VPN 3000 Series Concentrator Reference Volume I: Configuration, Release 4.7
General

Table Of Contents

General

Configuration | System | General

Identification

Screen Elements

Time and Date

Screen Elements

Sessions

Maximum Active Sessions: WebVPN or IPSec, PPTP and L2TP/IPSec

Ratios of Sessions: WebVPN to IPSec, PPTP and L2TP/IPSec

Screen Elements

Global Authentication Parameters

Screen Elements

Groups and Realms

Groups

Realms

Strip Realm and Group Lookup

Usernames with Groups and Realms Summary

Associating Users with Different Groups for Authentication


General


General configuration parameters include VPN 3000 Concentrator environment items: system identification, time, and date.

Configuration | System | General

This section of the Manager lets you configure general VPN Concentrator parameters.

Identification: System name, contact person, system location.

Time and Date: System time and date.

Sessions: The maximum number of sessions.

Global Authentication Parameters: General authentication parameters.

Figure 10-1 Configuration | System | General Screen

Identification

This screen lets you configure system identification parameters that are stored in the standard MIB-II system object. Network management systems using SNMP can retrieve this object and identify the system. Configuring this information is optional.

Figure 10-2 Configuration | System | General | Identification Screen

Screen Elements

System Name — Enter a system name that uniquely identifies this VPN Concentrator on your network, for example: VPN01. The maximum name length is 255 characters.

Contact — Enter the name of the contact person who is responsible for this VPN Concentrator. The maximum name length is 255 characters.

Location — Enter the location of this VPN Concentrator. The maximum length is 255 characters.

Reminder:

After you apply changes, the Manager returns to the Configuration | System | General screen. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Time and Date

This screen lets you set the time and date on the VPN Concentrator. Setting the correct time is very important so that logging and accounting information is accurate.

Figure 10-3 Configuration | System | General | Time and Date Screen

Screen Elements

Current Time — The screen shows the current date and time on the VPN Concentrator at the time the screen displays. You can refresh this by redisplaying the screen.

New Time — The values in the New Time fields are the time and date on the browser PC at the time the screen displays. Any entries you make apply to the VPN Concentrator, however.

In the appropriate fields, make any changes. The fields are, in order: Hour : Minute : Second   Month / Day / Year   Time Zone. Click the drop-down menu buttons to select Month and Time Zone.

The time is military time; that is, it is based on a twenty-four hour clock. (For example, 1:00 PM is 13:00:00.)

The time zone selections are offset relative to GMT (Greenwich Mean Time), which is the basis for Internet time synchronization.

Enter the Year as a four-digit number.

Enable DST Support — To enable DST support, check this box. During DST (Daylight-Saving Time), clocks are set one hour ahead of standard time. Enabling DST support means that the VPN Concentrator automatically adjusts the time zone for DST or standard time. If your system is in a time zone that uses DST, you must enable DST support.

Reminder:

After you apply changes, the Manager returns to the Configuration | System | General screen. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Sessions

The VPN Concentrator supports IPSec, PPTP, L2TP/IPSec, and WebVPN sessions, either singly or in combination. This screen lets you limit the number of simultaneous active sessions to fewer sessions than the VPN Concentrator could potentially support. For session limits, the VPN Concentrator treats IPSec, PPTP, and L2TP/IPSec sessions together: the Maximum Active Sessions parameter applies to them, and the Maximum Active WebVPN Sessions parameter applies to WebVPN sessions.

While it might seem intuitive that lowering the maximum number of one type of session would let the VPN Concentrator support more of the other, that is not how the VPN Concentrator works. Artificially lowering the number of active sessions of either type in fact lowers the capacity of the VPN Concentrator to support both types of sessions. The sections that follow provide examples.

Maximum Active Sessions: WebVPN or IPSec, PPTP and L2TP/IPSec

WebVPN sessions require significantly more VPN Concentrator resources than the other types; therefore, Table 10-1 lists them separately. It is important to recognize this difference when you configure a mixture of WebVPN and other types of secure sessions.

The VPN Concentrator hardware determines the maximum number of sessions supported, which therefore depends on the model. Table 10-1 lists the maximum number of concurrently active WebVPN sessions or IPSec, PPTP, and L2TP/IPSec sessions that each model of the VPN Concentrator permits.

Table 10-1 provides information on WebVPN session limits and throughput by platform. These numbers are based on standard capacity and performance tests that measure the VPN 3000 Concentrator's retrieval of real web pages using WebVPN. Cisco used the following criteria to conduct these performance tests:

A WebVPN session represents a single, logged-on TLS V1 WebVPN user encrypted with 3DES.

Each user retrieves a web page at up to every 60 seconds.

Users log in at the rate of one/second and pass data for the duration of the test.

The benchmarked, average retrieval time for the web page is less than or equal to 5 seconds.

The contents of the web page tested include: plain text, .gif files, .jpg files, URLs, and Javascript files.

Table 10-1 Maximum WebVPN or IPSec, PPTP, and L2TP Sessions

| VPN Concentrator Model | MB Memory | WebVPN Sessions (No Other Sessions) (Default = Maximum) | IPSec, PPTP & L2TP Sessions (No WebVPN Sessions) (Default = Maximum) | Throughput (Mbps) [1] |
|---|---|---|---|---|
| 3005 | 32 | 10 | 100 | 1 |
| 3005 | 64 | 50 | 200 | 1 |
| 3015 | 128 | 75 | 100 | 1.5 |
| 3020 with SEP-E | 256 | 200 | 750 | 9 |
| 3020 with SEP-E | 512 | 200 | 750 | 9 |
| 3030 with SEP-E | 128 | 100 | 1,500 | 9 |
| 3030 with SEP-E | 256 | 200 | 1,500 | 9 |
| 3030 with SEP-E | 512 | 500 | 1,500 | 9 |
| 3060 with SEP-E | 256 | 200 | 5,000 | 10.3 |
| 3060 with SEP-E | 512 | 500 | 5,000 | 10.3 |
| 3080 with SEP-E | 256 | 200 | 10,000 | 10.3 |
| 3080 with SEP-E | 512 | 500 | 10,000 | 10.3 |

[1] These throughput numbers reflect performance measured with web pages that force the VPN Concentrator to do a lot of processing. The throughput rate with binary data files, or with files that require less inspection and processing, is approximately twice the throughput listed in this column.


Ratios of Sessions: WebVPN to IPSec, PPTP and L2TP/IPSec

The values for maximum active sessions in Table 10-1 imply a ratio of WebVPN to IPSec, PPTP and L2TP/IPSec sessions for each platform. You can use these ratios to plan and administer your network for VPN use.

Be aware that if you change the values for either of the Maximum Sessions parameters, you change the ratio for WebVPN to other sessions on the VPN Concentrator.

Table 10-2 provides examples of how the Maximum Session and Maximum WebVPN Sessions parameters interact for a VPN 3030 Concentrator with maximum memory and SEP-Es.

Table 10-2 Maximum Active Sessions Examples

| Platform | Max Active Sessions (IPSec, PPTP, L2TP) setting | Max Active WebVPN Sessions setting | Ratio (WebVPN : Other sessions) | Example (WebVPN : Other sessions) | Example (Other sessions : WebVPN sessions) |
|---|---|---|---|---|---|
| VPN 3030 with SEP-E and 512 MB memory | 1,500 (default) | 500 (default) | 1:3 | 50 active WebVPN sessions permits up to 1350 IPSec sessions | 1200 active IPSec sessions permits up to 100 WebVPN sessions |
| VPN 3030 with SEP-E and 512 MB memory | 800 | 100 | 1:8 | 50 active WebVPN sessions permits up to 400 IPSec sessions | 300 active IPSec sessions permits up to 62 WebVPN sessions |
| VPN 3030 with SEP-E and 512 MB memory | 1,500 | 50 | 1:30 | 10 active WebVPN sessions permits up to 1200 IPSec sessions | 800 active IPSec sessions permits up to 23 WebVPN sessions |
| VPN 3030 with SEP-E and 512 MB memory | 1,200 | 50 | 1:24 | 48 active WebVPN sessions permits up to 48 IPSec sessions | 800 active IPSec sessions permits up to 16 WebVPN sessions |
| VPN 3030 with SEP-E and 512 MB memory | 1,200 | 50 | 1:24 | 50 active WebVPN sessions permits zero IPSec sessions | 1200 active IPSec sessions permits zero WebVPN sessions |


When the number of active sessions reaches the configured value, the VPN Concentrator permits no further sessions of any type.
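The arithmetic behind Table 10-2, as an added example (not Cisco code): the two Maximum Sessions settings fix a ratio, each active WebVPN session consumes that many units of the IPSec/PPTP/L2TP pool, and integer division reproduces the rounded-down values in the table. The VPN 3030 limits below are the Table 10-1 defaults and the lowered settings Table 10-2 walks through.

```python
"""Session-limit arithmetic behind Table 10-2 (added example, not Cisco code).

Models the documented rule that the Maximum Active Sessions and Maximum
Active WebVPN Sessions settings fix a ratio, and that lowering either setting
lowers the capacity available to both session types.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SessionLimits:
    max_other: int   # Maximum Active Sessions (IPSec, PPTP, L2TP/IPSec)
    max_webvpn: int  # Maximum Active WebVPN Sessions

    def ratio(self) -> str:
        """Table 10-2 'Ratio' column, WebVPN : other sessions."""
        return f"1:{self.max_other // self.max_webvpn}"

    def other_available(self, active_webvpn: int) -> int:
        """IPSec/PPTP/L2TP sessions still admissible given the active WebVPN count."""
        if not 0 <= active_webvpn <= self.max_webvpn:
            raise ValueError("active WebVPN sessions outside configured limit")
        consumed = active_webvpn * self.max_other // self.max_webvpn
        return self.max_other - consumed

    def webvpn_available(self, active_other: int) -> int:
        """WebVPN sessions still admissible given the active IPSec/PPTP/L2TP count."""
        if not 0 <= active_other <= self.max_other:
            raise ValueError("active sessions outside configured limit")
        return (self.max_other - active_other) * self.max_webvpn // self.max_other

    def at_capacity(self, active_other: int, active_webvpn: int) -> bool:
        """True once the Concentrator permits no further session of any type."""
        return self.other_available(active_webvpn) <= active_other


# VPN 3030 with SEP-E and 512 MB: Table 10-1 defaults, then the lowered
# settings from the last rows of Table 10-2.
VPN3030_DEFAULT = SessionLimits(max_other=1500, max_webvpn=500)
VPN3030_LOWERED = SessionLimits(max_other=1200, max_webvpn=50)


def compare_capacity(active_other: int) -> dict:
    """WebVPN headroom for the same IPSec load under default and lowered limits."""
    return {
        "default": VPN3030_DEFAULT.webvpn_available(active_other),
        "lowered": VPN3030_LOWERED.webvpn_available(active_other),
    }


if __name__ == "__main__":
    for limits in (VPN3030_DEFAULT, VPN3030_LOWERED):
        print(limits.ratio(), limits.other_available(50), limits.webvpn_available(800))
    print(compare_capacity(800))
```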

Figure 10-4 Configuration | System | General | Sessions Screen

Screen Elements

Maximum Active Sessions — The maximum number of concurrently active IPSec, PPTP, and L2TP/IPSec sessions permitted on this VPN Concentrator. The value that displays in this field by default is the maximum number, and Cisco recommends that you accept this value. This parameter lets you limit that number to fewer sessions.

Be aware that when the number of sessions reaches the value set, the VPN Concentrator permits no further sessions of any type. For example, if you set the maximum number of IPSec sessions on a VPN 3005 at 50, with 50 active IPSec sessions, the VPN Concentrator cannot accept even one WebVPN session, or any additional IPSec, PPTP or L2TP/IPSec sessions.


Note If you reduce the number of SEPs on the VPN Concentrator while the Concentrator is powered off, and if the new maximum allowed for the model is less than the configured value, when you next turn the VPN Concentrator on, the Maximum Active Sessions parameter is automatically reset to the new maximum for the model.

If you increase the number of SEPs on the VPN Concentrator, you must change the Maximum Active Sessions parameter manually.


Maximum Active WebVPN Sessions — The maximum number of concurrently active WebVPN sessions permitted on this VPN Concentrator. The value that displays in this field by default is the maximum number, and Cisco recommends that you accept this value. This parameter lets you limit that number to fewer sessions.

Be aware that when the number of sessions reaches the value set, the VPN Concentrator permits no further sessions of any type. For example, if you set the maximum number of WebVPN sessions on a VPN 3060 to 95, with 95 active WebVPN sessions, the VPN Concentrator cannot accept even one IPSec session, or any additional WebVPN sessions.

Global Authentication Parameters

By default, the VPN Concentrator authenticates both software clients and VPN 3002 hardware clients on the basis of their username. For a client to connect, you enter a string of characters (in a username field) as identification.

The group lookup feature allows clients to be authenticated on the basis of a group in addition to their username. If this feature is enabled, the VPN Concentrator checks the identification string to see if it contains the configured group delimiter. If the string does contain the configured group delimiter, the VPN Concentrator interprets the characters to the right of the delimiter as the group name. It then authenticates the user on the basis of the tunnel group and applies the parameters of the specified group to the user.

For example, if the user enters the string "JaneDoe#Cisco", the VPN Concentrator interprets JaneDoe as the user, # as the delimiter, and Cisco as the group. It authenticates the user "JaneDoe" on the basis of the tunnel group and applies the Cisco group parameters.

If the string does not contain a group delimiter, the VPN Concentrator considers the entire string to be the username. It validates users on the basis of the username alone, and applies the parameters of the tunnel group to the user.

Figure 10-5 Configuration | System | General | Global Authentication Parameters Screen

Screen Elements

Enable Group Lookup — Check this box to enable user authentication on the basis of both username and group name. Uncheck the box to disable group lookup.

Group Delimiter — If you checked the Enable Group Lookup box, click the Group Delimiter drop-down menu and choose one of the following characters to separate the username from the group name in the authentication string: @, #, or !. The default delimiter is: @.


Note If you are using the Group Lookup feature and Strip Realm, do not use the @ character for the group delimiter. See the section below, "Strip Realm and Group Lookup," for a full explanation of how the VPN Concentrator interprets delimiters for realms and groups.


Strip Group — Check this box to remove the group name from the username during authentication. This option is meaningful only when you have also checked the Enable Group Lookup box.

You can configure authentication on the basis of username alone by unchecking the Enable Group Lookup box. Checking both the Enable Group Lookup box and Strip Group lets you maintain a database of users with group names appended on your AAA server, and at the same time authenticate users on the basis of their username alone.

Groups and Realms

You can associate users with groups and realms in the following combinations.

Groups

When you append a group name to a username using a delimiter, and enable Group Lookup, the VPN Concentrator interprets all characters to the left of the delimiter as the username, and those to the right as the group name. Valid group delimiters are the @, #, and ! characters, with the @ character as the default for Group Lookup. You append the group to the username in the format username<delimiter>group, the possibilities being, for example, JaneDoe@VPNGroup, JaneDoe#VPNGroup, and JaneDoe!VPNGroup.

Realms

A realm is an administrative domain. You can append the realm name to the username for AAA (authentication, authorization, and accounting). The only valid delimiter for a realm is the @ character. The format is username@realm, for example, JaneDoe@it.cisco.com.

Kerberos Realms

A Kerberos realm is a special case. The convention in naming a Kerberos realm is to capitalize the DNS domain name associated with the hosts in the Kerberos realm. For example, if users are in the it.cisco.com domain, you might call your Kerberos realm IT.CISCO.COM.


Note You can append both the realm and the group to a username, in which case the VPN Concentrator uses the parameters configured for the group and for the realm for AAA functions. The format for this option is username[@realm][<# or !>group], for example, JaneDoe@it.cisco.com#VPNGroup. If you choose this option, you must use either the # or ! character for the group delimiter, because the Concentrator cannot interpret the @ as a group delimiter if it is also present as the realm delimiter.


Strip Realm and Group Lookup

Group Lookup is configurable globally in the present screen, System | General | Global Authentication Parameters. Strip Realm is configurable on a group basis in the General tab of the User Management | Base Group/Groups screens. If you enable Strip Realm, the VPN Concentrator removes the realm from the username before sending a request to an AAA server.

You can use Strip Realm and Group Lookup simultaneously to have the VPN Concentrator ignore the realm and use the values of the group for AAA.

Usernames with Groups and Realms Summary

Table 10-3 shows the credentials the VPN Concentrator uses for authentication according to how you configure a username, strip realm, and group lookup.

Table 10-3 Usernames with Groups and Realms

| Username | Strip Realm Setting (@) | Enable Group Lookup Setting (@, #, or !) | Strip Group Setting | Username for Authentication |
|---|---|---|---|---|
| JaneDoe | No effect | No effect | NA | JaneDoe |
| JaneDoe@cisco.com | Disabled | Disabled | NA | JaneDoe@cisco.com |
| JaneDoe@cisco.com | Disabled | Enabled using @ | Checked | JaneDoe (group = cisco.com) |
| JaneDoe@cisco.com | Disabled | Enabled using @ | Unchecked | JaneDoe@cisco.com (group = cisco.com) |
| JaneDoe@cisco.com | Enabled | Disabled | NA | JaneDoe |
| JaneDoe@cisco.com#VPNGroup | Disabled | Disabled | NA | JaneDoe@cisco.com#VPNGroup |
| JaneDoe@cisco.com#VPNGroup | Enabled | Disabled | NA | JaneDoe |
| JaneDoe@cisco.com#VPNGroup | Disabled | Enabled using # or ! | Checked | JaneDoe@cisco.com (group = VPNGroup) |
| JaneDoe@cisco.com#VPNGroup | Disabled | Enabled using # or ! | Unchecked | JaneDoe@cisco.com#VPNGroup (group = VPNGroup) |
| JaneDoe@cisco.com#VPNGroup (this case is practical only if you have a group that contains the # character) | Enabled | Enabled using # or ! | Checked | JaneDoe (group = VPNGroup) |
| JaneDoe@cisco.com#VPNGroup | Enabled | Enabled using # or ! | Unchecked | JaneDoe#VPNGroup (group = VPNGroup) |
| JaneDoe@Group or Realm | Enabled | Enabled using @ | NA | Unsupported |
| JaneDoe@cisco.com@VPNGroup | Enabled | Enabled using @ | NA | Unsupported |



Note In addition to the realm and the group, the username may include a Windows domain. The domain is prepended to the username, and the valid delimiter is the \ character. The format is domain\username[@realm][#group], for example domain\JaneDoe. You would include a domain in corporate environments that have multiple Microsoft domains, and that require the domain for authentication.
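The rules of Table 10-3 and the domain\username prefix from the note above, modelled as an added example (not Cisco code): given the login string and the three settings, it returns the string that would go to the AAA server and the group whose parameters apply, raising for the combinations the table marks Unsupported. The `resolve` function and the `AuthCredential` type are this example's own names, not Concentrator APIs.

```python
"""Resolve the credential the VPN Concentrator presents to an AAA server.

Added example, not Cisco code: models the Strip Realm, Enable Group Lookup
and Strip Group rules summarized in Table 10-3, plus the optional
domain\\username prefix. A group of None means the tunnel group's parameters apply.
"""
from dataclasses import dataclass
from typing import Optional

GROUP_DELIMITERS = ("@", "#", "!")  # the three valid group delimiters
REALM_DELIMITER = "@"               # the only valid realm delimiter
DOMAIN_DELIMITER = "\\"             # Windows domain prefix: domain\username


class UnsupportedUsername(ValueError):
    """Combinations Table 10-3 marks Unsupported: Strip Realm with an @ group delimiter."""


@dataclass(frozen=True)
class AuthCredential:
    username: str          # string sent to the AAA server
    group: Optional[str]   # group whose parameters apply; None = tunnel group
    domain: Optional[str]  # Windows domain, if one was prepended


def resolve(username: str, strip_realm: bool = False,
            group_lookup: Optional[str] = None, strip_group: bool = False) -> AuthCredential:
    """group_lookup is None (box unchecked) or the configured delimiter character."""
    if group_lookup is not None and group_lookup not in GROUP_DELIMITERS:
        raise ValueError(f"invalid group delimiter {group_lookup!r}")
    # Once an @ is present, a stripped realm and an @ group delimiter cannot be told apart.
    if strip_realm and group_lookup == REALM_DELIMITER and REALM_DELIMITER in username:
        raise UnsupportedUsername(username)

    domain, rest = None, username
    if DOMAIN_DELIMITER in rest:  # domain\username[@realm][<delim>group]
        domain, rest = rest.split(DOMAIN_DELIMITER, 1)

    group = None
    if group_lookup is not None and group_lookup in rest:
        # Group Lookup: characters right of the delimiter are the group name.
        rest, group = rest.split(group_lookup, 1)

    if strip_realm and REALM_DELIMITER in rest:
        # Strip Realm: drop @realm (with Group Lookup off, that is everything after the @).
        rest = rest.split(REALM_DELIMITER, 1)[0]

    if group is not None and not strip_group:
        rest = f"{rest}{group_lookup}{group}"  # group stays appended unless Strip Group is checked
    if domain is not None:
        rest = f"{domain}{DOMAIN_DELIMITER}{rest}"
    return AuthCredential(username=rest, group=group, domain=domain)
```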


Associating Users with Different Groups for Authentication

When you configure a VPN Client or a VPN 3002, you assign it to a group on the VPN Concentrator to which it connects. This is the tunnel group to which the client belongs. The attributes of the tunnel group determine how the client authenticates.

For authentication, you can associate users behind a VPN Concentrator or VPN 3002 with a group other than the tunnel group. You accomplish this by embedding a different group name within the username. To embed this second group name, you configure and use a delimiter (@, #, or !) that associates the second group with the user. The format to use is username<delimiter>groupname, for example, UserA#bluegroup.

When you embed a group name within a username:

An individual user authenticates according to the priority order of the authentication servers you configure for the group embedded within its username.

If you use external authentication servers, you have the flexibility of storing usernames and passwords for the VPN Concentrator or VPN 3002 on one server, and those for individual users behind the VPN Concentrator or VPN 3002 on another server or servers.

Users behind the same VPN Concentrator or VPN 3002 can authenticate to different external servers. You configure this by embedding different groups for various users. For example, UserA#bluegroup might authenticate to a RADIUS server, while UserD#greengroup authenticates to an SDI server, or to a different RADIUS server.


Note The VPN 3002 always gets settings for interactive hardware client authentication from the tunnel group, not the embedded group.


Table 10-4 summarizes how UserA, UserB, and UserC connect to the central site through a VPN Concentrator or VPN 3002.

Table 10-4 Example: How Authentication Servers Work Using Embedded Groups

| Username | Tunnel Group | Embedded Group | Authentication Server for the VPN Concentrator or VPN 3002 | Authentication Server for the Individual User |
|---|---|---|---|---|
| UserA | bluegroup | None | An authentication server configured for bluegroup. | User A uses an authentication server configured for bluegroup. |
| UserB#redgroup | bluegroup | redgroup | An authentication server configured for bluegroup. | User B uses an authentication server configured for redgroup. |
| UserC#greengroup | bluegroup | greengroup | An authentication server configured for bluegroup. | The VPN 3002 authenticates using an authentication server configured for greengroup. |