enter the filter command to apply those ACLs for clientless SSL VPN traffic.

hostname(config-username-webvpn)# filter {value ACLname | none}
hostname(config-username-webvpn)# no filter
hostname(config-username-webvpn)#
 

The none keyword indicates that there is no webvpntype access list. It sets a null value, thereby disallowing an access list and prevents inheriting an access list from another group policy.

The ACLname string following the keyword value provides the name of the previously configured access list.

note.gif

Noteblank.gif Clientless SSL VPN does not use ACLs defined in the vpn-filter command.


The following example shows how to set a filter that invokes an access list named acl_in for the user named anyuser:

hostname(config)# username anyuser attributes
hostname(config-username)# webvpn
hostname(config-username-webvpn)# filter acl_in
hostname(config-username-webvpn)#
 

Applying a URL List

You can specify a list of URLs to appear on the home page for a user who has established a clientless SSL VPN session. First, you must create one or more named lists by entering the url-list command in global configuration mode. To apply a list of servers and URLs to a particular user of clientless SSL VPN, enter the url-list command in username webvpn configuration mode.

To remove a list, including a null value created by using the url-list none command, enter the no form of this command. The no option allows inheritance of a value from the group policy. To prevent inheriting a url list, enter the url-list none command.

hostname(config-username-webvpn)# url-list {listname displayname url | none}
hostname(config-username-webvpn)# no url-list
 

The keywords and variables used in this command are as follows:

  • displayname— Specifies a name for the URL. This name appears on the portal page in the clientless SSL VPN session.
  • listname— Identifies a name by which to group URLs.
  • none —Indicates that there is no list of URLs. Sets a null value, thereby disallowing a URL list. Prevents inheriting URL list values.
  • url— Specifies a URL that users of clientless SSL VPN can access.

There is no default URL list.

Using the command a second time overrides the previous setting.

The following example shows how to set a URL list called AnyuserURLs for the user named anyuser:

hostname(config)# username anyuser attributes
hostname(config-username)# webvpn
hostname(config-username-webvpn)# url-list value AnyuserURLs
hostname(config-username-webvpn)#
 

Enabling ActiveX Relay for a User

ActiveX Relay lets a user who has established a Clientless SSL VPN session use the browser to launch Microsoft Office applications. The applications use the session to download and upload Microsoft Office documents. The ActiveX relay remains in force until the Clientless SSL VPN session closes.

To enable or disable ActiveX controls on Clientless SSL VPN sessions, enter the following command in username webvpn configuration mode:

activex-relay { enable | disable }

To inherit the activex-relay command from the group policy, enter the following command:

no activex-relay

The following commands enable ActiveX controls on Clientless SSL VPN sessions associated with a given username:

hostname(config-username-policy)# webvpn
hostname(config-username-webvpn)# activex-relay enable
hostname(config-username-webvpn)
 

Enabling Application Access for Clientless SSL VPN Sessions

To enable application access for this user, enter the port-forward command in username webvpn configuration mode. Port forwarding is disabled by default.

To remove the port forwarding attribute from the configuration, including a null value created by issuing the port-forward none command, enter the no form of this command. The no option allows inheritance of a list from the group policy. To disallow filtering and prevent inheriting a port forwarding list, enter the port-forward command with the none keyword.

hostname(config-username-webvpn)# port-forward {value listname | none}
hostname(config-username-webvpn)# no port-forward
hostname(config-username-webvpn)#
 

The listname string following the keyword value identifies the list of applications users of clientless SSL VPN can access. Enter the port-forward command in configuration mode to define the list.

Using the command a second time overrides the previous setting.

Before you can enter the port-forward command in username webvpn configuration mode to enable application access, you must define a list of applications that you want users to be able to use in a clientless SSL VPN session. Enter the port-forward command in global configuration mode to define this list.

The following example shows how to configure a portforwarding list called ports1:

hostname(config-group-policy)# webvpn
hostname(config-username-webvpn)# port-forward value ports1
hostname(config-username-webvpn)#
 

Configuring the Port-Forwarding Display Name

Configure the display name that identifies TCP port forwarding to end users for a particular user by using the port-forward-name command in username webvpn configuration mode. To delete the display name, including a null value created by using the port-forward-name none command, enter the no form of the command. The no option restores the default name, Application Access. To prevent a display name, enter the port-forward none command.

hostname(config-username-webvpn)# port-forward-name {value name | none}
hostname(config-username-webvpn)# no port-forward-name
 

The following example shows how to configure the port-forward name test:

hostname(config-group-policy)# webvpn
hostname(config-username-webvpn)# port-forward-name value test
hostname(config-username-webvpn)#
 

Configuring the Maximum Object Size to Ignore for Updating the Session Timer

Network devices exchange short keepalive messages to ensure that the virtual circuit between them is still active. The length of these messages can vary. The keep-alive-ignore command lets you tell the ASA to consider all messages that are less than or equal to the specified size as keepalive messages and not as traffic when updating the session timer. The range is 0 through 900 KB. The default is 4 KB.

To specify the upper limit of the HTTP/HTTPS traffic, per transaction, to ignore, use the keep-alive-ignore command in group-policy attributes webvpn configuration mode:

hostname(config-group-webvpn)# keep-alive-ignore size
hostname(config-group-webvpn)#
 
The no form of the command removes this specification from the configuration:
hostname(config-group-webvpn)# no keep-alive-ignore
hostname(config-group-webvpn)#
 

The following example sets the maximum size of objects to ignore as 5 KB:

hostname(config-group-webvpn)# keep-alive-ignore 5
hostname(config-group-webvpn)#
 

Configuring Auto-Signon

To automatically submit the login credentials of a particular user of clientless SSL VPN to internal servers using NTLM, basic HTTP authentication or both, use the auto-signon command in username webvpn configuration mode.

The auto-signon command is a single sign-on method for users of clientless SSL VPN sessions. It passes the login credentials (username and password) to internal servers for authentication using NTLM authentication, basic authentication, or both. Multiple auto-signon commands can be entered and are processed according to the input order (early commands take precedence).

You can use the auto-signon feature in three modes: webvpn configuration, webvpn group configuration, or webvpn username configuration mode. The typical precedence behavior applies where username supersedes group, and group supersedes global. The mode you choose will depend upon the desired scope of authentication.

To disable auto-signon for a particular user to a particular server, use the no form of the command with the original specification of IP block or URI. To disable authentication to all servers, use the no form without arguments. The no option allows inheritance of a value from the group policy.

The following example commands configure auto-signon for a user of clientless SSL VPN named anyuser, using either basic or NTLM authentication, to servers defined by the URI mask https://*.example.com/*:

hostname(config)# username anyuser attributes
hostname(config-username)# webvpn
hostname(config-username-webvpn)# auto-signon allow uri https://*.example.com/* auth-type all
 
The following example commands configure auto-signon for a user of clientless SSL VPN named anyuser, using either basic or NTLM authentication, to the server with the IP address 10.1.1.0, using subnet mask 255.255.255.0:
 
hostname(config)# username anyuser attributes
hostname(config-username)# webvpn
hostname(config-username-webvpn)# auto-signon allow ip 10.1.1.0 255.255.255.0 auth-type all
hostname(config-username-webvpn)#
 

Specifying HTTP Compression

Enable compression of http data over a clientless SSL VPN session for a specific user by entering the http-comp command in the username webvpn configuration mode.

hostname(config-username-webvpn)# http-comp {gzip | none}
hostname(config-username-webvpn)#
 

To remove the command from the configuration and cause the value to be inherited, use the no form of the command:

hostname(config-username-webvpn)# no http-comp {gzip | none}
hostname(config-username-webvpn)#
 

The syntax of this command is as follows:

  • gzip— Specifies compression is enabled for the group or user. This is the default value.
  • none— Specifies compression is disabled for the group or user.

For clientless SSL VPN session, the compression command configured from global configuration mode overrides the http-comp command configured in group policy and username webvpn modes.

In the following example, compression is disabled for the username testuser:

hostname(config)# username testuser internal
hostname(config)# username testuser attributes
hostname(config-username)# webvpn
hostname(config-username-webvpn)# http-comp none
hostname(config-username-webvpn)#

Specifying the SSO Server

Single sign-on support, available only for clientless SSL VPN sessions, lets users access different secure services on different servers without reentering a username and password more than once. The sso-server value command, when entered in username-webvpn mode, lets you assign an SSO server to a user.

To assign an SSO server to a user, use the sso-server value command in username-webvpn configuration mode. This command requires that your configuration include CA SiteMinder command.

hostname(config-username-webvpn)# sso-server value server_name
hostname(config-username-webvpn)#
 

To remove the assignment and use the default policy, use the no form of this command. To prevent inheriting the default policy, use the sso-server none command.

hostname(config-username-webvpn)# sso-server {value server_name | none}
hostname(config-username-webvpn)# [no] sso-server value server_name
 

The default policy assigned to the SSO server is DfltGrpPolicy.

The following example assigns the SSO server named example to the user named anyuser:

hostname(config)# username anyuser attributes
hostname(config-username)# webvpn
hostname(config-username-webvpn)# sso-server value example
hostname(config-username-webvpn)#