Cisco ASA 5505 Configuration Manual page 1347

Chapter 64
General VPN Setup
Individual user authentication protects the central site from access by unauthorized persons on the
private network of the hardware client. When you enable individual user authentication, each user
that connects through a hardware client must open a web browser and manually enter a valid
username and password to access the network behind the adaptive security appliance, even though
the tunnel already exists.

Note
If you have a default home page on the remote network behind the adaptive security appliance, or if
you direct the browser to a website on the remote network behind the adaptive security appliance,
the hardware client directs the browser to the proper pages for user login. When you successfully
log in, the browser displays the page you originally entered.

If you try to access resources on the network behind the adaptive security appliance that are not
web-based, for example, e-mail, the connection fails until you authenticate using a browser.
To authenticate, you must enter the IP address for the private interface of the hardware client in the
browser Location or Address field. The browser then displays the login dialog box for the hardware
client. To authenticate, click Connect/Login Status.

Note
You cannot use the command-line interface to log in if user authentication is enabled. You must
use a browser.

One user can log in for a maximum of four sessions simultaneously. Individual users authenticate
according to the order of authentication servers configured for a group.

User Authentication Idle Timeout—Configures a user timeout period. The security appliance
terminates the connection if it does not receive user traffic during this period. You can specify that
the timeout period is a specific number of minutes or unlimited.
  Unlimited—Specifies that the connection never times out. This option prevents inheriting a
  value from a default or specified group policy.
  Minutes—Specifies the timeout period in minutes. Use an integer between 1 and 35791394. The
  default value is Unlimited.
Note that the idle timeout indicated in response to the show uauth command is always the idle
timeout value of the user who authenticated the tunnel on the Cisco Easy VPN remote device.

Cisco IP Phone Bypass—Lets Cisco IP Phones bypass the interactive individual user authentication
processes. If enabled, interactive hardware client authentication remains in effect. Cisco IP Phone
Bypass is disabled by default.

Note
You must configure the ASA 5505 in client mode or the VPN 3002 hardware client to use
network extension mode for IP phone connections.

LEAP Bypass—Lets LEAP packets from Cisco wireless devices bypass the individual user
authentication processes (if enabled). LEAP Bypass lets LEAP packets from devices behind a
hardware client travel across a VPN tunnel prior to individual user authentication. This lets
workstations using Cisco wireless access point devices establish LEAP authentication. Then they
authenticate again per individual user authentication (if enabled). LEAP Bypass is disabled by
default.

Note
This feature does not work as intended if you enable interactive hardware client authentication.

OL-20339-01
Cisco ASA 5500 Series Configuration Guide using ASDM
ACL Manager
64-37
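The ASDM fields described on this page correspond to group-policy attribute commands on the ASA CLI. As an added example (not taken from this manual), the following shows a weak configuration of those attributes beside a hardened one; the policy name HW-CLIENT-POLICY and the 30-minute timeout are constructed values.

```cisco
! Added example, not from the manual page: CLI equivalents of the ASDM
! hardware-client fields above. Policy name and timeout value are constructed.
!
! Weak setting: individual user authentication is off, so anyone on the
! hardware client's private LAN reaches the central site as soon as the tunnel
! is up, and an idle user session is never terminated.
group-policy HW-CLIENT-POLICY attributes
 user-authentication disable
 user-authentication-idle-timeout none
 ip-phone-bypass enable
 leap-bypass enable
!
! Hardened setting: every user behind the hardware client must log in through
! the browser, sessions idle for 30 minutes are dropped (valid range is
! 1 to 35791394 minutes), and both bypasses stay at their default (disabled).
group-policy HW-CLIENT-POLICY attributes
 user-authentication enable
 user-authentication-idle-timeout 30
 ! Enable IP Phone Bypass only when the ASA 5505 is in client mode or the
 ! VPN 3002 uses network extension mode for the phones; otherwise keep it off.
 ip-phone-bypass disable
 ! LEAP Bypass does not work as intended when interactive hardware client
 ! authentication is enabled, so it is left disabled.
 leap-bypass disable
!
! Check the idle timeout that is actually in force. The value shown is always
! that of the user who authenticated the tunnel on the Easy VPN remote device.
show uauth
```

Apply the hardened block in configuration mode; the first block is shown only to make the difference between the settings visible.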