Cisco PIX 500 Series Configuration Manual page 625

Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, page 30-9

Chapter 30
Configuring Connection Profiles, Group Policies, and Users
Configuring Connection Profiles

Step 6
Specify the names or IP addresses of the DHCP server (up to 10 servers), and the names of the DHCP address pools (up to 6 pools). The defaults are no DHCP server and no address pool.
hostname(config-tunnel-general)# dhcp-server server1 [...server10]
hostname(config-tunnel-general)# address-pool [(interface name)] address_pool1 [...address_pool6]
hostname(config-tunnel-general)#
Note
If you specify an interface name, you must enclose it within parentheses.
You configure address pools with the ip local pool command in global configuration mode.

Step 7
Specify the name of the NAC authentication server group, if you are using Network Admission Control, to identify the group of authentication servers to be used for Network Admission Control posture validation. Configure at least one Access Control Server to support NAC. Use the aaa-server command to name the ACS group. Then use the nac-authentication-server-group command, using the same name for the server group.
The following example identifies acs-group1 as the authentication server group to be used for NAC posture validation:
hostname(config-group-policy)# nac-authentication-server-group acs-group1
hostname(config-group-policy)#
The following example inherits the authentication server group from the default remote access group:
hostname(config-group-policy)# no nac-authentication-server-group
hostname(config-group-policy)#
Note
NAC requires a Cisco Trust Agent on the remote host.

Step 8
Specify whether to strip the group or the realm from the username before passing it on to the AAA server. The default is not to strip either the group name or the realm.
hostname(config-tunnel-general)# strip-group
hostname(config-tunnel-general)# strip-realm
hostname(config-tunnel-general)#
A realm is an administrative domain. If you strip the realm, the security appliance uses the username and the group (if present) for authentication. If you strip the group, the security appliance uses the username and the realm (if present) for authentication. Enter the strip-realm command to remove the realm qualifier, and use the strip-group command to remove the group qualifier from the username during authentication. If you remove both qualifiers, authentication is based on the username alone. Otherwise, authentication is based on the full username@realm or username<delimiter>group string. You must specify strip-realm if your server is unable to parse delimiters.

Step 9
Optionally, if your server is a RADIUS, RADIUS with NT, or LDAP server, you can enable password management.
Note
If you are using an LDAP directory server for authentication, password management is supported with the Sun Microsystems JAVA System Directory Server (formerly named the Sun ONE Directory Server) and the Microsoft Active Directory.
Sun—The DN configured on the security appliance to access a Sun directory server must be able to access the default password policy on that server. We recommend using the directory
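The following is an added worked example, not code from the Cisco guide, that models what Step 8 describes: how the strip-realm and strip-group settings change the username string the security appliance hands to the AAA server. It assumes, for the sake of the model, that the realm qualifier is everything after the last "@", that the group qualifier follows a configurable delimiter ("#" here; the guide shows it only as <delimiter>), and that a login carrying both qualifiers is written user<delimiter>group@realm. The StripPolicy, split_username, username_for_aaa and strip_matrix names are this example's own.

```python
"""Added example (not from the Cisco guide): a small model of how the
strip-realm and strip-group tunnel-group settings change the username
string that the security appliance passes to the AAA server.

Assumptions made here (not stated on the page):
  * the realm qualifier is everything after the last '@';
  * the group qualifier is everything after a configurable delimiter,
    '#' by default in this model, and the delimiter is not '@' so the
    two qualifiers can be told apart;
  * when both qualifiers are present the string is user<delim>group@realm.
"""

from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class StripPolicy:
    """Mirrors the two tunnel-group commands: strip-realm and strip-group."""
    strip_realm: bool = False   # default: realm is not stripped
    strip_group: bool = False   # default: group is not stripped
    group_delimiter: str = "#"  # assumed delimiter for the group qualifier


def split_username(full: str, group_delimiter: str = "#") -> Tuple[str, Optional[str], Optional[str]]:
    """Split 'user<delim>group@realm' into (user, group, realm); missing parts are None."""
    if group_delimiter == "@":
        raise ValueError("this model needs a group delimiter other than '@'")
    name, realm = full, None
    if "@" in name:
        # realm qualifier: text after the last '@'
        name, realm = name.rsplit("@", 1)
    group = None
    if group_delimiter in name:
        # group qualifier: text after the last group delimiter
        name, group = name.rsplit(group_delimiter, 1)
    return name, group, realm


def username_for_aaa(full: str, policy: StripPolicy = StripPolicy()) -> str:
    """Return the username string the AAA server would receive under `policy`."""
    name, group, realm = split_username(full, policy.group_delimiter)
    out = name
    if group is not None and not policy.strip_group:
        out += policy.group_delimiter + group
    if realm is not None and not policy.strip_realm:
        out += "@" + realm
    return out


def strip_matrix(full: str, group_delimiter: str = "#") -> Dict[str, str]:
    """Show all four combinations of the two commands for one login string."""
    combos = {
        "default (no strip)": StripPolicy(False, False, group_delimiter),
        "strip-realm": StripPolicy(True, False, group_delimiter),
        "strip-group": StripPolicy(False, True, group_delimiter),
        "strip-realm + strip-group": StripPolicy(True, True, group_delimiter),
    }
    return {label: username_for_aaa(full, pol) for label, pol in combos.items()}


if __name__ == "__main__":
    # Constructed sample logins; none of these are real accounts.
    for login in ("alice", "alice@corp.example", "alice#vpn-users",
                  "alice#vpn-users@corp.example"):
        print(login)
        for label, sent in strip_matrix(login).items():
            print(f"  {label:26} -> {sent}")
```

The matrix makes the guide's last sentence concrete: with both qualifiers stripped, alice@corp.example and alice@other.example both reach the AAA server as plain alice, so any distinction between realms has to be enforced elsewhere (for example by mapping each realm to its own connection profile and server group) rather than by the username the server sees.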
