Enabling Cookies On Browsers For Webvpn - Cisco FirePOWER ASA 5500 series Configuration Manual
Chapter 37
Configuring WebVPN

Enabling Cookies on Browsers for WebVPN

Browser cookies are required for the proper operation of WebVPN. When cookies are disabled on the
web browser, the links from the web portal home page open a new window prompting the user to log in
once more.
Managing Passwords
You can configure the security appliance to warn end users when their passwords are about to expire. To
do this, you specify the password-management command in tunnel-group general-attributes mode.
When you configure this command, the security appliance notifies the remote user at login that the user's
current password is about to expire or has expired. The security appliance then offers the user the
opportunity to change the password. If the current password has not yet expired, the user can still log in
using that password. This command is valid for AAA servers that support such notification; that is,
RADIUS, RADIUS with an NT server, and LDAP servers. The security appliance ignores this command
if RADIUS or LDAP authentication has not been configured.
Note that this does not change the number of days before the password expires, but rather specifies the
number of days ahead of expiration that the security appliance starts warning the user that the password
is about to expire. The default value is 14 days.
For LDAP server authentication only, you can use the password-expire-in-days keyword to specify a
specific number of days. If you specify the password-expire-in-days keyword, you must also specify
the number of days.
Setting the number of days to 0 disables the warning: the security appliance then does not notify the
user of the pending expiration, but the user can still change the password after it expires.
The following example configures the security appliance to begin warning users in the tunnel group
"testgroup" 90 days before their passwords expire:
hostname(config)# tunnel-group testgroup type webvpn
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-general)# password-management password-expire-in-days 90
Using Single Sign-on with WebVPN
Single sign-on support lets WebVPN users enter a username and password only once to access multiple
protected services and web servers. In general, the SSO mechanism either starts as part of the AAA
process or just after successful user authentication to a AAA server. The WebVPN server running on the
security appliance acts as a proxy for the user to the authenticating server. When a user logs in, the
WebVPN server sends an SSO authentication request, including username and password, to the
authenticating server using HTTPS. If the server approves the authentication request, it returns an SSO
authentication cookie to the WebVPN server. The security appliance keeps this cookie on behalf of the
user and uses it to authenticate the user to secure websites within the domain protected by the SSO
server.
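The proxy flow described above, as an added Python model that is not Cisco's code and not part of the original guide: a stand-in SSO server issues an HMAC-signed cookie for valid credentials, the WebVPN proxy keeps that cookie server-side keyed by the user's portal session, and attaches it only to requests for hosts inside the SSO server's domain. The class names, the cookie layout, the SSOSESSION cookie name, the constructed credential store and the domain-suffix rule are all assumptions for illustration; the real exchange runs over HTTPS to the authenticating server, which this in-memory model omits.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import urlparse


class SsoServer:
    """Stand-in for the SSO authentication server (constructed for this example).

    It checks a username/password and, on success, returns a cookie that it can
    later validate. The HMAC over (username, nonce) is an assumption; a real SSO
    product defines its own cookie format.
    """

    def __init__(self, domain: str, users: Dict[str, str]):
        self.domain = domain            # domain the SSO cookie is valid for
        self._users = users             # constructed credential store
        self._key = secrets.token_bytes(32)

    def authenticate(self, username: str, password: str) -> Optional[str]:
        expected = self._users.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        nonce = secrets.token_hex(8)
        return f"{username}:{nonce}:{self._sign(username, nonce)}"

    def validate(self, cookie: str) -> Optional[str]:
        """Return the username a cookie was issued for, or None if it is forged."""
        parts = cookie.split(":")
        if len(parts) != 3:
            return None
        username, nonce, mac = parts
        if not hmac.compare_digest(self._sign(username, nonce).encode(), mac.encode()):
            return None
        return username

    def _sign(self, username: str, nonce: str) -> str:
        return hmac.new(self._key, f"{username}:{nonce}".encode(), hashlib.sha256).hexdigest()


class WebVpnProxy:
    """Model of the WebVPN server running on the security appliance."""

    COOKIE_NAME = "SSOSESSION"  # assumed name; the real name depends on the SSO product

    def __init__(self, sso: SsoServer):
        self._sso = sso
        # portal session id -> SSO cookie. The SSO cookie stays here; the browser
        # only ever sees the portal session id.
        self._sso_cookies: Dict[str, str] = {}

    def login(self, username: str, password: str) -> Optional[str]:
        """Forward the credentials to the SSO server; return a portal session id on success."""
        cookie = self._sso.authenticate(username, password)
        if cookie is None:
            return None
        session_id = secrets.token_hex(16)
        self._sso_cookies[session_id] = cookie
        return session_id

    def outbound_headers(self, session_id: str, url: str) -> Dict[str, str]:
        """Headers the appliance adds when fetching url on behalf of a portal session.

        The stored SSO cookie is attached only for hosts inside the SSO domain, so a
        site outside that domain (attacker-controlled or not) never receives it.
        """
        cookie = self._sso_cookies.get(session_id)
        if cookie is None:
            return {}
        host = (urlparse(url).hostname or "").lower()
        domain = self._sso.domain.lower()
        if host == domain or host.endswith("." + domain):
            return {"Cookie": f"{self.COOKIE_NAME}={cookie}"}
        return {}


def protected_site_user(sso: SsoServer, headers: Dict[str, str]) -> Optional[str]:
    """What a web server inside the SSO domain does: identify the user from the cookie."""
    raw = headers.get("Cookie", "")
    prefix = WebVpnProxy.COOKIE_NAME + "="
    if not raw.startswith(prefix):
        return None
    return sso.validate(raw[len(prefix):])


def demo() -> Dict[str, object]:
    sso = SsoServer("corp.example", {"alice": "correct horse"})   # constructed data
    proxy = WebVpnProxy(sso)
    bad = proxy.login("alice", "wrong password")
    session = proxy.login("alice", "correct horse")
    assert session is not None
    inside = proxy.outbound_headers(session, "https://intranet.corp.example/app")
    outside = proxy.outbound_headers(session, "https://corp.example.attacker.test/")
    return {
        "bad_login": bad,
        "inside_user": protected_site_user(sso, inside),
        "outside_headers": outside,
        "forged_user": sso.validate("alice:00000000:notamac"),
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes concrete is that the SSO cookie is a bearer credential: because the appliance holds it and scopes it to the SSO domain, a link on the portal to an outside host cannot leak it, and the user's browser never has it to lose.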
This section describes the three SSO authentication methods supported by WebVPN: HTTP Basic and
NTLMv1 (NT LAN Manager) authentication, the Computer Associates eTrust SiteMinder SSO server
(formerly Netegrity SiteMinder), and the HTTP Form protocol.
This section includes:
Cisco Security Appliance Command Line Configuration Guide, OL-10088-01, Getting Started with WebVPN, page 37-5
This manual also applies to: Cisco PIX 500 series, Cisco ASA 5500 series.