Cisco PIX 500 Series Configuration Manual page 682
Security appliance command line
Hide thumbs
Also See for PIX 500 Series:
- Administration manual (653 pages) ,
- Quick start manual (72 pages) ,
- User manual (60 pages)
Table of Contents
Advertisement
Group Policies
Configuring Auto-Signon
The auto-signon command is a single sign-on method for users of clientless SSL VPN sessions. It passes
the login credentials (username and password) to internal servers for authentication using NTLM
authentication, basic authentication, or both. Multiple auto-signon commands can be entered and are
processed according to the input order (early commands take precedence).
You can use the auto-signon feature in three modes: webvpn configuration, webvpn group configuration,
or webvpn username configuration mode. The typical precedence behavior applies where username
supersedes group, and group supersedes global. The mode you choose depends upon the desired scope
of authentication.
To disable auto-signon for a particular user to a particular server, use the no form of the command with
the original specification of IP block or URI. To disable authentication to all servers, use the no form
without arguments. The no option allows inheritance of a value from the group policy.
The following example, entered in group-policy webvpn configuration mode, configures auto-signon for
the user named anyuser, using basic authentication, to servers with IP addresses ranging from 10.1.1.0
to 10.1.1.255:
The following example commands configure auto-signon for users of clientless SSL VPN sessions,
using either basic or NTLM authentication, to servers defined by the URI mask https://*.example.com/*:
hostname(config)# group-policy ExamplePolicy attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# auto-signon allow uri https://*.example.com/* auth-type all
hostname(config-group-webvpn)#
The following example commands configure auto-signon for users of clientless SSL VPN sessions,
using either basic or NTLM authentication, to the server with the IP address 10.1.1.0, using subnet mask
255.255.255.0:
hostname(config)# group-policy ExamplePolicy attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# auto-signon allow ip 10.1.1.0 255.255.255.0 auth-type all
hostname(config-group-webvpn)#
Specifying the Access List for Clientless SSL VPN Sessions
Specify the name of the access list to use for clientless SSL VPN sessions for this group policy or
username by using the filter command in webvpn mode. Clientless SSL VPN access lists do not apply
until you enter the filter command to specify them.
To remove the access list, including a null value created by issuing the filter none command, enter the
no form of this command. The no option allows inheritance of a value from another group policy. To
prevent inheriting filter values, enter the filter value none command.
Access lists for clientless SSL VPN sessions do not apply until you enter the filter command to specify
them.
You configure ACLs to permit or deny various types of traffic for this group policy. You then enter the
filter command to apply those ACLs for clientless SSL VPN traffic.
hostname(config-group-webvpn)# filter {value
hostname(config-group-webvpn)# no filter
The none keyword indicates that there is no webvpntype access list. It sets a null value, thereby
disallowing an access list and prevents inheriting an access list from another group policy.
The ACLname string following the keyword value provides the name of the previously configured access
list.
Cisco Security Appliance Command Line Configuration Guide
30-66
Chapter 30
Configuring Connection Profiles, Group Policies, and Users
ACLname
| none}
OL-12172-03
Advertisement
Table of Contents
Troubleshooting
