Cisco PIX 500 Series Configuration Manual page 641

Security appliance command line

Chapter 30
Configuring Connection Profiles, Group Policies, and Users
hostname(config)# tunnel-group RadiusServer general-attributes
hostname(config-tunnel-general)# authentication-server-group RADIUS
hostname(config-tunnel-general)# accounting-server-group RADIUS
hostname(config-tunnel-general)# tunnel-group RadiusServer webvpn-attributes
hostname(config-tunnel-webvpn)# group-alias "Cisco Remote Access" enable
hostname(config-tunnel-webvpn)# group-url http://www.cisco.com enable
hostname(config-tunnel-webvpn)# group-url http://192.168.10.10 enable
hostname(config-tunnel-webvpn)#
For a more extensive example, see Customizing Login Windows for Users of Clientless SSL VPN
sessions, page 30-26.
Step 6
To specify the DNS server to use for a connection profile for clientless SSL VPN sessions, enter the
dns-group command. The default value is DefaultDNS:
hostname(config-tunnel-webvpn)# dns-group { hostname | ip_address }
hostname(config-tunnel-webvpn)#
The dns-group command resolves the hostname to the appropriate DNS server for the connection profile.
For example, to specify the use of the DNS server named server1, enter the following command:
hostname(config)# name 10.10.10.1 server1
hostname(config-tunnel-webvpn)# dns-group server1
hostname(config-tunnel-webvpn)#
Step 7
(Optional) To specify a VPN feature policy if you use the Cisco Secure Desktop Manager to set the
Group-Based Policy attribute to "Use Failure Group-Policy" or "Use Success Group-Policy, if criteria
match," use the hic-fail-group-policy command. The default value is DfltGrpPolicy.
hostname(config-tunnel-webvpn)# hic-fail-group-policy name
hostname(config-tunnel-webvpn)#
Name is the name of a group policy created for a connection profile for clientless SSL VPN sessions.
This policy is an alternative group policy to differentiate access rights for the following CSD clients:
• Clients that match a CSD location entry set to "Use Failure Group-Policy."
• Clients that match a CSD location entry set to "Use Success Group-Policy, if criteria match," and
  then fail to match the configured Group-Based Policy criteria.
For more information, see the Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series
Administrators.
The following example specifies an alternative group policy named group2:
hostname(config-tunnel-webvpn)# hic-fail-group-policy group2
hostname(config-tunnel-webvpn)#
Note
The security appliance does not use this attribute if you set the VPN feature policy to "Always
use Success Group-Policy."
For more information, see the Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series
Administration Guide.
Step 8
(Optional) To specify whether to override the group policy or username attributes configuration for
downloading an AnyConnect or SSL VPN client, use the override-svc-download command. This feature
is disabled by default.
The security appliance allows clientless, AnyConnect, or SSL VPN client connections for remote users
based on whether clientless and/or SSL VPN is enabled in the group policy or username attributes with
the vpn-tunnel-protocol command. The svc ask command further modifies the client user experience
by prompting the user to download the client or return to the WebVPN home page.
Cisco Security Appliance Command Line Configuration Guide
OL-12172-03
30-25
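An added example, not part of the Cisco guide: a Python audit of a saved configuration that applies the defaults stated in Steps 6 through 8 and reports connection profiles whose hic-fail-group-policy is still the default or names a group policy that is not defined. The sample configuration is constructed; the indented running-config layout and the "group-policy name internal" definition line are assumptions about the input.

```python
import re

# Defaults as stated in Steps 6-8 above.
DEFAULTS = {"dns-group": "DefaultDNS", "hic-fail-group-policy": "DfltGrpPolicy",
            "override-svc-download": "disabled"}

# Constructed sample; assumes running-config layout (subcommands indented).
SAMPLE_CONFIG = """\
group-policy group2 internal
tunnel-group RadiusServer webvpn-attributes
 group-url http://www.cisco.com enable
 dns-group server1
 hic-fail-group-policy group2
tunnel-group Contractors webvpn-attributes
 hic-fail-group-policy group9
tunnel-group Staff webvpn-attributes
 override-svc-download
"""

def parse_profiles(config):
    """Return ({profile: effective settings}, {defined group-policy names})."""
    profiles, policies, current = {}, {DEFAULTS["hic-fail-group-policy"]}, None
    for line in config.splitlines():
        head = re.match(r"tunnel-group (\S+) webvpn-attributes\s*$", line)
        if head:
            current = profiles.setdefault(head.group(1), dict(DEFAULTS))
        elif line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            if key in DEFAULTS:  # a command without an argument is a switch
                current[key] = value or "enabled"
        else:
            current = None  # any other top-level command ends the block
            policies.update(re.findall(r"^group-policy (\S+) (?:internal|external)\b", line))
    return profiles, policies

def audit(config):
    """List (profile, finding) pairs for the CSD failure-policy setting."""
    profiles, policies = parse_profiles(config)
    findings = []
    for name, cfg in profiles.items():
        fail = cfg["hic-fail-group-policy"]
        if fail == DEFAULTS["hic-fail-group-policy"]:
            findings.append((name, "failure policy left at default"))
        elif fail not in policies:
            findings.append((name, "failure policy not defined: " + fail))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

A profile reported as left at the default gives CSD clients that fail the criteria the same DfltGrpPolicy rights as any other client, so no access differentiation is in effect for that profile.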
