Table Of Contents
Configuring Tunnel Groups, Group Policies, and Users
Overview of Tunnel Groups, Group Policies, and Users
Tunnel Groups
General Tunnel-Group Connection Parameters
IPSec Tunnel-Group Connection Parameters
WebVPN Tunnel-Group Connection Parameters
Configuring Tunnel Groups
Default IPSec Remote Access Tunnel Group Configuration
Configuring IPSec Tunnel-Group General Parameters
Configuring IPSec Remote-Access Tunnel Groups
Specifying a Name and Type for the IPSec Remote Access Tunnel Group
Configuring IPSec Remote-Access Tunnel Group General Attributes
Configuring IPSec Remote-Access Tunnel Group IPSec Attributes
Configuring LAN-to-LAN Tunnel Groups
Default LAN-to-LAN Tunnel Group Configuration
Specifying a Name and Type for a LAN-to-LAN Tunnel Group
Configuring LAN-to-LAN Tunnel Group General Attributes
Configuring LAN-to-LAN IPSec Attributes
Configuring WebVPN Tunnel Groups
Specifying a Name and Type for a WebVPN Tunnel Group
Configuring WebVPN Tunnel-Group General Attributes
Configuring WebVPN Tunnel-Group WebVPN Attributes
Customizing Login Windows for WebVPN Users
Group Policies
Default Group Policy
Configuring Group Policies
Configuring an External Group Policy
Configuring an Internal Group Policy
Configuring Group Policy Attributes
Configuring WINS and DNS Servers
Configuring VPN-Specific Attributes
Configuring Security Attributes
Configuring the Banner Message
Configuring IPSec-UDP Attributes
Configuring Split-Tunneling Attributes
Configuring Domain Attributes for Tunneling
Configuring Attributes for VPN Hardware Clients
Configuring Backup Server Attributes
Configuring Firewall Policies
Configuring Client Access Rules
Configuring Group-Policy WebVPN Attributes
Configuring User Attributes
Viewing the Username Configuration
Configuring Attributes for Specific Users
Setting a User Password and Privilege Level
Configuring User Attributes
Configuring VPN User Attributes
Configuring WebVPN for Specific Users
Configuring Tunnel Groups, Group Policies, and Users
This chapter describes how to configure VPN tunnel groups, group policies, and users. This chapter includes the following sections.
• Overview of Tunnel Groups, Group Policies, and Users
• Configuring Tunnel Groups
• Group Policies
• Configuring User Attributes
In summary, you first configure tunnel groups to set the values for the connection. Then you configure group policies. These set values for users in the aggregate. Then you configure users, which can inherit values from groups and configure certain values on an individual user basis. This chapter describes how and why to configure these entities.
Overview of Tunnel Groups, Group Policies, and Users
Groups and users are core concepts in managing the security of virtual private networks (VPNs) and in configuring the security appliance. They specify attributes that determine user access to and use of the VPN. A group is a collection of users treated as a single entity. Users get their attributes from group policies. Tunnel groups identify the group policy for a specific connection. If you do not assign a particular group policy to a user, the default group policy for the connection applies.
Tunnel groups and group policies simplify system management. To streamline the configuration task, the security appliance provides a default LAN-to-LAN tunnel group, a default remote access tunnel group, a default WebVPN tunnel group, and a default group policy (DfltGrpPolicy). The default tunnel groups and group policy provide settings that are likely to be common for many users. As you add users, you can specify that they "inherit" parameters from a group policy. Thus you can quickly configure VPN access for large numbers of users.
If you decide to grant identical rights to all VPN users, then you do not need to configure specific tunnel groups or group policies, but VPNs seldom work that way. For example, you might allow a finance group to access one part of a private network, a customer support group to access another part, and an MIS group to access other parts. In addition, you might allow specific users within MIS to access systems that other MIS users cannot access. Tunnel groups and group policies provide the flexibility to do so securely.
Note
The security appliance also includes the concept of object groups, which are a superset of network lists. Object groups let you define VPN access to ports as well as networks. Object groups relate to ACLs rather than to group policies and tunnel groups. For more information about using object groups, see "Identifying Traffic with Access Lists."
Tunnel Groups
A tunnel group consists of a set of records that determines tunnel connection policies. These records identify the servers to which the tunnel user is authenticated, as well as the accounting servers, if any, to which connection information is sent. They also identify a default group policy for the connection, and they contain protocol-specific connection parameters. Tunnel groups include a small number of attributes that pertain to creating the tunnel itself. Tunnel groups include a pointer to a group policy that defines user-oriented attributes.
The security appliance provides the following default tunnel groups: DefaultL2LGroup for LAN-to-LAN connections, DefaultRAGroup for remote access connections, and DefaultWEBVPNGroup for WebVPN connections. You can modify these default tunnel groups, but you cannot delete them. You can also create one or more tunnel groups specific to your environment. Tunnel groups are local to the security appliance and are not configurable on external servers.
Tunnel groups specify the following attributes:
• General Tunnel-Group Connection Parameters
• IPSec Tunnel-Group Connection Parameters
• WebVPN Tunnel-Group Connection Parameters
General Tunnel-Group Connection Parameters
General parameters are common to both IPSec and WebVPN connections. The general parameters include the following:
• Tunnel group name—You specify a tunnel-group name when you add or edit a tunnel group. The following considerations apply:
– For clients that use preshared keys to authenticate, the tunnel group name is the same as the group name that an IPSec client passes to the security appliance.
– Clients that use certificates to authenticate pass this name as part of the certificate, and the security appliance extracts the name from the certificate.
• Connection type—Connection types include IPSec remote access, IPSec LAN-to-LAN, and WebVPN. A tunnel group can have only one connection type.
• Authentication, Authorization, and Accounting servers—These parameters identify the server groups or lists that the security appliance uses for the following purposes:
– Authenticating users
– Obtaining information about services users are authorized to access
– Storing accounting records
A server group can consist of one or more servers.
• Default group policy for the connection—A group policy is a set of user-oriented attributes. The default group policy is the group policy whose attributes the security appliance uses as defaults when authenticating or authorizing a tunnel user.
• Client address assignment method—This method includes values for one or more DHCP servers or address pools that the security appliance assigns to clients.
• Override account disabled—This parameter lets you override the "account-disabled" indicator received from a AAA server.
• Password management—This parameter lets you warn a user that the current password is due to expire in a specified number of days (the default is 14 days), then offer the user the opportunity to change the password.
• Strip group and strip realm—These parameters direct the way the security appliance processes the usernames it receives. They apply only to usernames received in the form user@realm. A realm is an administrative domain appended to a username with the @ delimiter (user@abc).
When you specify the strip-group command, the security appliance selects the tunnel group for user connections by obtaining the group name from the username presented by the VPN client. The security appliance then sends only the user part of the username for authorization/authentication. Otherwise (if disabled), the security appliance sends the entire username, including the realm.
Strip-realm processing removes the realm from the username when sending the username to the authentication or authorization server. If the command is enabled, the security appliance sends only the user part of the username for authorization/authentication. Otherwise, the security appliance sends the entire username.
• Authorization required—This parameter lets you require authorization before user access or turn off that requirement.
• Authorization DN attributes—This parameter specifies which Distinguished Name attributes to use when performing authorization.
IPSec Tunnel-Group Connection Parameters
IPSec parameters include the following:
• A client authentication method: preshared keys, certificates, or both.
– For IKE connections based on preshared keys, the alphanumeric key itself (up to 128 characters long), associated with the connection policy.
– Peer-ID validation requirement—This parameter specifies whether to require validating the identity of the peer using the peer's certificate.
• ISAKMP (IKE) keepalive settings. This feature lets the security appliance monitor the continued presence of a remote peer and report its own presence to that peer. If the peer becomes unresponsive, the security appliance removes the connection. Enabling IKE keepalives prevents hung connections when the IKE peer loses connectivity.
There are various forms of IKE keepalives. For this feature to work, both the security appliance and its remote peer must support a common form. This feature works with the following peers:
– Cisco VPN client (Release 3.0 and above)
– Cisco VPN 3000 Client (Release 2.x)
– Cisco VPN 3002 Hardware Client
– Cisco VPN 3000 Series Concentrators
– Cisco IOS software
– Cisco Secure PIX Firewall
Non-Cisco VPN clients do not support IKE keepalives.
If you are configuring a group of mixed peers, and some of those peers support IKE keepalives and others do not, enable IKE keepalives for the entire group. The feature does not affect the peers that do not support it.
If you disable IKE keepalives, connections with unresponsive peers remain active until they time out, so we recommend that you keep your idle timeout short. To change your idle timeout, see the "Configuring Group Policies" section.
Note
To reduce connectivity costs, disable IKE keepalives if this group includes any clients connecting via ISDN lines. ISDN connections normally disconnect if idle, but the IKE keepalive mechanism prevents connections from idling and therefore from disconnecting.
If you do disable IKE keepalives, the client disconnects only when either its IKE or IPSec keys expire. Failed traffic does not disconnect the tunnel with the Peer Timeout Profile values as it does when IKE keepalives are enabled.
Note
If you have a LAN-to-LAN configuration using IKE main mode, make sure that the two peers have the same IKE keepalive configuration. Both peers must have IKE keepalives enabled or both peers must have it disabled.
• If you configure authentication using digital certificates, you can specify whether to send the entire certificate chain (which sends the peer the identity certificate and all issuing certificates) or just the issuing certificates (including the root certificate and any subordinate CA certificates).
• You can notify users who are using outdated versions of Windows client software that they need to update their client, and you can provide a mechanism for them to get the updated client version. For VPN 3002 hardware client users, you can trigger an automatic update. You can configure and change the client-update, either for all tunnel groups or for particular tunnel groups.
• If you configure authentication using digital certificates, you can specify the name of the trustpoint that identifies the certificate to send to the IKE peer.
WebVPN Tunnel-Group Connection Parameters
The following attributes are specific to WebVPN connections:
• The authentication method, either AAA or certificate.
• The name of the customization to apply. Customizations determine the appearance of the windows that the user sees upon login. You configure the customization parameters as part of configuring WebVPN.
• The DNS server-group name. The DNS server group specifies the DNS server name, domain name, name server, number of retries, and timeout values for a DNS server to use for a tunnel group.
• One or more group aliases; these are alternate names by which the server can refer to a tunnel group. At login, the user selects the group name from a dropdown menu.
• One or more group URLs. If you configure this parameter, users coming in on a specified URL need not select a group at login.
• A group policy that grants a WebVPN user access rights that are different from the default group policy.
• The name of the NetBIOS Name Service server (nbns-server) to use for CIFS name resolution.
Configuring Tunnel Groups
The following sections describe the contents and configuration of tunnel groups:
• Default IPSec Remote Access Tunnel Group Configuration
• Configuring IPSec Tunnel-Group General Parameters
• Configuring IPSec Remote-Access Tunnel Groups
• Configuring LAN-to-LAN Tunnel Groups
• Configuring WebVPN Tunnel Groups
• Customizing Login Windows for WebVPN Users
You can modify the default tunnel groups, and you can configure a new tunnel group as any of the three tunnel-group types. If you don't explicitly configure an attribute in a tunnel group, that attribute gets its value from the default tunnel group. The default tunnel-group type is ipsec-ra. The subsequent parameters depend upon your choice of tunnel type. To see the current configured and default configuration of all your tunnel groups, including the default tunnel group, enter the show running-config all tunnel-group command.
Default IPSec Remote Access Tunnel Group Configuration
The contents of the default remote-access tunnel group are as follows:
tunnel-group DefaultRAGroup general-attributes
authentication-server-group LOCAL
no authorization-server-group
no accounting-server-group
default-group-policy DfltGrpPolicy
password-management password-expire-in-days 14
no override-account-disable
no authorization-required
authorization-dn-attributes CN OU
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 300 retry 2
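The inheritance rule stated above (an attribute a tunnel group does not set explicitly takes its value from the default tunnel group) can be checked mechanically. The following Python is an added example, not Cisco code or command output: it parses the default configuration listed above together with a constructed TunnelGroup1 block (its group name, server-group name and key are sample values) and resolves the effective attributes the way you would when reading show running-config all tunnel-group.

```python
# Added example: models tunnel-group attribute inheritance from the default
# tunnel group. Not Cisco code; the parser understands only the block form
# shown on this page (tunnel-group <name> type|general-attributes|ipsec-attributes).

# Default remote-access tunnel group, as listed above.
DEFAULT_RA_CONFIG = """\
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group LOCAL
 no authorization-server-group
 no accounting-server-group
 default-group-policy DfltGrpPolicy
 password-management password-expire-in-days 14
 no override-account-disable
 no authorization-required
 authorization-dn-attributes CN OU
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 300 retry 2
"""

# Constructed custom group: it sets a few attributes and inherits the rest.
# The server-group name "RadiusGroup" is a sample value, not from the page.
CUSTOM_CONFIG = """\
tunnel-group TunnelGroup1 type ipsec-ra
tunnel-group TunnelGroup1 general-attributes
 authentication-server-group RadiusGroup LOCAL
 authorization-required
tunnel-group TunnelGroup1 ipsec-attributes
 pre-shared-key xyzx
 isakmp keepalive threshold 15 retry 10
"""

SECTIONS = ("general-attributes", "ipsec-attributes")


def parse_tunnel_groups(text):
    """Return {group: {"type": str|None, section: {attribute: value}}}.

    An attribute with no arguments is stored as True; 'no <attribute>' is
    stored as None so that an explicit 'no' still overrides the default.
    """
    groups = {}
    section = None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "tunnel-group":
            name = words[1]
            group = groups.setdefault(
                name, {"type": None, **{s: {} for s in SECTIONS}})
            if words[2] == "type":
                group["type"] = words[3]
                section = None
            elif words[2] in SECTIONS:
                section = group[words[2]]
            else:
                raise ValueError(f"unknown tunnel-group keyword: {raw}")
            continue
        if section is None:
            raise ValueError(f"attribute outside a tunnel-group block: {raw}")
        if words[0] == "no":
            section[words[1]] = None
        else:
            section[words[0]] = " ".join(words[1:]) or True
    return groups


def effective_attributes(groups, name, default="DefaultRAGroup"):
    """Overlay a group's explicit settings on the default group's settings.

    Returns {section: {attribute: value}} with every attribute resolved,
    which is what the security appliance applies to a connection.
    """
    resolved = {}
    for sec in SECTIONS:
        merged = dict(groups[default][sec])   # start from the defaults
        merged.update(groups[name][sec])      # explicit settings win
        resolved[sec] = merged
    return resolved


def inherited_attributes(groups, name, default="DefaultRAGroup"):
    """Names of attributes the group takes unchanged from the default group."""
    inherited = set()
    for sec in SECTIONS:
        inherited |= set(groups[default][sec]) - set(groups[name][sec])
    return inherited


if __name__ == "__main__":
    cfg = parse_tunnel_groups(DEFAULT_RA_CONFIG + CUSTOM_CONFIG)
    for sec, attrs in effective_attributes(cfg, "TunnelGroup1").items():
        print(f"tunnel-group TunnelGroup1 {sec}")
        for attr, val in sorted(attrs.items()):
            prefix = "no " if val is None else ""
            suffix = "" if val in (None, True) else " " + val
            print(f" {prefix}{attr}{suffix}")
```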
Configuring IPSec Tunnel-Group General Parameters
The general parameters are common across more than one tunnel-group type. IPSec remote access and WebVPN tunnels share most of the same general parameters. IPSec LAN-to-LAN tunnels use a subset. Refer to the Cisco Security Appliance Command Reference for complete descriptions of all commands. The following sections describe, in order, how to configure IPSec remote-access tunnel groups, IPSec LAN-to-LAN tunnel groups, and WebVPN tunnel groups.
Configuring IPSec Remote-Access Tunnel Groups
Use an IPSec remote-access tunnel group when setting up a connection between a remote client and a central-site security appliance, using a hardware or software client. To configure an IPSec remote-access tunnel group, first configure the tunnel-group general attributes, then the IPSec remote-access attributes. An IPSec Remote Access VPN tunnel group applies only to remote-access IPSec client connections.
Specifying a Name and Type for the IPSec Remote Access Tunnel Group
Create the tunnel group, specifying its name and type by entering the tunnel-group command. For an IPSec remote-access tunnel, the type is ipsec-ra:
hostname(config)# tunnel-group tunnel_group_name type ipsec-ra
For example, to create an IPSec remote-access tunnel-group named TunnelGroup1, enter the following command:
hostname(config)# tunnel-group TunnelGroup1 type ipsec-ra
Configuring IPSec Remote-Access Tunnel Group General Attributes
To configure or change the tunnel group general attributes, specify the parameters in the following steps.
Step 1
To configure the general attributes, enter tunnel-group general-attributes command, which enters tunnel-group general-attributes configuration mode. The prompt changes to indicate the change in mode.
hostname(config)# tunnel-group tunnel_group_name general-attributes
hostname(config-tunnel-general)#
Step 2
Specify the name of the authentication-server group, if any, to use. If you want to use the LOCAL database for authentication if the specified server group fails, append the keyword LOCAL:
hostname(config-tunnel-general)# authentication-server-group [(interface_name)] groupname
[LOCAL]
hostname(config-tunnel-general)#
You can optionally configure interface-specific authentication by including the name of an interface after the group name. The interface name, which specifies where the IPSec tunnel terminates, must be enclosed in parentheses. The following command configures interface-specific authentication for the interface named test using the server named servergroup1 for authentication:
hostname(config-tunnel-general)# authentication-server-group (test) servergroup1
hostname(config-tunnel-general)#
Step 3
Specify the name of the authorization-server group, if any, to use. When you configure this value, users must exist in the authorization database to connect:
hostname(config-tunnel-general)# authorization-server-group groupname
hostname(config-tunnel-general)#
For example, the following command specifies the use of the authorization-server group FinGroup:
hostname(config-tunnel-general)# authorization-server-group FinGroup
hostname(config-tunnel-general)#
Step 4
Specify the name of the accounting-server group, if any, to use:
hostname(config-tunnel-general)# accounting-server-group groupname
hostname(config-tunnel-general)#
For example, the following command specifies the use of the accounting-server group named comptroller:
hostname(config-tunnel-general)# accounting-server-group comptroller
hostname(config-tunnel-general)#
Step 5
Specify the name of the default group policy:
hostname(config-tunnel-general)# default-group-policy policyname
hostname(config-tunnel-general)#
The following example sets DfltGrpPolicy as the name of the default group policy:
hostname(config-tunnel-general)# default-group-policy DfltGrpPolicy
hostname(config-tunnel-general)#
Step 6
Specify the name or IP address of the DHCP server (up to 10 servers), and the names of the DHCP address pools (up to 6 pools). The defaults are no DHCP server and no address pool.
hostname(config-tunnel-general)# dhcp-server server1 [...server10]
hostname(config-tunnel-general)# address-pool [(interface name)] address_pool1
[...address_pool6]
hostname(config-tunnel-general)#
Note
The interface name must be enclosed in parentheses.
You configure address pools with the ip local pool command in global configuration mode.
Step 7
Specify whether to strip the group or the realm from the username before passing it on to the AAA server. The default is not to strip either the group name or the realm.
hostname(config-tunnel-general)# strip-group
hostname(config-tunnel-general)# strip-realm
hostname(config-tunnel-general)#
A realm is an administrative domain. If you strip the realm, the security appliance uses the username and the group (if present) for authentication. If you strip the group, the security appliance uses the username and the realm (if present) for authentication. Enter the strip-realm command to remove the realm qualifier, and use the strip-group command to remove the group qualifier from the username during authentication. If you remove both qualifiers, authentication is based on the username alone. Otherwise, authentication is based on the full username@realm or username<delimiter>group string. You must specify strip-realm if your server is unable to parse delimiters.
Step 8
Optionally, if your server is a RADIUS, RADIUS with NT, or LDAP server, you can enable password management. This feature, which is enabled by default, warns a user when the current password is about to expire. The default is to begin warning the user 14 days before expiration:
hostname(config-tunnel-general)# password-management
hostname(config-tunnel-general)#
If the server is an LDAP server, you can specify the number of days (0 through 180) before expiration to begin warning the user about the pending expiration:
hostname(config-tunnel-general)# password-management [password-expire-in-days n]
hostname(config-tunnel-general)#
Note
The password-management command, entered in tunnel-group general-attributes configuration mode, replaces the deprecated radius-with-expiry command that was formerly entered in tunnel-group ipsec-attributes mode.
When you configure this command, the security appliance notifies the remote user at login that the user's current password is about to expire or has expired. The security appliance then offers the user the opportunity to change the password. If the current password has not yet expired, the user can still log in using that password. The security appliance ignores this command if RADIUS or LDAP authentication has not been configured.
Note that this does not change the number of days before the password expires, but rather, the number of days ahead of expiration that the security appliance starts warning the user that the password is about to expire.
If you do specify the password-expire-in-days keyword, you must also specify the number of days.
Specifying this command with the number of days set to 0 disables this command. The security appliance does not notify the user of the pending expiration, but the user can change the password after it expires.
Step 9
Optionally, configure the ability to override an account-disabled indicator from a AAA server, by entering the override-account-disable command:
hostname(config-tunnel-general)# override-account-disable
hostname(config-tunnel-general)#
Note
Allowing override-account-disable is a potential security risk.
Step 10
Specify the attribute or attributes to use in deriving a name for an authorization query from a certificate. This attribute specifies what part of the subject DN field to use as the username for authorization:
hostname(config-tunnel-general)# authorization-dn-attributes {primary-attribute [secondary-attribute] | use-entire-name}
hostname(config-tunnel-general)#
For example, the following command specifies the use of the CN attribute as the username for authorization:
hostname(config-tunnel-general)# authorization-dn-attributes CN
hostname(config-tunnel-general)#
The authorization-dn-attributes are C (Country), CN (Common Name), DNQ (DN qualifier), EA (E-mail Address), GENQ (Generational qualifier), GN (Given Name), I (Initials), L (Locality), N (Name), O (Organization), OU (Organizational Unit), SER (Serial Number), SN (Surname), SP (State/Province), T (Title), and UID (User ID).
Step 11
Specify whether to require a successful authorization before allowing a user to connect. The default is not to require authorization.
hostname(config-tunnel-general)# authorization-required
hostname(config-tunnel-general)#
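The strip-group and strip-realm processing described in the overview and in Step 7 above, as an added example (not Cisco code): for each combination of the two commands it shows what username reaches the AAA server and which tunnel group the group qualifier selects, and it flags the case the page warns about, a server that cannot parse delimiters without strip-realm configured. The '@' realm delimiter comes from the page; the '#' group delimiter and the user#group@realm ordering are assumptions made for this example.

```python
# Added example modelling strip-group / strip-realm. Not Cisco code.
# Assumptions: the group delimiter is '#' and a presented username has the
# form user[#group][@realm]; the page itself fixes only '@' as the realm
# delimiter.
from dataclasses import dataclass
from typing import Optional

REALM_DELIMITER = "@"   # from the page: user@realm
GROUP_DELIMITER = "#"   # assumed for this example


@dataclass(frozen=True)
class AAARequest:
    aaa_username: str            # username sent for authentication/authorization
    tunnel_group: Optional[str]  # group selected from the username, if any


def split_username(raw: str):
    """Split 'user#group@realm' into (user, group, realm); absent parts are None."""
    user_part, realm = raw, None
    if REALM_DELIMITER in raw:
        # Split on the last '@' so everything before it is treated as user[#group].
        user_part, realm = raw.rsplit(REALM_DELIMITER, 1)
    user, group = user_part, None
    if GROUP_DELIMITER in user_part:
        user, group = user_part.split(GROUP_DELIMITER, 1)
    return user, group, realm


def process_username(raw: str, strip_group: bool = False,
                     strip_realm: bool = False) -> AAARequest:
    """Apply the two commands to a username presented by a VPN client.

    strip-group: take the group qualifier as the tunnel group and drop it
    from what is sent to AAA. strip-realm: drop the realm from what is sent
    to AAA. With neither command the full string is sent unchanged.
    """
    user, group, realm = split_username(raw)
    sent = user
    if group is not None and not strip_group:
        sent += GROUP_DELIMITER + group
    if realm is not None and not strip_realm:
        sent += REALM_DELIMITER + realm
    selected = group if strip_group else None
    return AAARequest(sent, selected)


def realm_check_fails(server_parses_delimiters: bool, strip_realm: bool) -> bool:
    """True when the page's rule is violated: a server that cannot parse
    delimiters must have strip-realm configured on the tunnel group."""
    return not server_parses_delimiters and not strip_realm


if __name__ == "__main__":
    # Constructed sample username; "finance" stands in for a tunnel-group name.
    for sg in (False, True):
        for sr in (False, True):
            req = process_username("alice#finance@example.com", sg, sr)
            print(f"strip-group={sg!s:5} strip-realm={sr!s:5} -> "
                  f"AAA sees {req.aaa_username!r}, tunnel group {req.tunnel_group}")
```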
Configuring IPSec Remote-Access Tunnel Group IPSec Attributes
To configure the IPSec attributes for a remote-access tunnel group, do the following steps. The following description assumes that you have already created the IPSec remote-access tunnel group. IPSec remote-access tunnel groups have more attributes than IPSec LAN-to-LAN tunnel groups:
Step 1
To specify the attributes of an IPSec remote-access tunnel-group, enter tunnel-group ipsec-attributes mode by entering the following command. The prompt changes to indicate the mode change:
hostname(config)# tunnel-group tunnel-group-name ipsec-attributes
hostname(config-tunnel-ipsec)#
This command enters tunnel-group ipsec-attributes configuration mode, in which you configure the remote-access tunnel-group IPSec attributes.
For example, the following command designates that the tunnel-group ipsec-attributes mode commands that follow pertain to the tunnel group named TG1. Notice that the prompt changes to indicate that you are now in tunnel-group ipsec-attributes mode:
hostname(config)# tunnel-group TG1 type ipsec-ra
hostname(config)# tunnel-group TG1 ipsec-attributes
hostname(config-tunnel-ipsec)#
Step 2
Specify the preshared key to support IKE connections based on preshared keys. For example, the following command specifies the preshared key xyzx to support IKE connections for an IPSec remote access tunnel group:
hostname(config-tunnel-ipsec)# pre-shared-key xyzx
hostname(config-tunnel-ipsec)#
Step 3
Specify whether to validate the identity of the peer using the peer's certificate:
hostname(config-tunnel-ipsec)# peer-id-validate option
hostname(config-tunnel-ipsec)#
The available options are req (required), cert (if supported by certificate), and nocheck (do not check). The default is req.
Step 4
Specify whether to enable sending of a certificate chain. The following command includes the root certificate and any subordinate CA certificates in the transmission:
hostname(config-tunnel-ipsec)# chain
hostname(config-tunnel-ipsec)#
This attribute applies to all IPSec tunnel-group types.
Step 5
Specify the name of a trustpoint that identifies the certificate to be sent to the IKE peer:
hostname(config-tunnel-ipsec)# trust-point trust-point-name
hostname(config-tunnel-ipsec)#
The following command specifies mytrustpoint as the name of the trustpoint that identifies the certificate to be sent to the IKE peer:
hostname(config-tunnel-ipsec)# trust-point mytrustpoint
hostname(config-tunnel-ipsec)#
Step 6
Specify the ISAKMP (IKE) keepalive threshold and the number of retries allowed.
hostname(config-tunnel-ipsec)# isakmp keepalive threshold <number> retry <number>
hostname(config-tunnel-ipsec)#
The threshold parameter specifies the number of seconds (10 through 3600) that the peer is allowed to idle before beginning keepalive monitoring. The retry parameter is the interval (2 through 10 seconds) between retries after a keepalive response has not been received. IKE keepalives are enabled by default. To disable IKE keepalives, enter the no form of the isakmp command.
For example, the following command sets the IKE keepalive threshold value to 15 seconds and sets the retry interval to 10 seconds:
hostname(config-tunnel-ipsec)# isakmp keepalive threshold 15 retry 10
hostname(config-tunnel-ipsec)#
The default value for the threshold parameter is 300 for remote-access and 10 for LAN-to-LAN, and the default value for the retry parameter is 2.
Note
The radius-with-expiry command, formerly configured as part of tunnel-group ipsec-ra configuration, is deprecated. The password-management command, entered in tunnel-group general-attributes mode, replaces it.
Configuring LAN-to-LAN Tunnel Groups
An IPSec LAN-to-LAN VPN tunnel group applies only to LAN-to-LAN IPSec client connections. While many of the parameters that you configure are the same as for IPSec remote-access tunnel groups, LAN-to-LAN tunnels have fewer parameters. To configure a LAN-to-LAN tunnel group, follow the steps in this section.
Default LAN-to-LAN Tunnel Group Configuration
The contents of the default LAN-to-LAN tunnel group are as follows:
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
no accounting-server-group
default-group-policy DfltGrpPolicy
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 10 retry 2
LAN-to-LAN tunnel groups have fewer parameters than remote-access tunnel groups, and most of these are the same for both groups. For your convenience in configuring the connection, they are listed separately here. Any parameters that you do not explicitly configure inherit their values from the default tunnel group.
Specifying a Name and Type for a LAN-to-LAN Tunnel Group
To specify a name and a type for a tunnel group, enter the tunnel-group command, as follows:
hostname(config)# tunnel-group tunnel_group_name type tunnel_type
For a LAN-to-LAN tunnel, the type is ipsec-l2l. For example, to create the LAN-to-LAN tunnel group named docs, enter the following command:
hostname(config)# tunnel-group docs type ipsec-l2l
Configuring LAN-to-LAN Tunnel Group General Attributes
To configure the tunnel group general attributes, do the following steps:
Step 1
Enter tunnel-group general-attributes mode by specifying the general-attributes keyword:
hostname(config)# tunnel-group tunnel-group-name general-attributes
hostname(config-tunnel-general)#
The prompt changes to indicate that you are now in config-general mode, in which you configure the tunnel-group general attributes.
For example, for the tunnel group named docs, enter the following command:
hostname(config)# tunnel-group docs general-attributes
hostname(config-tunnel-general)#
Step 2
Specify the name of the accounting-server group, if any, to use:
hostname(config-tunnel-general)# accounting-server-group groupname
hostname(config-tunnel-general)#
For example, the following command specifies the use of the accounting-server group acctgserv1:
hostname(config-tunnel-general)# accounting-server-group acctgserv1
hostname(config-tunnel-general)#
Step 3
Specify the name of the default group policy:
hostname(config-tunnel-general)# default-group-policy policyname
hostname(config-tunnel-general)#
For example, the following command specifies that the name of the default group policy is MyPolicy:
hostname(config-tunnel-general)# default-group-policy MyPolicy
hostname(config-tunnel-general)#
Configuring LAN-to-LAN IPSec Attributes
To configure the IPSec attributes, do the following steps:
Step 1
To configure the tunnel-group IPSec attributes, enter tunnel-group ipsec-attributes configuration mode by entering the tunnel-group command with the IPSec-attributes keyword.
hostname(config)# tunnel-group tunnel-group-name ipsec-attributes
hostname(config-tunnel-ipsec)#
For example, the following command enters config-ipsec mode so you can configure the parameters for the tunnel group named TG1:
hostname(config)# tunnel-group TG1 ipsec-attributes
hostname(config-tunnel-ipsec)#
The prompt changes to indicate that you are now in tunnel-group ipsec-attributes configuration mode.
Step 2
Specify the preshared key to support IKE connections based on preshared keys.
hostname(config-tunnel-ipsec)# pre-shared-key key
hostname(config-tunnel-ipsec)#
For example, the following command specifies the preshared key xyzx to support IKE connections for an IPSec LAN-to-LAN tunnel group:
hostname(config-tunnel-ipsec)# pre-shared-key xyzx
hostname(config-tunnel-ipsec)#
Step 3
Specify whether to validate the identity of the peer using the peer's certificate:
hostname(config-tunnel-ipsec)# peer-id-validate option
hostname(config-tunnel-ipsec)#
The available options are req (required), cert (if supported by certificate), and nocheck (do not check). The default is req. For example, the following command sets the peer-id-validate option to nocheck:
hostname(config-tunnel-ipsec)# peer-id-validate nocheck
hostname(config-tunnel-ipsec)#
Step 4
Specify whether to enable sending of a certificate chain. This action includes the root certificate and any subordinate CA certificates in the transmission:
hostname(config-tunnel-ipsec)# chain
hostname(config-tunnel-ipsec)#
You can apply this attribute to all tunnel-group types.
Step 5
Specify the name of a trustpoint that identifies the certificate to be sent to the IKE peer:
hostname(config-tunnel-ipsec)# trust-point trust-point-name
hostname(config-tunnel-ipsec)#
For example, the following command sets the trustpoint name to mytrustpoint:
hostname(config-tunnel-ipsec)# trust-point mytrustpoint
hostname(config-tunnel-ipsec)#
You can apply this attribute to all tunnel-group types.
Step 6
Specify the ISAKMP (IKE) keepalive threshold and the number of retries allowed. The threshold parameter specifies the number of seconds (10 through 3600) that the peer is allowed to idle before keepalive monitoring begins. The retry parameter is the interval (2 through 10 seconds) between retries after a keepalive response has not been received. IKE keepalives are enabled by default. To disable IKE keepalives, enter the no form of the isakmp keepalive command:
hostname(config-tunnel-ipsec)# isakmp keepalive threshold number retry number
hostname(config-tunnel-ipsec)#
For example, the following command sets the ISAKMP keepalive threshold to 15 seconds and sets the retry interval to 10 seconds:
hostname(config-tunnel-ipsec)# isakmp keepalive threshold 15 retry 10
hostname(config-tunnel-ipsec)#
For LAN-to-LAN tunnel groups, the default threshold is 10 seconds and the default retry interval is 2 seconds.
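The following listing is added here as a worked example and is not part of the original configuration guide. It brings Steps 1 through 6 together for two LAN-to-LAN tunnel groups, one authenticated with a preshared key and one with certificates. LAN-to-LAN tunnel groups are named for the peer's IP address; the peer addresses 209.165.200.225 and 209.165.201.1, the trustpoint name hq-ca and the key value are assumptions for illustration, not values from the page. The listing is in running-configuration form, so it can be pasted into global configuration mode; lines beginning with ! are comments.

```text
! Added example (not from the original guide): two LAN-to-LAN tunnel groups.
! Peer addresses, the trustpoint name and the key value are assumptions.
!
! Peer 1: authenticated with a preshared key (Steps 1, 2 and 6).
tunnel-group 209.165.200.225 type ipsec-l2l
tunnel-group 209.165.200.225 ipsec-attributes
 ! Step 2: the key must match on both ends; use a long random value and
 ! a different one for every peer. This value is a placeholder.
 pre-shared-key Tq7vR2mX9pLc4Ws8Kd1Fn6Bh3Yj5Zg0A
 ! Step 6: start keepalive probing after 20 idle seconds, retry every 5 seconds.
 isakmp keepalive threshold 20 retry 5
!
! Peer 2: authenticated with certificates issued by the CA in trustpoint hq-ca
! (Steps 1, 3, 4, 5 and 6).
tunnel-group 209.165.201.1 type ipsec-l2l
tunnel-group 209.165.201.1 ipsec-attributes
 ! Step 3: keep the default; the peer's IKE identity must match its certificate.
 peer-id-validate req
 ! Step 4: send the root and subordinate CA certificates along with our own,
 ! so a peer that trusts only the root can still build the chain.
 chain
 ! Step 5: the identity certificate presented to this peer.
 trust-point hq-ca
 isakmp keepalive threshold 20 retry 5
```

The two peers are kept in separate tunnel groups so that each is authenticated one way only; which method IKE actually negotiates is governed by the IKE policy, which is configured outside this section.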
Configuring WebVPN Tunnel Groups
A WebVPN tunnel group applies only to WebVPN connections. The tunnel-group general attributes for WebVPN tunnel groups are the same as those of IPSec remote-access tunnel groups, except that the tunnel-group type is webvpn and the strip-group and strip-realm commands do not apply. You define the WebVPN-specific attributes separately. The following sections describe how to configure WebVPN tunnel groups.
Specifying a Name and Type for a WebVPN Tunnel Group
Create the tunnel group, specifying its name and type, by entering the tunnel-group command in global configuration mode. For a WebVPN tunnel group, the type is webvpn:
hostname(config)# tunnel-group tunnel_group_name type webvpn
For example, to create a WebVPN tunnel-group named TunnelGroup3, enter the following command:
hostname(config)# tunnel-group TunnelGroup3 type webvpn
Configuring WebVPN Tunnel-Group General Attributes
To configure or change the tunnel group general attributes, specify the parameters in the following steps.
Step 1
To configure the general attributes, enter the tunnel-group general-attributes command, which enters tunnel-group general-attributes configuration mode. Note that the prompt changes:
hostname(config)# tunnel-group tunnel_group_name general-attributes
hostname(config-tunnel-general)#
To configure the general attributes for TunnelGroup3, created in the previous section, enter the following command:
hostname(config)# tunnel-group TunnelGroup3 general-attributes
hostname(config-tunnel-general)#
Step 2
Specify the name of the authentication-server group, if any, to use. If you want to use the LOCAL database for authentication if the specified server group fails, append the keyword LOCAL:
hostname(config-tunnel-general)# authentication-server-group groupname [LOCAL]
hostname(config-tunnel-general)#
You can also configure interface-specific authentication by including the name of an interface, enclosed in parentheses, before the group name. The following command configures interface-specific authentication for the interface named test using the server group servergroup1 for authentication:
hostname(config-tunnel-general)# authentication-server-group (test) servergroup1
hostname(config-tunnel-general)#
Step 3
Optionally, specify the name of the authorization-server group, if any, to use. If you are not using authorization, go to Step 6. When you configure this value, users must exist in the authorization database to connect:
hostname(config-tunnel-general)# authorization-server-group groupname
hostname(config-tunnel-general)#
For example, the following command specifies the use of the authorization-server group FinGroup:
hostname(config-tunnel-general)# authorization-server-group FinGroup
hostname(config-tunnel-general)#
Step 4
Specify whether to require a successful authorization before allowing a user to connect. The default is not to require authorization.
hostname(config-tunnel-general)# authorization-required
hostname(config-tunnel-general)#
Step 5
Specify the attribute or attributes to use in deriving a name for an authorization query from a certificate. This attribute specifies what part of the subject DN field to use as the username for authorization:
hostname(config-tunnel-general)# authorization-dn-attributes {primary-attribute [secondary-attribute] | use-entire-name}
hostname(config-tunnel-general)#
For example, the following command specifies the use of the CN attribute as the username for authorization:
hostname(config-tunnel-general)# authorization-dn-attributes CN
hostname(config-tunnel-general)#
The authorization-dn-attributes are C (Country), CN (Common Name), DNQ (DN qualifier), EA (E-mail Address), GENQ (Generational qualifier), GN (Given Name), I (Initials), L (Locality), N (Name), O (Organization), OU (Organizational Unit), SER (Serial Number), SN (Surname), SP (State/Province), T (Title), and UID (User ID).
Step 6
Optionally, specify the name of the accounting-server group, if any, to use. If you are not using accounting, go to Step 7:
hostname(config-tunnel-general)# accounting-server-group groupname
hostname(config-tunnel-general)#
For example, the following command specifies the use of the accounting-server group comptroller:
hostname(config-tunnel-general)# accounting-server-group comptroller
hostname(config-tunnel-general)#
Step 7
Optionally, specify the name of the default group policy. The default value is DfltGrpPolicy:
hostname(config-tunnel-general)# default-group-policy policyname
hostname(config-tunnel-general)#
The following example sets MyDfltGrpPolicy as the name of the default group policy:
hostname(config-tunnel-general)# default-group-policy MyDfltGrpPolicy
hostname(config-tunnel-general)#
Step 8
Optionally, specify the name or IP address of the DHCP server (up to 10 servers), and the names of the DHCP address pools (up to 6 pools). Separate the list items with spaces. The defaults are no DHCP server and no address pool.
hostname(config-tunnel-general)# dhcp-server server1 [...server10]
hostname(config-tunnel-general)# address-pool [(interface name)] address_pool1
[...address_pool6]
hostname(config-tunnel-general)#
Note
The interface name must be enclosed in parentheses.
You configure address pools with the ip local pool command in global configuration mode. See "Configuring IP Addresses for VPNs" for information about configuring address pools.
Step 9
Optionally, if your server is a RADIUS, RADIUS with NT, or LDAP server, you can enable or disable password management. This feature, which is enabled by default, warns a user when the current password is about to expire. The default is to begin warning the user 14 days before expiration:
hostname(config-tunnel-general)# password-management
hostname(config-tunnel-general)#
If the server is an LDAP server, you can specify the number of days before expiration to begin warning the user about the pending expiration.
Note
The password-management command, entered in tunnel-group general-attributes configuration mode replaces the deprecated radius-with-expiry command that was formerly entered in tunnel-group ipsec-attributes configuration mode.
Step 10
Optionally, configure the ability to override an account-disabled indicator from the AAA server, by entering the override-account-disable command. Because this lets users whose accounts the AAA server reports as disabled connect anyway, enable it only deliberately:
hostname(config-tunnel-general)# override-account-disable
hostname(config-tunnel-general)#
Configuring WebVPN Tunnel-Group WebVPN Attributes
To configure the parameters specific to a WebVPN tunnel group, follow the steps in this section.
Step 1
To specify the attributes of a WebVPN tunnel group, enter tunnel-group webvpn-attributes mode by entering the following command. The prompt changes to indicate the mode change:
hostname(config)# tunnel-group tunnel-group-name webvpn-attributes
hostname(config-tunnel-webvpn)#
For example, to specify the webvpn-attributes for the WebVPN tunnel-group named sales, enter the following command:
hostname(config)# tunnel-group sales webvpn-attributes
hostname(config-tunnel-webvpn)#
Step 2
To specify the authentication method to use (AAA, digital certificates, or both), enter the authentication command. You can specify aaa, certificate, or both, in any order.
hostname(config-tunnel-webvpn)# authentication authentication_method
hostname(config-tunnel-webvpn)#
For example, to allow both AAA and certificate authentication, enter the following command:
hostname(config-tunnel-webvpn)# authentication aaa certificate
hostname(config-tunnel-webvpn)#
Step 3
To apply a previously defined web-page customization to change the look-and-feel of the web page that the user sees at login, enter the customization command.
hostname(config-tunnel-webvpn)# customization customization_name
hostname(config-tunnel-webvpn)#
For example, to use the customization named blueborder, enter the following command:
hostname(config-tunnel-webvpn)# customization blueborder
hostname(config-tunnel-webvpn)#
You configure the customization itself in WebVPN mode.
Step 4
WebVPN uses NetBIOS and the CIFS protocol to access or share files on remote systems. When you attempt a file-sharing connection to a Windows computer by using its computer name, the file server you specify corresponds to a specific NetBIOS name that identifies a resource on the network. The security appliance queries NetBIOS name servers (NBNS) to map NetBIOS names to IP addresses, so WebVPN file access requires at least one reachable NBNS server.
To make the NBNS function operational, you must configure at least one NBNS server (host). You can configure up to three NBNS servers for redundancy. The security appliance uses the first server on the list for NetBIOS/CIFS name resolution; if the query fails, it uses the next server.
To specify an NBNS (NetBIOS Name Service) server to use for CIFS name resolution, use the nbns-server command. You can enter up to three server entries. The first server you configure is the primary server, and the others are backups. You can also specify whether the server is a master browser (rather than just a WINS server), the timeout interval, and the number of retries. A WINS server or a master browser is typically on the same network as the security appliance, or reachable from that network. You must specify the timeout interval before the number of retries:
hostname(config-tunnel-webvpn)# nbns-server {host-name | IP_address} [master]
[timeout seconds] [retry number]
hostname(config-tunnel-webvpn)#
For example, to configure the server named nbnsprimary as the primary server and the server 192.168.2.2 as the secondary server, each allowing three retries and having a 5-second timeout, enter the following command:
hostname(config)# name 192.168.2.1 nbnsprimary
hostname(config-tunnel-webvpn)# nbns-server nbnsprimary master timeout 5 retry 3
hostname(config-tunnel-webvpn)# nbns-server 192.168.2.2 timeout 5 retry 3
hostname(config-tunnel-webvpn)#
The timeout interval can range from 1 through 30 seconds (default 2), and the number of retries can be in the range 0 through 10 (default 2).
The nbns-server command in tunnel-group webvpn-attributes configuration mode replaces the deprecated nbns-server command in webvpn configuration mode.
Step 5
To specify alternative names for the group, use the group-alias command. Specifying the group alias creates one or more alternate names by which the user can refer to a tunnel-group. The group alias that you specify here appears in the drop-down list on the user's login page. Each group can have multiple aliases or no alias, each specified in separate commands. This feature is useful when the same group is known by several common names, such as "Devtest" and "QA".
For each group alias, enter a group-alias command. Each alias is enabled by default. You can optionally explicitly enable or disable each alias:
hostname(config-tunnel-webvpn)# group-alias alias [enable | disable]
hostname(config-tunnel-webvpn)#
For example, to enable the aliases QA and Devtest for a tunnel-group named QA, enter the following commands:
hostname(config-tunnel-webvpn)# group-alias QA enable
hostname(config-tunnel-webvpn)# group-alias Devtest enable
hostname(config-tunnel-webvpn)#
Note
The WebVPN tunnel-group-list must be enabled for the (dropdown) group list to appear.
Step 6
To specify incoming URLs or IP addresses for the group, use the group-url command. Specifying a group URL or IP address eliminates the need for the user to select a group at login. When a user logs in, the security appliance looks for the user's incoming URL or address in the tunnel-group-policy table. If it finds the URL or address and if group-url is enabled in the tunnel group, then the security appliance automatically selects the associated tunnel group and presents the user with only the username and password fields in the login window. This simplifies the user interface and has the added advantage of never exposing the list of groups to the user. The login window that the user sees uses the customizations configured for that tunnel group.
If the URL or address is disabled and group-alias is configured, then the dropdown list of groups is also displayed, and the user must make a selection.
You can configure multiple URLs or addresses (or none) for a group. Each URL or address can be enabled or disabled individually. You must use a separate group-url command for each URL or address specified. You must specify the entire URL or address, including either the http or https protocol.
You cannot associate the same URL or address with multiple groups. The security appliance verifies the uniqueness of the URL or address before accepting the URL or address for a tunnel group.
For each group URL or address, enter a group-url command. You can optionally explicitly enable (the default) or disable each URL or address:
hostname(config-tunnel-webvpn)# group-url url [enable | disable]
hostname(config-tunnel-webvpn)#
For example, to enable the group URLs http://www.cisco.com and http://192.168.10.10 for the tunnel-group named RadiusServer, enter the following commands:
hostname(config)# tunnel-group RadiusServer type webvpn
hostname(config)# tunnel-group RadiusServer general-attributes
hostname(config-tunnel-general)# authentication-server-group RADIUS
hostname(config-tunnel-general)# accounting-server-group RADIUS
hostname(config-tunnel-general)# tunnel-group RadiusServer webvpn-attributes
hostname(config-tunnel-webvpn)# group-alias "Cisco Remote Access" enable
hostname(config-tunnel-webvpn)# group-url http://www.cisco.com enable
hostname(config-tunnel-webvpn)# group-url http://192.168.10.10 enable
hostname(config-tunnel-webvpn)#
For a more extensive example, see Customizing Login Windows for WebVPN Users.
Step 7
To specify the DNS server group to use for a WebVPN tunnel group, enter the dns-group command. The name is that of a DNS server group defined with the dns server-group command in global configuration mode. The default value is DefaultDNS:
hostname(config-tunnel-webvpn)# dns-group name
hostname(config-tunnel-webvpn)#
WebVPN uses the servers in that group to resolve hostnames for connections in the tunnel group. For example, to define a DNS server group named server1 containing the server 10.10.10.1 and assign it to the tunnel group, enter the following commands:
hostname(config)# dns server-group server1
hostname(config-dns-server-group)# name-server 10.10.10.1
hostname(config-tunnel-webvpn)# dns-group server1
hostname(config-tunnel-webvpn)#
Step 8
(Optional) To specify a VPN feature policy if you use the Cisco Secure Desktop Manager to set the Group-Based Policy attribute to "Use Failure Group-Policy" or "Use Success Group-Policy, if criteria match," use the hic-fail-group-policy command. The default value is DfltGrpPolicy.
hostname(config-tunnel-webvpn)# hic-fail-group-policy name
hostname(config-tunnel-webvpn)#
name is the name of a group policy created for a WebVPN tunnel group.
This policy is an alternative group policy to differentiate access rights for the following CSD clients:
• Clients that match a CSD location entry set to "Use Failure Group-Policy."
• Clients that match a CSD location entry set to "Use Success Group-Policy, if criteria match," and then fail to match the configured Group-Based Policy criteria. For more information, see the Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators.
The following example specifies an alternative group policy named group2:
hostname(config-tunnel-webvpn)# hic-fail-group-policy group2
hostname(config-tunnel-webvpn)#
Note
The security appliance does not use this attribute if you set the VPN feature policy to "Always use Success Group-Policy."
For more information, see the Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators.
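The following listing is added as a worked example and is not part of the original guide. It assembles the general attributes from the previous section (Steps 1 through 10) and the WebVPN attributes above (Steps 1 through 8) into one WebVPN tunnel group. The AAA server groups RadiusGrp and LdapGrp, the group policies SalesPolicy and Restricted, the pool, the NBNS and DNS addresses, the customization name and the hostname vpn.example.com are assumptions; the aaa-server and group-policy definitions are covered elsewhere and are not shown. The listing is in running-configuration form; lines beginning with ! are comments.

```text
! Added example (not from the original guide). Server groups, group policies,
! pools, addresses and names are assumptions; the aaa-server groups and
! group policies are defined elsewhere.
!
! Address pool handed to clients (see "Configuring IP Addresses for VPNs").
ip local pool SalesPool 10.20.30.10-10.20.30.250 mask 255.255.255.0
!
! DNS server group referenced by dns-group below.
dns server-group CorpDNS
 name-server 10.10.10.1
 name-server 10.10.10.2
!
tunnel-group Sales type webvpn
tunnel-group Sales general-attributes
 ! Step 2: authenticate against RADIUS; fall back to LOCAL only if the group fails.
 authentication-server-group RadiusGrp LOCAL
 ! Steps 3-5: authorize against LDAP. A user absent from LDAP cannot connect,
 ! and certificate users are looked up by the CN (then OU) of their subject DN.
 authorization-server-group LdapGrp
 authorization-required
 authorization-dn-attributes CN OU
 ! Step 6: accounting records go to the RADIUS group.
 accounting-server-group RadiusGrp
 ! Step 7: group policy applied when AAA does not return one.
 default-group-policy SalesPolicy
 ! Step 8: pool for clients that need an inside address.
 address-pool SalesPool
 ! Step 9: warn about expiring passwords (LDAP). Step 10, override-account-disable,
 ! is deliberately left off so that accounts disabled on the server stay disabled.
 password-management
tunnel-group Sales webvpn-attributes
 ! Step 2: both a certificate and AAA credentials are required.
 authentication aaa certificate
 ! Step 3: look-and-feel defined beforehand in webvpn mode.
 customization salesgui
 ! Step 4: NBNS servers for CIFS name resolution; the first entry is primary.
 nbns-server 192.168.2.1 master timeout 5 retry 3
 nbns-server 192.168.2.2 timeout 5 retry 3
 ! Step 5: name shown in the login-page drop-down list.
 group-alias Sales enable
 ! Step 6: users who arrive on this URL skip the drop-down entirely.
 group-url https://vpn.example.com/sales enable
 ! Step 7: the DNS server group defined above.
 dns-group CorpDNS
 ! Step 8: policy for clients that fail the Cisco Secure Desktop checks.
 hic-fail-group-policy Restricted
!
! The drop-down populated by group-alias appears only when the list is enabled.
webvpn
 tunnel-group-list enable
```

Pairing authentication aaa certificate with authorization-required means a stolen password alone or a certificate alone is not enough to connect, and a user removed from the LDAP authorization database is cut off even if RADIUS still accepts the credentials.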
Customizing Login Windows for WebVPN Users
You can set up different login windows for different groups by using a combination of customization profiles and tunnel groups. For example, assuming that you had created a customization profile called salesgui, you can create a WebVPN tunnel group called sales that uses that customization profile, as the following example shows:
Step 1
In webvpn mode, define a WebVPN customization, in this case named salesgui, and change the default logo to mycompanylogo.gif. You must have previously loaded mycompanylogo.gif onto the flash memory of the security appliance and saved the configuration. See the WebVPN chapter for details.
hostname(config-webvpn)# customization salesgui
hostname(config-webvpn-custom)# logo file disk0:/mycompanylogo.gif
hostname(config-webvpn-custom)#
Step 2
In global configuration mode, set up a username and associate with it the WebVPN customization you have just defined:
hostname(config)# username seller attributes
hostname(config-username)# webvpn
hostname(config-username-webvpn)# customization value salesgui
hostname(config-username-webvpn)# exit
hostname(config-username)# exit
Step 3
In global configuration mode, create a WebVPN tunnel group named sales:
hostname(config)# tunnel-group sales type webvpn
hostname(config)#
Step 4
Specify that you want to use the salesgui customization for this tunnel group:
hostname(config)# tunnel-group sales webvpn-attributes
hostname(config-tunnel-webvpn)# customization salesgui
Step 5 