General Connection Profile Connection Parameters - Cisco PIX 500 Series Configuration Manual


Chapter 30
Configuring Connection Profiles, Group Policies, and Users

General Connection Profile Connection Parameters

General parameters are common to all VPN connections. The general parameters include the following:

Connection profile name—You specify a connection-profile name when you add or edit a connection profile. The following considerations apply:
  For clients that use preshared keys to authenticate, the connection profile name is the same as the group name that an IPSec client passes to the security appliance.
  Clients that use certificates to authenticate pass this name as part of the certificate, and the security appliance extracts the name from the certificate.

Connection type—Connection types include IPSec remote access, IPSec LAN-to-LAN, and clientless SSL VPN. A connection profile can have only one connection type.

Authentication, Authorization, and Accounting servers—These parameters identify the server groups or lists that the security appliance uses for the following purposes:
  Authenticating users
  Obtaining information about services users are authorized to access
  Storing accounting records
A server group can consist of one or more servers.

Default group policy for the connection—A group policy is a set of user-oriented attributes. The default group policy is the group policy whose attributes the security appliance uses as defaults when authenticating or authorizing a tunnel user.

Client address assignment method—This method includes values for one or more DHCP servers or address pools that the security appliance assigns to clients.

Override account disabled—This parameter lets you override the "account-disabled" indicator received from a AAA server.

Password management—This parameter lets you warn a user that the current password is due to expire in a specified number of days (the default is 14 days), then offer the user the opportunity to change the password.

Strip group and strip realm—These parameters direct the way the security appliance processes the usernames it receives. They apply only to usernames received in the form user@realm. A realm is an administrative domain appended to a username with the @ delimiter (user@abc).
  When you specify the strip-group command, the security appliance selects the connection profile for user connections by obtaining the group name from the username presented by the VPN client. The security appliance then sends only the user part of the username for authorization/authentication. Otherwise (if disabled), the security appliance sends the entire username, including the realm.
  Strip-realm processing removes the realm from the username when sending the username to the authentication or authorization server. If the command is enabled, the security appliance sends only the user part of the username for authorization/authentication. Otherwise, the security appliance sends the entire username.

Authorization required—This parameter lets you require authorization before a user can connect, or turn off that requirement.

Authorization DN attributes—This parameter specifies which Distinguished Name attributes to use when performing authorization.

Cisco Security Appliance Command Line Configuration Guide, OL-12172-03
Connection Profiles
30-3
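As an added illustration (not code from the guide or from the appliance itself), this Python model shows how the strip-group and strip-realm settings described above change which connection profile is selected and what username string is forwarded to the AAA server. It assumes that "@" delimits both the group name and the realm, and that a group name matching no configured profile falls back to the default profile.

```python
# Added model of strip-group / strip-realm username processing (not Cisco code).
# Assumptions: "@" is the delimiter for both group and realm, and an unknown
# group name falls back to the default profile while the user part is still
# what gets sent to AAA.

def process_username(presented, profiles, default_profile, strip_group, strip_realm):
    """Return (connection_profile, aaa_username) for the presented username.

    presented:       the name the VPN client sent, e.g. "alice@Engineering"
    profiles:        names of the connection profiles configured on the appliance
    default_profile: profile used when none is selected from the username
    """
    user, delimiter, suffix = presented.partition("@")
    has_suffix = delimiter == "@"

    # strip-group: the part after "@" is treated as the group name and used to
    # select the connection profile (fallback to the default is an assumption).
    profile = default_profile
    if strip_group and has_suffix and suffix in profiles:
        profile = suffix

    # With either option enabled only the user part goes to AAA; with both
    # disabled the full name, realm included, is forwarded.
    if has_suffix and (strip_group or strip_realm):
        aaa_name = user
    else:
        aaa_name = presented
    return profile, aaa_name


def outcome_matrix(presented, profiles, default_profile):
    """All four strip-group/strip-realm combinations for one presented name."""
    return {
        (sg, sr): process_username(presented, profiles, default_profile, sg, sr)
        for sg in (False, True)
        for sr in (False, True)
    }


if __name__ == "__main__":
    # Constructed sample configuration: two profiles plus a default.
    configured = {"Engineering", "Sales"}
    for name in ("alice@Engineering", "bob@corp.example", "carol"):
        matrix = outcome_matrix(name, configured, "DefaultRAGroup")
        for (sg, sr), (profile, aaa) in matrix.items():
            print(f"{name:18} strip-group={sg!s:5} strip-realm={sr!s:5} "
                  f"-> profile={profile}, AAA receives {aaa}")
```

Running it prints the full matrix; note that with both options disabled the realm reaches the AAA server unchanged, which is the case to check when accounts on that server are stored without a realm.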