Table Of Contents
User Management
Users, Groups, and Base Groups
Authentication Server Limits
Working With Users and Groups
Tunnel Groups and Inheritance
Configuration | User Management
Base Group
Using the Tabs
Base Group | General Tab
Screen Elements
Base Group | IPSec Tab
Screen Elements
Base Group | Client Config Tab
About IPSec over UDP
About IPSec Backup Servers
Configuring Backup Servers from the Cisco VPN Client
About Browser Proxies for Internet Explorer on Windows
About Split Tunneling Policy
Screen Samples
Screen Elements
Base Group | Client FW Tab
Screen Elements
Base Group | HW Client Tab
Screen Elements
About Interactive Hardware Client Authentication
Enabling and Later Disabling Interactive Hardware Client Authentication
About Individual User Authentication
Backup Servers with Interactive Hardware Client and Individual User Authentication
Accounting with Interactive Hardware Client and Individual User Authentication
About LEAP Bypass
LEAP Bypass for the VPN 3002
Summary of VPN 3002 Authentication Features
Base Group | PPTP/L2TP Tab
Screen Elements
Base Group | WebVPN Tab
WebVPN Parameters
Screen Elements
About Outlook/Exchange Proxy Support (MAPI)
Content Filter Parameters
Screen Elements
WebVPN ACLs
ACL Syntax
Base Group | NAC Tab
Screen Elements
Groups
Screen Elements
Groups | Add or Modify (Internal)
Using the Tabs
Groups | Identity Tab
Screen Elements
Groups | General Tab
Screen Elements
Note on DNS and WINS Entries
Groups | IPSec Tab
Screen Elements
Groups | Client Config Tab
Screen Elements
Groups | Client FW Tab
Screen Elements
Groups | HW Client Tab
Screen Elements
Groups | PPTP/L2TP Tab
Screen Elements
Groups | WebVPN Tab
Screen Elements
Groups | NAC Tab
Screen Elements
Groups | Modify (External)
Screen Elements
Groups | Authentication Servers
Screen Elements
Groups | Authentication Servers | Add or Modify
Server Type = RADIUS
Screen Elements
Server Type = NT Domain
Screen Elements
Server Type = SDI
About SDI Version pre-5.0
About SDI Version 5.0
Screen Elements
Server Type = Kerberos/Active Directory
Screen Elements
Groups | Authentication Servers | Test
Screen Elements
Authentication Server Test: Success
Authentication Server Test: Authentication Rejected Error
Authentication Server Test: Authentication Error
Groups | Authorization Servers
Screen Elements
Groups | Authorization Servers | Add or Modify
Server Type = RADIUS
Screen Elements
Server Type = LDAP
Screen Elements
Groups | Authorization Servers | Test
Screen Elements
Authorization Server Test: Success
Authorization Server Test: Authorization Rejected Error
Authorization Server Test: Authorization Error
Groups | Accounting Servers
Screen Elements
Groups | Accounting Servers | Add or Modify
Screen Elements
Groups | Address Pools
Screen Elements
Groups | Address Pools | Add or Modify
Screen Elements
Groups | Client Update
Screen Elements
Groups | Client Update | Add or Modify
Screen Elements
Groups | Bandwidth Policy
Groups | Bandwidth Policy | Interfaces
Screen Elements
Groups | WebVPN Servers and URLs
Screen Elements
Groups | WebVPN Servers and URLs | Add or Modify
Screen Elements
Groups | WebVPN Port Forwarding
Screen Elements
Groups | WebVPN Port Forwarding | Add or Modify
Using Hostnames vs. IP Addresses
Screen Elements
The WebVPN Application Access Window
Application Access Window Fields
About the Hosts File
Users
Screen Elements
Users | Add or Modify
Using the Tabs
Users | Identity Tab
Screen Elements
Users | General Tab
Screen Elements
Users | IPSec Tab
Screen Elements
Users | PPTP/L2TP Tab
Screen Elements
User Management
Users, Groups, and Base Groups
Groups and users are core concepts in managing the security of VPNs and in configuring the VPN Concentrator. Groups and users have attributes, configured via parameters, that determine their access to and use of the VPN. Users are members of groups, and groups are members of the base group. If you do not assign a user to a particular group, that user is by default a member of the base group. This section of the Manager lets you configure those parameters.
Groups simplify system management. To streamline the configuration task, the VPN Concentrator provides a base group that you configure first. The base-group parameters are those that are most likely to be common across all groups and users. As you configure a group, you can simply specify that it "inherit" parameters from the base group; and a user can also "inherit" parameters from a group. Thus you can quickly configure authentication for large numbers of users.
Of course, if you decide to grant identical rights to all VPN users, then you do not need to configure specific groups. But VPNs are seldom managed that way. For example, you might allow a Finance group to access one part of a private network, a Customer Support group to access another part, and an MIS group to access other parts. Further, you might allow specific users within MIS to access systems that other MIS users cannot access.
Authentication Server Limits
You can configure detailed parameters for groups and users on the VPN Concentrator internal authentication server. External RADIUS authentication servers also can return group and user parameters that match those on the VPN Concentrator; other authentication servers do not; they can, however, authenticate users.
The VPN 3000 software CD-ROM includes a link that customers with CCO logins can use to access an evaluation copy of the CiscoSecure ACS RADIUS authentication server. The VPN 3000 software CD-ROM also has current VPN 3000 VSA registry files that let customers load new supported attributes on their ACS server, and provides instructions for using them.
The VPN Concentrator internal authentication server is adequate for a small user base. The maximum number of groups and users (combined) that you can configure in the internal server depends on your VPN Concentrator model. (See Table 13-1.) For larger numbers of users, we recommend using the internal server to configure groups (and perhaps a few users) and using an external authentication server (RADIUS, NT Domain, SDI) to authenticate the users.
Table 13-1 Maximum Number of Groups and Users for the Internal Authentication Server

| VPN Concentrator Model | Maximum Number of Groups and Users (Combined) |
| --- | --- |
| 3005 | 100 |
| 3015 | 100 |
| 3020 | 250 |
| 3030 | 500 |
| 3060 | 1000 |
| 3080 | 1000 |
The VPN Concentrator checks authentication parameters in this order:
1. User parameters. If any parameters are missing, the system looks at:
2. Group parameters. If any parameters are missing, the system looks at:
3. For IPSec users only: IPSec tunnel-group parameters. These are the parameters of the IPSec group used to create the tunnel. The IPSec group is configured on the internal server or on an external RADIUS server. If any parameters are missing, the system looks at base group parameters. For VPN 3002 Hardware Client parameters, which enable or disable interactive hardware client authentication and individual user authentication, the IPSec tunnel group parameters take precedence over parameters set for users and groups.
4. Base-group parameters.
If you use a non-RADIUS server, only the IPSec tunnel-group or base-group parameters apply to users.
Working With Users and Groups
Some additional points to note:
• Base-group parameters are the default, or system-wide, parameters.
• A user can be a member of only one group.
• A user that is not a member of a group can nevertheless assume attributes from that group if you join the groupname to the username using a delimiter. See System | General | Global Authentication Parameters for information on how to select and use a delimiter.
• Users who are not members of a specific group are, by default, members of the base group. Therefore, to ensure maximum security and control, you should assign all users to appropriate groups, and you should configure base-group parameters carefully.
• You can change group parameters, thereby changing parameters for all its members at the same time.
• You can delete a group, but when you do, all its members revert to the base group. Deleting a group, however, does not delete its members' user profiles.
• You can override the base-group parameters when you configure groups and users, and give groups and users more or fewer rights with this exception:
For PPTP and L2TP authentication protocols, you can allow specific groups and users to use fewer protocols than the base group, but not more.
For all other parameters, groups' and users' rights can be greater than the base group. For example, you can give a specific user 24-hour access to the VPN, but give the base group access during business hours only.
• You apply filters to groups and users, and thus govern tunneled data traffic through the VPN Concentrator. You also apply filters to network interfaces, and thus govern all data traffic through the VPN Concentrator. See the Policy Management | Traffic Management screens.
• We can supply a "dictionary" of Cisco-specific user and group parameters for external RADIUS servers.
We recommend that you define groups when planning your VPN, and that you configure groups and users on the VPN Concentrator in this order:
1. Base-group parameters.
2. Group parameters.
3. User parameters.
Before configuring groups and users, you should configure system policies, including network lists, access hours, filters, rules, and IPSec security associations (see Configuration | Policy Management).
In addition to configuring groups and users, you also need to configure authentication servers, specifically the internal authentication server (see Configuration | System | Servers). You can specify authentication servers globally or per group.
Tunnel Groups and Inheritance
In certain cases, attributes are not inherited from the base group if the Inherit checkbox is selected. This occurs when users connect with the VPN Client using one particular group (referred to as a tunnel group), and an authentication server (such as a RADIUS server) assigns them to another group (referred to as a user group).
In this scenario, if the user group is set to inherit attributes, the attributes are inherited from the tunnel group first. If the tunnel group is also set to inherit attributes, it then inherits attributes from the base group.
If the tunnel group is not set to inherit attributes, the user group's inherited attributes will come from the tunnel group. This may not match expected behavior for the configured user group.
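To make the lookup order (user, group, IPSec tunnel group, base group) and the tunnel-group case described above concrete, here is an added worked example in Python. It is not Cisco code and does not come from the VPN Concentrator software. The users, groups, attribute values and the PPTP/L2TP authentication protocol names (PAP, CHAP, MSCHAPv1, MSCHAPv2, EAP) are constructed for illustration, and a value of `None` stands in for a level that is set to inherit.

```python
"""Added worked example (not Cisco code): resolve an attribute by walking
user -> group -> IPSec tunnel group -> base group, and apply the rule that a
group may permit fewer PPTP/L2TP authentication protocols than the base group
but never more. All names and values below are constructed."""
from typing import Any, Optional

# None at a level means "not set here; inherit from the next level".
BASE_GROUP = {
    "access_hours": "Business Hours",
    "simultaneous_logins": 3,
    "idle_timeout": 30,
    "filter": "--None--",
    # Assumed protocol names for the PPTP/L2TP tab; the page does not list them.
    "pptp_auth_protocols": {"PAP", "CHAP", "MSCHAPv1", "MSCHAPv2"},
}

GROUPS = {
    "Finance": {
        "access_hours": None,
        "simultaneous_logins": 1,
        "idle_timeout": None,
        "filter": "finance-only",
        # Tries to grant a protocol (EAP) the base group does not allow.
        "pptp_auth_protocols": {"MSCHAPv2", "EAP"},
    },
    "MIS": {
        "access_hours": "-No Restrictions-",
        "simultaneous_logins": None,
        "idle_timeout": 120,
        "filter": None,
        "pptp_auth_protocols": None,
    },
}

USERS = {
    "alice": {"group": "Finance", "attrs": {"idle_timeout": 10}},
    "bob": {"group": None, "attrs": {}},  # no group: the base group applies
}


def lookup_chain(username: str, tunnel_group: Optional[str] = None,
                 ipsec: bool = False) -> list:
    """Build the ordered list of attribute dictionaries to consult."""
    chain = []
    group_name = None
    user = USERS.get(username)
    if user is not None:
        chain.append(user["attrs"])
        group_name = user["group"]
    if group_name is not None:
        chain.append(GROUPS[group_name])
    # IPSec only: the tunnel group (the group the tunnel was built with) is
    # consulted before the base group, even when the authentication server
    # assigned the user to a different group.
    if ipsec and tunnel_group is not None and tunnel_group != group_name:
        chain.append(GROUPS[tunnel_group])
    chain.append(BASE_GROUP)
    return chain


def resolve(username: str, attribute: str, tunnel_group: Optional[str] = None,
            ipsec: bool = False) -> Any:
    """Return the first explicitly set value along the lookup chain."""
    for level in lookup_chain(username, tunnel_group, ipsec):
        value = level.get(attribute)
        if value is not None:
            return value
    return None


def effective_pptp_auth_protocols(group_name: str) -> set:
    """A group may allow fewer PPTP/L2TP authentication protocols than the
    base group, but not more, so intersect with the base group's set."""
    base = BASE_GROUP["pptp_auth_protocols"]
    own = GROUPS[group_name].get("pptp_auth_protocols")
    return set(base) if own is None else set(own) & set(base)


if __name__ == "__main__":
    for attr in ("idle_timeout", "simultaneous_logins", "access_hours", "filter"):
        print(f"alice {attr}: {resolve('alice', attr)}")
    print("alice via MIS tunnel group, access_hours:",
          resolve("alice", "access_hours", tunnel_group="MIS", ipsec=True))
    print("Finance PPTP/L2TP auth protocols:",
          effective_pptp_auth_protocols("Finance"))
```

With alice a member of Finance, her idle timeout comes from her user record, her login limit from the group, and her access hours from the base group; if her IPSec tunnel was built with the MIS group, the MIS value is found before the base-group one. Non-IPSec sessions skip the tunnel-group step.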
Configuration | User Management
This section of the Manager lets you configure base-group, group, and individual user parameters. These parameters determine access and use of the VPN Concentrator.
Figure 13-1 Configuration | User Management Screen
Base Group
This Manager screen lets you configure the default, or base-group, parameters. Base-group parameters are those that are most likely to be common across all groups and users, and they streamline the configuration task. Groups can "inherit" parameters from this base group, and users can "inherit" parameters from their group or the base group. You can override these parameters as you configure groups and users. Users who are not members of a group are, by default, members of the base group.
On this screen, you configure the following kinds of parameters:
• General (Base Group | General Tab): Security, access, performance, and protocols.
• IPSec (Base Group | IPSec Tab): IP Security tunneling protocol.
• Client Config (Base Group | Client Config Tab): Banner, password storage, split-tunneling policy, default domain name, IPSec over UDP, backup servers.
• Client FW (Base Group | Client FW Tab): VPN Client personal firewall requirements.
• HW Client (Base Group | HW Client Tab): Interactive hardware client and individual user authentication; network extension mode.
• PPTP/L2TP (Base Group | PPTP/L2TP Tab): PPTP and L2TP tunneling protocols.
• WebVPN (Base Group | WebVPN Tab): SSL VPN access.
• NAC (Base Group | NAC Tab): Peer posture validation settings for Network Admission Control.
Before configuring these parameters, you should configure:
• Access Hours (Policy Management | Access Hours).
• Rules and filters (Policy Management | Traffic Management | Rules and | Filters).
• IPSec Security Associations (Policy Management | Traffic Management | Security Associations).
• Network Lists for filtering and split tunneling (Policy Management | Traffic Management | Network Lists).
• User Authentication servers, and specifically the internal authentication server (System | Servers | Authentication).
Using the Tabs
This screen includes three tabbed sections. Click each tab to display its parameters. As you move from tab to tab, the Manager retains your settings. When you have finished setting parameters on all tabbed sections, click Apply or Cancel.
Base Group | General Tab
This tab lets you configure general security, access, performance, and protocol parameters that apply to the base group.
Figure 13-2 Configuration | User Management | Base Group Screen, General Tab
Screen Elements
• Access Hours — Click this drop-down menu button and select the named hours when remote-access users can access the VPN Concentrator. Configure access hours on the Policy Management | Access Hours screen. Default entries are:
– -No Restrictions- = No named access hours applied (the default), which means that there are no restrictions on access hours.
– Never = No access at any time.
– Business Hours = Access 9 a.m. to 5 p.m., Monday through Friday.
Additional named access hours that you have configured also appear on the list.
• Simultaneous Logins — Enter the number of simultaneous logins permitted for a single internal user. The minimum is 0, which disables login and prevents user access; default is 3. While there is no maximum limit, allowing several could compromise security and affect performance.
• Minimum Password Length — Enter the minimum number of characters for user passwords. The minimum is 1, the default is 8, and the maximum is 32. For security we strongly recommend 8 or higher.
• Allow Alphabetic-Only Passwords — Check this box to allow user passwords with alphabetic characters only (the default). This option applies only to users who are configured in and authenticated by the VPN Concentrator internal authentication server. To protect security, we strongly recommend that you not allow such passwords. Require passwords to be a mix of alphabetic characters, numbers, and symbols, such as 648e&9G#.
• Idle Timeout — Enter the idle timeout period in minutes. If there is no communication activity on a connection in this period, the system terminates the connection. The minimum is 1 minute, the default is 30 minutes, and the maximum is 10080 minutes. To disable timeout and allow an unlimited idle period, enter 0 (zero).
Note
This value applies to WebVPN users unless you set it to 0 (zero). In that case, the WebVPN Default Idle Timeout set in Tunneling and Security | WebVPN | HTTP/HTTPS Proxy applies.
We recommend that you set a short idle-timeout value for WebVPN users. This is because when a browser is set to disable cookies, or prompts for cookies but denies them, users do not connect, but they still appear in the Administration | Administer Sessions | RAS database. If Simultaneous Logins (User Management | Base Group | General Tab or Groups | General Tab) is set to one, the user can't log in again because the maximum number of connections already exists. If you set a low idle timeout for WebVPN users, these cookies are deleted quickly, letting a user reconnect.
Note
This parameter does not apply to individual users behind a VPN 3002 as they authenticate to the remote network. The Users Idle Timeout value set in the User Management | Base Group | HW Client Tab or Groups | HW Client Tab screen is the timeout value that applies.
• Maximum Connect Time — Enter the maximum user connection time in minutes. At the end of this time, the system terminates the connection. The minimum is 1 minute, and the maximum is 2147483647 minutes (over 4000 years). To allow unlimited connection time, enter 0 (the default).
Note
If pop-ups are disabled on the browser, WebVPN will not warn the user before disconnecting due to idle timeout or maximum connect time.
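The following is an added worked example in Python, not Cisco code, showing how the Idle Timeout and Maximum Connect Time rules above play out over a set of sessions: 0 means unlimited for both, and an Idle Timeout of 0 hands WebVPN sessions to the WebVPN Default Idle Timeout instead. The session records, the minute-based clock and the user names are constructed for illustration.

```python
"""Added worked example (not Cisco code): apply Idle Timeout and Maximum
Connect Time, with 0 = unlimited and the WebVPN fallback when Idle Timeout
is 0. Session records and the clock (in minutes) are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

IDLE_MIN, IDLE_MAX = 1, 10080          # minutes accepted for Idle Timeout (or 0)
CONNECT_MAX = 2147483647               # minutes accepted for Maximum Connect Time


@dataclass
class Session:
    user: str
    kind: str            # "ipsec", "pptp", "l2tp" or "webvpn"
    connected_at: int    # minute the connection came up (constructed clock)
    last_activity: int   # minute of the last traffic seen


def validate_settings(idle_timeout: int, max_connect_time: int) -> None:
    """Reject values outside the ranges the General tab accepts."""
    if idle_timeout != 0 and not IDLE_MIN <= idle_timeout <= IDLE_MAX:
        raise ValueError(f"Idle Timeout must be 0 or {IDLE_MIN}..{IDLE_MAX} minutes")
    if not 0 <= max_connect_time <= CONNECT_MAX:
        raise ValueError(f"Maximum Connect Time must be 0..{CONNECT_MAX} minutes")


def termination_reason(s: Session, now: int, idle_timeout: int,
                       max_connect_time: int,
                       webvpn_default_idle: int) -> Optional[str]:
    """Return why the session should be torn down, or None to keep it."""
    if max_connect_time != 0 and now - s.connected_at >= max_connect_time:
        return "maximum connect time"
    effective_idle = idle_timeout
    if idle_timeout == 0:
        # 0 disables the group idle timeout, except that WebVPN sessions then
        # use the global WebVPN Default Idle Timeout.
        effective_idle = webvpn_default_idle if s.kind == "webvpn" else 0
    if effective_idle != 0 and now - s.last_activity >= effective_idle:
        return "idle timeout"
    return None


def reap(sessions: List[Session], now: int, idle_timeout: int,
         max_connect_time: int, webvpn_default_idle: int) -> Dict[str, str]:
    """Map each user whose session must end to the reason."""
    validate_settings(idle_timeout, max_connect_time)
    ended = {}
    for s in sessions:
        reason = termination_reason(s, now, idle_timeout,
                                    max_connect_time, webvpn_default_idle)
        if reason:
            ended[s.user] = reason
    return ended


# Constructed sample sessions; "now" in the calls below is minute 1000.
SAMPLE = [
    Session("alice", "ipsec", connected_at=900, last_activity=995),
    Session("bob", "ipsec", connected_at=900, last_activity=950),
    Session("carol", "webvpn", connected_at=990, last_activity=990),
    Session("dave", "pptp", connected_at=200, last_activity=999),
]

if __name__ == "__main__":
    print("idle 30, connect unlimited:", reap(SAMPLE, 1000, 30, 0, 5))
    print("idle 0, WebVPN default 5:  ", reap(SAMPLE, 1000, 0, 0, 5))
    print("connect 600, idle 0:       ", reap(SAMPLE, 1000, 0, 600, 0))
```

Running it shows bob dropped for idleness at the 30-minute default, carol (WebVPN) dropped only when the group idle timeout is 0 and the WebVPN default applies, and dave dropped by Maximum Connect Time regardless of his recent activity.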
• Filter — Filters consist of rules that determine whether to allow or reject tunneled data packets coming through the VPN Concentrator, based on criteria such as source address, destination address, and protocol. Cisco supplies three default filters, which you can modify. To configure filters and rules, see the Configuration | Policy Management | Traffic Management screens.
Click the Filter drop-down menu button and select the base-group filter:
– --None-- = No filter applied, which means there are no restrictions on tunneled data traffic. This is the default selection.
– Private (Default) = Allow all packets except source-routed IP packets. (This is the default filter for the private Ethernet interface.)
– Public (Default) = Allow inbound and outbound tunneling protocols plus ICMP and VRRP. Allow fragmented IP packets. Drop everything else, including source-routed packets. (This is the default filter for the public Ethernet interface.)
– External (Default) = No rules applied to this filter. Drop all packets. (This is the default filter for the external Ethernet interface.)
Additional filters that you have configured also appear on the list.
• Primary DNS — Enter the IP address of the primary DNS server for base-group users. The system sends this address to the client as the first DNS server to use for resolving host names. If the base group does not use DNS, leave this field blank. See the Note on DNS and WINS entries section under User Management | Groups | Add or Modify (Internal).
Note
WebVPN users get their DNS information from the DNS servers you configure globally in the System | Servers | DNS screen. They do not get DNS information from the Base Group or Group settings.
• Secondary DNS — Enter the IP address of the secondary DNS server for base-group users. The system sends this address to the client as the second DNS server to use for resolving host names.
• Primary WINS — Enter the IP address of the primary WINS server for base-group users. The system sends this address to the client as the first WINS server to use for resolving host names under Windows NT. If the base group does not use WINS, leave this field blank. (See the Note on DNS and WINS Entries on page 13-53.)
• Secondary WINS — Enter the IP address of the secondary WINS server for base-group users. The system sends this address to the client as the second WINS server to use for resolving host names under Windows NT.
• SEP Card Assignment — Check this box to assign this user to a given SEP or SEP-E module. By default, all boxes are checked, and we recommend that you keep the default. If your system does not have a given SEP or SEP-E module, the parameter is ignored.
The VPN Concentrator can contain up to four Scalable Encryption Processing (SEP) or SEP-E (Enhanced SEP) modules that handle encryption functions, which are compute-intensive. This parameter lets you configure the load on each SEP or SEP-E module.
• Tunneling Protocols — Check the desired Tunneling Protocols boxes to select the VPN tunneling protocols that users in this group can use. Configure parameters on the IPSec or PPTP/L2TP tabs as appropriate. Clients can use only the selected protocols.
You cannot check both IPSec and L2TP over IPSec. The IPSec parameters differ for these two protocols, and you cannot configure the base group (or group, or a single user) for both.
– PPTP = Point-to-Point Tunneling Protocol (checked by default). PPTP is a client-server protocol, and it is popular with Microsoft clients. Microsoft Dial-Up Networking (DUN) 1.2 and 1.3 under Windows 95/98 support it, as do versions of Windows NT 4.0, 2000, and XP.
– L2TP = Layer 2 Tunneling Protocol (checked by default). L2TP is a client-server protocol. It combines many features from PPTP and L2F (Layer 2 Forwarding).
– IPSec = IP Security Protocol (checked by default). IPSec provides the most complete architecture for VPN tunnels, and it is perceived as the most secure protocol. Both LAN-to-LAN (peer-to-peer) connections and client-to-LAN connections can use IPSec. The Cisco VPN Client is an IPSec client specifically designed to work with the VPN Concentrator. However, the VPN Concentrator can establish IPSec connections with many protocol-compliant clients.
– L2TP over IPSec = L2TP using IPSec for security (unchecked by default). L2TP packets are encapsulated within IPSec, thus providing an additional authentication and encryption layer for security. L2TP over IPSec is a client-server protocol that provides interoperability with the Windows 2000 VPN client. It is also compliant with, but not officially supported for, other remote-access clients.
– WebVPN = VPN via SSL/TLS. Uses a web browser to establish a secure remote-access tunnel to a VPN Concentrator; requires neither a software nor hardware client. WebVPN can provide easy access to a broad range of enterprise resources, including corporate websites, web-enabled applications, NT/AD file share (web-enabled), e-mail, and other TCP-based applications from almost any computer that can reach HTTPS Internet sites.
Note
If no protocol is selected, no user clients can access or use the VPN.
• Strip Realm — Check this box to remove the realm qualifier of the username during authentication. If you check this Strip Realm box, authentication is based on the username alone. Otherwise, authentication is based on the full username@realm string. You must check this box if your server is unable to parse delimiters.
Note
If you are using the Group Lookup feature and Strip Realm, do not use the @ character for the group delimiter. See System | General | Global Authentication Parameters for a full explanation of how the VPN Concentrator interprets delimiters with respect to realms and groups.
• DHCP Network Scope — To use this feature, the VPN Concentrator must be using a DHCP server for address assignment. To configure a DHCP server, see the System | Servers | DHCP screen.
Enter the IP sub-network that the DHCP server should assign to users in this group, for example: 200.0.0.0. The DHCP Network Scope indicates to the DHCP server the range of IP addresses from which to assign addresses to users in this group.
Enter 0.0.0.0 for the default; by default, the DHCP server assigns addresses to the IP sub-network of the VPN Concentrator's private interface.
Base Group | IPSec Tab
This tab lets you configure IP Security Protocol parameters that apply to the base group. If you checked IPSec or L2TP over IPSec under Tunneling Protocols on the User Management | Base Group | General Tab, configure this section.
Four parameters on this tab apply to WebVPN users in the base group that authenticate with digital certificates: Authentication, Authorization Type, Authorization Required, and DN Field.
Figure 13-3 Configuration | User Management | Base Group Screen, IPSec Tab
Screen Elements
• IPSec SA — Click this drop-down menu button and select the IPSec Security Association (SA) assigned to IPSec clients. During tunnel establishment, the client and server negotiate an SA that governs authentication, encryption, encapsulation, key management, etc. You configure IPSec SAs on the Policy Management | Traffic Management | Security Associations screens.
To use IPSec with remote-access clients, you must assign an SA. With IPSec LAN-to-LAN connections, the system ignores this selection and uses parameters from the Tunneling and Security | IPSec | LAN-to-LAN screens.
The VPN Concentrator supplies several default selections. Refer to the table below for an explanation of each default SA.
Table 13-2 Default IPSec Security Associations

| Security Association | Encryption: IKE Tunnel | Encryption: IPSec Traffic | Authentication: IKE Tunnel | Authentication: IPSec Traffic |
| --- | --- | --- | --- | --- |
| ESP-DES-MD5 | DES 56-bit | DES 56-bit | MD5/HMAC-128 | ESP/MD5/HMAC-128 |
| ESP-3DES-MD5 | DES 56-bit | 3DES 168-bit | MD5/HMAC-128 | ESP/MD5/HMAC-128 |
| ESP/IKE-3DES-MD5 | 3DES 168-bit | 3DES 168-bit | MD5/HMAC-128 | ESP/MD5/HMAC-128 |
| ESP-3DES-NONE | DES 56-bit | 3DES 168-bit | MD5/HMAC-128 | none |
| ESP-L2TP-TRANSPORT | 3DES 168-bit | DES 56-bit | MD5/HMAC-128 | ESP/MD5/HMAC-128 |
| ESP-3DES-MD5-DH7 | 3DES 168-bit | 3DES 168-bit | MD5/HMAC-128 | ESP/MD5/HMAC-128 |
| ESP-3DES-MD5-DH5 | 3DES 168-bit | 3DES 168-bit | MD5/HMAC-128 | ESP/MD5/HMAC-128 |
| ESP-AES128-SHA | AES 128-bit | AES 128-bit | SHA/HMAC-128 | ESP/SHA/HMAC-128 |
Additional notes:
– --None-- = No SA assigned. Select this option if you need to configure groups with several different SAs.
– ESP-L2TP-TRANSPORT = Use this SA with the L2TP over IPSec tunneling protocol.
– ESP-3DES-MD5-DH7 = This SA uses Diffie-Hellman Group 7 (ECC) to negotiate Perfect Forward Secrecy. This option is intended for use with the MovianVPN client, but you can use it with other clients that support Diffie-Hellman Group 7 (ECC).
– ESP-3DES-MD5-DH5 = This SA uses Diffie-Hellman Group 5 to negotiate Perfect Forward Secrecy.
Additional SAs that you have configured also appear on the list.
• IKE Peer Identity Validation — Click this drop-down menu button, and select the type of peer identity validation.
– Required = Enable the IKE peer identity validation feature. If a peer's certificate does not provide sufficient information to perform an identity check, drop the tunnel.
– If supported by certificate = Enable the IKE peer identity validation feature. If a peer's certificate does not provide sufficient information to perform an identity check, allow the tunnel.
– Do not check = Do not check the peer's identity at all. Selecting this option disables the feature.
Note
This option applies only to tunnel negotiations based on certificates.
During IKE tunnel establishment, the peer provides its identity: either an IP address, a fully qualified domain name (FQDN), or a distinguished name (DN). It also presents a certificate, which contains none, some, or all of these fields. If IKE peer identity validation is enabled, the VPN Concentrator compares the peer's identity to the like field in the certificate to see if the information matches. If the information matches, then the peer's identity is validated and the VPN Concentrator establishes the tunnel. If the information does not match, the VPN Concentrator drops the tunnel. This feature provides an additional level of security.
IKE Peer Identity Validation can be useful for binding a peer to a particular IP address or domain name. For example, if the IP address that the peer provided as an identification during tunnel establishment does not match the IP address in its certificate, the VPN Concentrator fails to validate the peer and drops the tunnel.
Ideally all the VPN Concentrator peers are configured to provide matching types of identity and certificate fields. In this case, enabling Peer Identity Validation ensures that the VPN Concentrator checks the validity of every peer, and only validated peers connect. But in actuality, some peers might not be configured to provide this data. The peer provides a certificate, but that certificate might not contain any of the matching fields required for an identity check. (For example, the peer might provide an IP address for its identity and its certificate might contain only a distinguished name.) If a peer does not provide sufficient information for the VPN Concentrator to check its identity, there are two possibilities: the VPN Concentrator either establishes the session or drops it. If you want the VPN Concentrator to drop sessions of peers that do not provide sufficient information to perform an identity check, choose Required. If you want the VPN Concentrator to establish sessions for peers that do not provide sufficient identity information to perform a check, select If supported by certificate.
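The decision just described, as an added worked example in Python rather than Cisco code: the peer asserts one identity type (IP address, FQDN or DN), the certificate may or may not carry the same field, and the selected mode decides what happens when it does not. The certificate is modelled as a plain dictionary of the fields it contains, the DN comparison is a deliberately simplified string comparison, and the peer names and addresses are constructed.

```python
"""Added worked example (not Cisco code): the outcome of IKE Peer Identity
Validation for each mode. cert_fields models only the identity-relevant
fields a certificate may carry; all values are constructed."""
import ipaddress
from enum import Enum
from typing import Dict, Tuple


class Mode(Enum):
    REQUIRED = "Required"
    IF_SUPPORTED = "If supported by certificate"
    DO_NOT_CHECK = "Do not check"


def _normalize_dn(dn: str) -> list:
    """Simplified DN comparison: split on commas, trim, lower-case each RDN."""
    return [part.strip().lower() for part in dn.split(",")]


def _fields_match(identity_type: str, asserted: str, in_cert: str) -> bool:
    """Compare the identity the peer asserted with the same field in its cert."""
    if identity_type == "ip":
        return ipaddress.ip_address(asserted) == ipaddress.ip_address(in_cert)
    if identity_type == "fqdn":
        return asserted.rstrip(".").lower() == in_cert.rstrip(".").lower()
    if identity_type == "dn":
        return _normalize_dn(asserted) == _normalize_dn(in_cert)
    raise ValueError(f"unknown identity type {identity_type!r}")


def validate_peer(mode: Mode, identity_type: str, identity_value: str,
                  cert_fields: Dict[str, str]) -> Tuple[bool, str]:
    """Return (establish_tunnel, reason) for a certificate-based negotiation."""
    if mode is Mode.DO_NOT_CHECK:
        return True, "peer identity validation disabled"
    in_cert = cert_fields.get(identity_type)
    if in_cert is None:
        # The certificate lacks the field needed for the check; the mode decides.
        if mode is Mode.REQUIRED:
            return False, f"certificate carries no {identity_type}; Required drops the tunnel"
        return True, f"certificate carries no {identity_type}; allowed by If supported by certificate"
    if _fields_match(identity_type, identity_value, in_cert):
        return True, f"{identity_type} in IKE identity matches the certificate"
    # A field that is present but different fails in both checking modes.
    return False, f"{identity_type} in IKE identity does not match the certificate; tunnel dropped"


if __name__ == "__main__":
    # Constructed peer: asserts an IP identity, but its certificate has only a DN.
    cert_dn_only = {"dn": "CN=branch-gw, O=Example Corp"}
    for mode in Mode:
        print(f"{mode.value:28s} -> {validate_peer(mode, 'ip', '192.0.2.10', cert_dn_only)}")
```

The distinction worth noting is that a certificate which carries the field but with a different value is rejected under both Required and If supported by certificate; only the missing-field case differs between the two.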
• IKE Keepalives — Check this box to enable IKE keepalives. (This is checked by default.) This feature lets the VPN Concentrator monitor the continued presence of a remote peer and to report its own presence to that peer. If the peer becomes unresponsive, the VPN Concentrator removes the connection. Enabling IKE keepalives prevents hung connections when the IKE peer loses connectivity.
There are various forms of IKE keepalives. For this feature to work, both the VPN Concentrator and its remote peer must support a common form. This feature works with the following peers:
– Cisco VPN Client (Release 3.0 and above)
– Cisco VPN 3000 Client (Release 2.x)
– Cisco VPN 3002 Hardware Client
– Cisco VPN 3000 Series Concentrators
– Cisco IOS software
– Cisco Secure PIX Firewall
Non-Cisco VPN clients do not support IKE keepalives.
If you are configuring a group of mixed peers, and some of those peers support IKE keepalives and others do not, enable IKE keepalives for the entire group. The feature does not affect the peers that do not support it.
If you disable IKE keepalives, connections with unresponsive peers remain active until they time out, so we recommend you keep your idle timeout short. To change your idle timeout, see the User Management | Base Group | General Tab.
Note
To reduce connectivity costs, disable IKE keepalives if this group includes any clients connecting via ISDN lines. ISDN connections normally disconnect if idle, but the IKE keepalives mechanism prevents connections from idling and therefore from disconnecting.
If you do disable IKE keepalives, the client disconnects only when either its IKE or IPSec keys expire. Failed traffic does not disconnect the tunnel with the Peer Timeout Profile values as it does when IKE keepalives are enabled.
Note
If you have a LAN-to-LAN configuration using IKE main mode, make sure the two peers have the same IKE keepalives configuration: both must have IKE keepalives enabled or both must have it disabled.
• Confidence Interval — Enter the number of seconds the VPN Concentrator should allow a peer to idle before beginning keepalive monitoring. The minimum is 10 seconds; the maximum is 300 seconds. The default for a LAN-to-LAN group is 10 seconds. The default for a remote access group is 300 seconds.
This field applies only to Easy VPN compliant clients that are using IKE Keepalives. Easy VPN compliant clients are:
– Cisco VPN 3002 Hardware Client
– Cisco Easy VPN Client for IOS Routers
– PIX 501/506 Easy VPN Remote Hardware Client
• Tunnel Type — Select the type of IPSec tunnel that clients use:
– LAN-to-LAN = IPSec LAN-to-LAN connections between two VPN Concentrators (or between a VPN Concentrator and another protocol-compliant security gateway). See the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN section. If you select this type, ignore the rest of the parameters on this tab.
– Remote Access = Remote IPSec client connections to the VPN Concentrator (the default). If you select this type, configure Remote Access Parameters.
• Remote Access Parameters — These base-group parameters apply to remote-access IPSec client connections only. If you select Remote Access for Tunnel Type, configure these parameters.
• Group Lock — Check this box to restrict users to remote access through this group only. Group Lock restricts users by checking if the group configured in the VPN client is the same as the user's assigned group. If it is not, the VPN Concentrator prevents the user from connecting.
If this box is unchecked (the default), the system authenticates a user without regard to the user's assigned group.
• Authentication — Select the authentication method (authentication server type) to use with this group's remote-access IPSec clients. Both VPN Clients and VPN 3002 Hardware Clients authenticate on the first server of the type you configure.
Whenever a VPN software or VPN 3002 Hardware Client attempts a tunneled connection to a network behind a VPN Concentrator, that client is authenticated by means of a username and password. This authentication occurs when the tunnel initiates, and is the authentication type for interactive hardware client authentication for the VPN 3002. This parameter does not apply to individual user authentication for the VPN 3002.
This selection identifies the authentication method, not the specific server. Configure authentication servers on the System | Servers | Authentication screens or User Management | Groups | Authentication Servers screens.
For the VPN 3002, this selection applies to authentication using a saved username and password and to interactive hardware client authentication. Individual users behind the VPN 3002 authenticate according to the priority order of all authentication servers configured, regardless of type. For more information on the different ways in which a VPN 3002 can authenticate, see User Management | Base Group | HW Client Tab.
WebVPN users authenticating with digital certificates use an authorization server for authentication. For these users, set the value in this Authentication field to None.
Note
To configure user-based authentication for VPN Clients, choose an Authentication method, then follow the additional steps outlined under Tunneling and Security | IPSec | IKE Proposals | Add, Modify, or Copy. You do this in all cases, regardless of whether you enable interactive hardware client authentication or individual user authentication.
Selecting any authentication method (other than None) enables ISAKMP Extended Authentication, also known as XAUTH.
– None = No IPSec user authentication method. If you checked L2TP over IPSec under Tunneling Protocols, use this selection. If WebVPN users in the base group authenticate with digital certificates, select None in this screen because these users authenticate using an Authorization server.
– RADIUS = Authenticate clients via external RADIUS server.
– RADIUS with Expiry = Authenticate clients via external RADIUS server. If the password has expired, notify the client and offer the opportunity to create a new password.
– NT Domain = Authenticate clients via external Windows NT Domain system.
– SDI = Authenticate clients via external RSA Security Inc. SecurID system.
– Kerberos/Active Directory = Authenticate users via an external Windows Active Directory or a UNIX/Linux Kerberos server.
– Internal = Authenticate clients via the internal VPN Concentrator authentication server. This is the default selection.
Enabling RADIUS with Expiry lets the VPN Concentrator use MS-CHAP-v2 when authenticating an IPSec client to an external RADIUS server. That RADIUS server must support both MS-CHAP-v2 and the Microsoft Vendor Specific Attributes. Refer to the documentation for your RADIUS server to verify that it supports these capabilities.
With MS-CHAP-v2, when you enable RADIUS with Expiry on the VPN Concentrator, the VPN Concentrator can provide enhanced login failure messages to the VPN Client describing specific error conditions. These conditions are:
– Restricted login hours.
– Account disabled.
– No dial-in permission.
– Error changing password.
– Authentication failure.
Note
For RADIUS with Expiry to work with a VPN 3002, the VPN 3002 must have the Require Interactive Hardware Client Authentication feature enabled.
• Authorization Type — This field applies to IPSec users and to WebVPN users that authenticate with digital certificates. These WebVPN users use an Authorization server for authentication.
Select an authorization type.
– None = Do not authorize users in this group.
– RADIUS = Use an external RADIUS authorization server to authorize users in this group.
– LDAP = Use an external LDAP authorization server to authorize users in this group.
• Authorization Required — If you are using authorization, you can make it mandatory or optional. Check this box if you want to require users to authorize successfully to connect. If authorization fails for any reason (including the user's inability to access the authorization server), the connection fails.
If you do not want a connection to depend on authorization, make authorization optional. To make authorization optional, uncheck this box. In this case, if authorization fails, the VPN Concentrator notes the failure in the log and allows the connection to continue.
Check this box for WebVPN users that authenticate with digital certificates.
• DN Field — If IPSec or WebVPN users in this group are authenticating by means of digital certificates and require LDAP or RADIUS authorization, choose a field from the certificate to identify the user to the authorization server.
For example, if you choose E-mail Address, users authenticate according to their e-mail address. Then a user with the Common Name (CN) John Doe and an e-mail address of johndoe@cisco.com cannot authenticate as John Doe or as johndoe. He must authenticate as johndoe@cisco.com.
The "CN otherwise OU" option specifies that if there is a CN (Common Name) field in the certificate, use the CN field. If there is not a CN field in the certificate, use the OU (Organizational Unit) field.
• IPComp — If all members of this group are remote dial-in users connecting with modems, enabling data compression might speed up their data transmission rates. Data compression shrinks data by replacing repeating information with symbols that use less space. Click the IPComp drop-down menu button to enable data compression using IPComp.
– None = No data compression.
– LZS = Enable data compression using the LZS compression algorithm.
Caution
Data compression increases the memory requirement and CPU utilization for each user session and consequently decreases the overall throughput of the VPN Concentrator. For this reason, we recommend that you enable data compression only if every member of the group is a remote user connecting with a modem. If any members of the group connect via broadband, do not enable data compression for the group. Instead, divide the group into two groups, one for modem users and the other for broadband users. Enable data compression only for the group of modem users.
• Default Preshared Key — Enter the preshared secret. Use a minimum of four and a maximum of 32 alphanumeric characters.
This option allows the following VPN clients to connect to the VPN Concentrator:
– VPN clients that use pre-shared secrets but do not support the concept of a "group," such as the Microsoft Windows XP L2TP/IPSec client.
– VPN router devices that are creating inbound connections from non-fixed IP addresses using pre-shared secrets.
• Reauthentication on Rekey — Check this box to enable reauthentication, or uncheck the box to disable it.
If you have enabled the Reauthentication on Rekey feature, the VPN Concentrator prompts the user to enter an ID and password during Phase 1 IKE negotiation and also prompts for user authentication whenever a rekey occurs. Reauthentication provides additional security.
If the configured rekey interval is very short, users might find the repeated authentication prompts inconvenient. In this case, disable reauthentication. To check your VPN Concentrator's configured rekey interval, see the Lifetime Measurement, Data Lifetime, and Time Lifetime fields on the Tunneling and Security | IPSec | IKE Proposals | Add, Modify, or Copy screen.
Note
At 85% of the rekey interval, the Cisco VPN Client prompts the user to reauthenticate. If the user does not respond within approximately 90 seconds, the VPN Concentrator drops the connection.
• Client Type & Version Limiting — Construct rules to permit or deny VPN Clients according to their type and software version. Construct these rules exactly, using the formats, abbreviations, and other rule specifications defined below.
– Construct rules in the format p[ermit]/d[eny] <type> : <version>, for example, d VPN 3002 : 3.6* .
– The * character is a wildcard. You can use it multiple times in each rule. For example: deny *:3.6* = Deny all clients running software version 3.6x.
– Use a separate line for each rule.
– Order rules by priority. The first rule that matches is the rule that applies. If a later rule contradicts, the system ignores it. If you do not define any rules, all connections are permitted.
– When a client matches none of the rules, the connection is denied. This means that if you define a deny rule, you must also define at least one permit rule, or all connections are denied.
– For both software and hardware clients, client type and software version must match (case insensitive) their appearance in the Monitoring | Sessions screen, including spaces. We recommend that you copy and paste from that screen to this one.
– Use "n/a" for either the type or the version to identify information the client does not send. For example: permit n/a:n/a = Permit any client that does not send the client type and version.
– You can use a total of 255 characters for rules. The newline between rules uses two characters. To conserve characters, use p for permit and d for deny. Eliminate spaces except as required for client type and version. You do not need a space before or after the colon (:).
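A reference evaluator for these rules, added here as an illustration and not part of the VPN Concentrator or its documentation. The rule text and client type/version strings are constructed, and treating a type or version the client did not send as the literal string n/a is an assumption.

```python
"""Added example: evaluate Client Type & Version Limiting rules as described
above (constructed rule text and client strings; not the VPN Concentrator's
own code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

MAX_RULE_CHARS = 255   # total character budget for all rules
NEWLINE_COST = 2       # each newline between rules counts as two characters
NOT_SENT = "n/a"       # stands for a type or version the client did not send


@dataclass(frozen=True)
class Rule:
    permit: bool
    type_pattern: str
    version_pattern: str


def _glob(pattern: str) -> "re.Pattern[str]":
    """'*' is the only wildcard and may appear several times; everything else
    is literal. Matching is case-insensitive, and spaces are significant."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def rule_text_length(text: str) -> int:
    """Characters consumed from the 255-character budget."""
    lines = text.splitlines()
    return sum(len(line) for line in lines) + NEWLINE_COST * max(len(lines) - 1, 0)


def parse_rules(text: str) -> List[Rule]:
    """Parse one rule per line in the form p[ermit]/d[eny] <type>:<version>."""
    if rule_text_length(text) > MAX_RULE_CHARS:
        raise ValueError("rule text exceeds %d characters" % MAX_RULE_CHARS)
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"^(p(?:ermit)?|d(?:eny)?)\s+(.+)$", line, re.IGNORECASE)
        if m is None or ":" not in m.group(2):
            raise ValueError("malformed rule: %r" % line)
        action, body = m.group(1).lower(), m.group(2)
        ctype, version = body.split(":", 1)
        # Spaces around the colon are optional; spaces inside the type
        # (e.g. "VPN 3002") are part of the value and are kept.
        rules.append(Rule(action.startswith("p"), ctype.strip(), version.strip()))
    return rules


def is_permitted(rules: List[Rule], client_type: Optional[str],
                 client_version: Optional[str]) -> bool:
    """First matching rule wins. No rules at all permits everything; rules
    with no match deny, so a deny rule needs a companion permit rule."""
    if not rules:
        return True
    # Assumption: a value the client did not send is compared as the literal "n/a".
    ctype = client_type if client_type is not None else NOT_SENT
    cver = client_version if client_version is not None else NOT_SENT
    for rule in rules:
        if _glob(rule.type_pattern).match(ctype) and _glob(rule.version_pattern).match(cver):
            return rule.permit
    return False


if __name__ == "__main__":
    # Constructed rule set: block 3.6.x on VPN 3002 hardware clients, permit everything else.
    policy = parse_rules("d VPN 3002:3.6*\np *:*")
    for t, v in [("VPN 3002", "3.6.1"), ("VPN 3002", "4.1.7"), ("WinNT", "4.0.3")]:
        print(t, v, "permit" if is_permitted(policy, t, v) else "deny")
```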
• Mode Configuration — Check this box to use Mode Configuration with IPSec clients (also known as the ISAKMP Configuration Method or Configuration Transaction). This option exchanges configuration parameters with the client while negotiating SAs. If you check this box, configure the desired Mode Configuration Parameters; otherwise, ignore them. The box is checked by default.
To use split tunneling, you must check this box.
If you checked L2TP over IPSec under Tunneling Protocols, do not check this box.
Note
IPSec uses Mode Configuration to pass all configuration parameters to a client: IP address, DNS and WINS addresses, etc. You must check this box to use Mode Configuration. Otherwise, those parameters—even if configured with entries—are not passed to the client.
Note
The Cisco VPN Client (IPSec client) supports Mode Configuration, but other IPSec clients might not. For example, the Microsoft Windows 2000 IPSec client does not support Mode Configuration. (The Windows 2000 client uses the PPP layer above L2TP to receive its IP address from the VPN Concentrator.) Determine compatibility before using this option with other vendors' clients. While this function might work with other clients, Cisco does not certify or formally support this environment for other clients.
Base Group | Client Config Tab
These base-group parameters apply to IPSec clients.
About IPSec over UDP
IPSec over UDP, sometimes called IPSec through NAT, lets you use the Cisco VPN Client or VPN 3002 hardware client to connect to the VPN Concentrator via UDP through a firewall or router that is running NAT. This feature is proprietary; it applies only to remote-access connections, and it requires Mode Configuration. Using this feature might slightly degrade system performance.
Enabling this feature creates runtime filter rules that forward UDP traffic for the configured port even if other filter rules on the interface drop UDP traffic. These runtime rules exist only while there is an active IPSec through NAT session. The system passes inbound traffic to IPSec for decryption and unencapsulation, and then passes it to the destination. The system passes outbound traffic to IPSec for encryption and encapsulation, applies a UDP header, and forwards it.
You can configure more than one group with this feature enabled, and each group can use a different port number. Port numbers must be in the 4001 through 49151 range, which is a subset of the IANA Registered Ports range.
The Cisco VPN Client must also be configured to use this feature (it is configured to use it by default). The VPN Client Connection Status dialog box indicates if the feature is being used. Refer to the VPN Client User Guide.
The VPN 3002 hardware client does not require configuration to use IPSec through NAT.
The Administration | Sessions and Monitoring | Sessions screens indicate if a session is using IPSec through NAT, and the Detail screens show the UDP port.
Note
The following restrictions apply to multiple simultaneous connections using IPSec over UDP:
Multiple simultaneous connections from VPN Client or VPN 3002 hardware client users behind a PAT (Port Address Translation) device can work, but only if the PAT device assigns a unique source port for each simultaneous user.
Some PAT devices use UDP source port = 500 for all IKE sessions, even if there are multiple sessions. This allows only one session at a time; the second connection brought up from behind this type of PAT device causes the first session to be torn down. (This is unrelated to whether or not a PAT device supports "ESP" PAT, or if you are using the IPSec UDP function.)
Therefore, for multiple simultaneous IPSec over UDP connections, use a PAT device that maps each additional session to use unique UDP source ports. Alternatively, connect additional users to different destination VPN Concentrators.
About IPSec Backup Servers
IPSec backup servers let a VPN 3002 Hardware Client or a Cisco VPN Client connect to the central site when its primary central-site VPN Concentrator is unavailable. Configure backup servers either on the client or on the primary central-site VPN Concentrator. If you configure backup servers on the central-site VPN Concentrator, that VPN Concentrator pushes the backup server policy to the clients in the group.
By default the policy is to use the backup server list configured on the client. Alternatively, the VPN Concentrator can push a policy that supplies a list of backup servers in order of priority (replacing the backup server list on the client if one is configured), or it can disable the feature and clear the backup server list on the client if one is configured.
Figure 13-4 illustrates how the backup server feature works.
Figure 13-4 Backup Server Implementation
XYZ corporation has large sites in three cities: San Jose, California; Austin, Texas; and Boston, Massachusetts. They just opened a regional sales office in Fargo, North Dakota. To provide access to the corporate network from Fargo, they use a VPN 3002 that connects to a VPN 3080 in San Jose (1). If the VPN 3002 is unable to contact the corporate network, Fargo cannot place orders. However, the IPSec backup server feature lets the VPN 3002 connect to one of several other sites, in this case using Austin (2) and Boston (3) as backup servers, in that order.
The VPN 3002 in Fargo first attempts to reach San Jose. If the initial IKE packet for that connection (1) times out (8 seconds), the VPN 3002 tries to connect to Austin (2). Should this negotiation also time out, the VPN 3002 tries to connect to Boston (3). These attempts continue until the VPN 3002 has tried all servers on its backup server list, to a maximum of 10.
Be aware of the following characteristics of the backup server feature:
• A client must connect to the primary VPN Concentrator to download a backup server list configured on the primary VPN Concentrator. If that Concentrator is unavailable, and if the client has a previously configured backup server list, it can connect to the servers on that list.
• A client can download a backup server list only from the primary VPN Concentrator. It cannot download a backup server list from a backup server.
• The VPN Concentrators that you configure as backup servers do not have to be aware of each other.
• If you change the configuration of backup servers, or delete a backup server during an active session between a client and a backup server, the session continues without adopting that change. New settings take effect the next time the client connects to its primary VPN Concentrator.
• If the VPN 3002 cannot connect after trying all backup servers on the list, it does not automatically retry.
– In Network Extension mode, the VPN 3002 attempts a new connection after 4 seconds.
– In Client mode, the VPN 3002 attempts a new connection when the user presses the Connect Now button on the Monitoring | System Status screen, or when data passes from the VPN 3002 to the VPN Concentrator.
You can configure the backup server feature from the primary VPN Concentrator or the client.
Table 13-3 Where to Configure the Backup Server Feature
VPN Concentrator | On the User Management | Base Group | Client Config Tab or the Groups | Client Config Tab.
VPN 3002 Hardware Client | On the Tunneling and Security | IPSec screen.
Note The list you configure on the VPN 3002 applies only if the option, Use Client Configured List, is set in the IPSec Backup Servers parameter. To set this parameter, go to the User Management | Groups | Client Config Tab for the primary VPN Concentrator to which the VPN 3002 connects.
VPN Client | On the Properties > Connections tab.
The group name, username, and passwords that you configure for the client must be identical for the primary VPN Concentrator and all backup servers. Also, if you require interactive hardware client authentication and/or individual user authentication for the VPN 3002 on the primary VPN Concentrator, be sure to configure it on backup servers as well. See the User Management | Groups | HW Client Tab for more information.
Configuring Backup Servers from the Cisco VPN Client
To configure backup servers on the Cisco VPN Client, check the Enable backup server(s) check box on the Properties > Connections tab. Click Add, then enter the hostname or IP address of the backup server(s). Refer to the VPN Client User Guide for your platform for more information.
About Browser Proxies for Internet Explorer on Windows
The VPN Concentrator supports configuration of a Web browser proxy for Internet Explorer on Windows platforms. This feature can automatically configure the corporate network Web proxy settings for Cisco VPN Client users, thus eliminating the need for manual adjustment by end-users. These settings also revert automatically.
If your corporate network requires Web browser proxies, you can configure how Cisco VPN Clients are automatically adjusted on this screen.
About Split Tunneling Policy
Split tunneling lets an IPSec client conditionally direct packets over an IPSec tunnel in encrypted form, or to a network interface in cleartext form. Packets not bound for destinations on the other side of the IPSec tunnel do not have to be encrypted, sent across the tunnel, decrypted, and then routed to a final destination. Split tunneling thus eases the processing load, simplifies traffic management, and speeds up untunneled traffic.

Note
To implement split tunneling for Microsoft XP clients, you must meet several conditions:
- Set the Split Tunneling Policy to Only tunnel networks in list.
- Configure network lists and default domain names in the Common Client Parameters section of this screen.
- Change the default setting on the client PC's Internet Protocol (TCP/IP) Properties window. The path is Control Panel > Network Connections > VPN > VPN Properties > Networking > Internet Protocol (TCP/IP) > Select Properties > Internet Protocol (TCP/IP) Properties window. Select Advanced and uncheck the box.
Note
If you enable both split tunneling and individual user authentication for a VPN 3002 Hardware Client, users must authenticate only when sending traffic bound for destinations on the other side of the IPSec tunnel.
Split tunneling is primarily a traffic management feature, not a security feature. In fact, for optimum security, we recommend that you not enable split tunneling. However, since only the VPN Concentrator—and not the IPSec client—can enable split tunneling, you can control implementation here and thus protect security. Split tunneling is disabled by default on both the VPN Concentrator and the client. You enable and configure the feature on the VPN Concentrator, and then the VPN Concentrator uses Mode Configuration to push it to, and enable it on, the IPSec client.
Split tunneling applies only to single-user remote-access IPSec tunnels, not to LAN-to-LAN connections.
Screen Samples
Figure 13-5 Configuration | User Management | Base Group, Client Config Tab, Cisco Client
Figure 13-6 Configuration | User Management | Base Group, Client Config Tab, Microsoft Client
Figure 13-7 Configuration | User Management | Base Group, Client Config Tab, Common Client
Screen Elements
Cisco Client Parameters
• Allow Password Storage on Client — Check this box to allow IPSec clients to store their login passwords on their local client systems. If you do not allow password storage (the default), IPSec users must enter their password each time they seek access to the VPN. For maximum security, we recommend that you not allow password storage.
This parameter also applies to VPN 3002 hardware clients running Release 4.1 or higher software.
• IPSec over UDP — Check this box to allow the Cisco VPN Client (IPSec client) or VPN 3002 hardware client to connect to the VPN Concentrator via UDP through a firewall or router using NAT. The box is unchecked by default. See About IPSec over UDP above.
• IPSec over UDP Port — Enter the UDP port number to use on the VPN Concentrator if you allow IPSec through NAT. Enter a number in the range 4001 through 49151; default is 10000.
• IPSec Backup Servers — Select the appropriate backup server configuration:
– Select Use the list below to configure backup servers on the primary central-site VPN Concentrator.
Enter either the IP addresses or the hostnames of the VPN Concentrators that are to be backup servers. The IP address is the IP address of the VPN Concentrator public interface.
Note
If you are using hostnames, it is wise to have backup DNS and WINS servers on a separate network from that of the primary DNS and WINS servers. Otherwise, if clients behind a VPN 3002 obtain DNS and WINS information from the VPN 3002 through DHCP, and the connection to the primary server is lost, and the backup servers have different DNS and WINS information, clients cannot be updated until the DHCP lease expires. Further, if you use hostnames and the DNS server is unavailable, significant delays can occur.
You can enter up to 10 backup servers, in order of highest to lowest priority. Enter each backup server on a single line, using the Enter or Return key for each new line.
Should there be a backup server list already configured on the client, this list on the central-site VPN Concentrator replaces it, and becomes the list of backup servers on the client.
If you change the configuration of backup servers, or delete a backup server during an active session between a client and a backup server, the session continues without adopting that change. New settings take effect in the next new session.
– Select Use client configured list to configure backup servers on the VPN 3002. You then configure backup servers in the VPN 3002 Configuration | System | Tunneling Protocols | IPSec screen. Refer to the Tunneling chapter in the VPN 3002 Hardware Client User Reference for instructions.
– Select Disable and clear client configured list to disable the backup server feature. If you disable the feature from the primary VPN Concentrator, the feature is disabled and the list of backup servers configured on the client, if there is one, is cleared.
See About IPSec Backup Servers above for more information.
Microsoft Client Parameters
• Intercept DHCP Configure Message — Check this box to enable DHCP Intercept. DHCP Intercept lets Microsoft XP clients implement split-tunneling with a VPN Concentrator. The VPN Concentrator replies directly to the Microsoft Windows XP client DHCP Inform message, providing that client with the subnet mask, domain name, and classless static routes for the tunnel IP address. For Windows clients prior to XP, DHCP Intercept provides the domain name and subnet mask. This is useful in environments in which using a DHCP server is not advantageous.
Note
A Microsoft XP anomaly results in the corruption of domain names if split tunnel options exceed 255 bytes. The VPN Concentrator limits the number of routes it sends to 27-40 routes, with the number of routes dependent on the classes of the routes, to avoid this problem.
• Subnet Mask — Enter the subnet mask for clients requesting Microsoft DHCP options.
• IE Proxy Server Policy — Choose one of the available options:
– Do not modify proxy settings: Leave the HTTP proxy server setting in Internet Explorer, whether active or unconfigured, unchanged for client PCs.
– No Proxy: Disable the HTTP proxy server, if any, configured in Internet Explorer on client PCs.
– Auto Detect Proxy: Set Internet Explorer on the client PCs to use the automatic proxy detection feature.
– Use proxy server/port listed below: Set the HTTP proxy server setting in Internet Explorer on client PCs according to values you configure in the IE Proxy Server field on this configuration screen.
• IE Proxy Server — Type the proxy server name or IP address and port number for use by the Internet Explorer browser on Windows client PCs. Separate the name or IP address from the port number with a colon (:). Make sure that the Use proxy server/port listed below radio button is selected in the section above.
• IE Proxy Server Exception List — If desired, enter a list of domain names or specific addresses that should not be accessed through a proxy server. You can use wildcards. Enter each exception on a single line.
• Bypass Proxy Server for Local Addresses — Check this box to allow local requests (addresses inside the corporate network) to bypass the proxy server.
Common Client Parameters
• Banner — Enter the welcome text that this group's IPSec clients see when they log in. The maximum length is 510 characters. You can use ASCII characters, including new line (the Enter key, which counts as two characters).
You can display a banner to VPN Clients, WebVPN users, and on VPN 3002 hardware clients that are configured for individual user authentication.
• Split Tunneling Policy — Select a split tunneling policy. The default policy is Tunnel Everything. Tunnel Everything disables split tunneling. When Tunnel Everything is configured, all traffic from remote clients in this group travels over the secure IPSec tunnel in encrypted form. No traffic goes in the clear or to any other destination than the VPN Concentrator. Remote users in this group reach internet networks through the corporate network and do not have access to local networks.
If users in this group need access to local networks, choose Allow Networks in List to Bypass Tunnel. This option allows you to define a list of networks to which traffic goes in the clear. This feature is useful for remote users who want to access devices on their local network, such as printers, while they are connected to the corporate network through a tunnel.
To configure the Allow Networks in List to Bypass Tunnel option, choose VPN Client Local LAN from the Split Tunneling Network List menu. The VPN Client Local LAN option allows all users in the group to access all devices on their local networks. If you want to restrict users' access to particular devices on their local network, you need to know the addresses of the local devices the remote users in this group want to access. Create a network list of these addresses, then choose that network list from the Split Tunneling Network List menu. You can apply only one network list to a group, but one network list can contain up to 10 network entries. (See the Policy Management | Traffic Management | Network Lists screens for more information on creating network lists.) You also must enable Local LAN Access on the VPN Client. See the VPN Client Administrator Guide for more details.
Note
The Allow Networks in List to Bypass Tunnel option allows remote users to access only devices that are located on the same network interface as the tunnel. If a remote user's local LAN is located on a different network interface than the tunnel, the user cannot access it.
To allow remote users to access internet networks without tunneling through the corporate network, enable split tunneling. To enable split tunneling, choose Only Tunnel Networks in List. To configure this option, create a network list of addresses to tunnel. Then select this network list from the Split Tunneling Network List menu. Data to all other addresses is sent in the clear and routed by the remote user's internet service provider.
We recommend that you keep the base-group default, and that you enable and configure the split tunneling policy selectively for each group.
– Tunnel everything = Send all data via the secure IPSec tunnel.
– Allow networks in list to bypass the tunnel = Send all data via the secure IPSec tunnel except for data to addresses on the network list. The purpose of this option is to allow users who are tunneling all traffic to access devices such as printers on their local networks. This setting applies only to the Cisco VPN Client.
– Only tunnel networks in list = Send data to addresses on the network list via secure IPSec tunnel. Data bound for any other address goes in the clear. The purpose of this option is to allow remote users to access internet networks without requiring them to be tunneled through the corporate network.
• Split Tunneling Network List — Click the drop-down menu button and select the split tunneling address list to use with this group's remote-access IPSec clients.
Both the Allow Networks in List to Bypass Tunnel option and the Only Tunnel Networks in List option make split tunneling decisions on the basis of a network list, which is a list of addresses on the private network. But the network list functions differently in each configuration.
In an Allow Networks in List to Bypass Tunnel configuration, the IPSec client uses the network list as an exclusion list: a list of addresses to which traffic should be sent in the clear. All other traffic is routed over the IPSec tunnel.
In an Only Tunnel Networks in List configuration, the IPSec client uses the network list as an inclusion list: a list of networks for which traffic should be sent over the IPSec tunnel. The IPSec client establishes an IPSec Security Association (SA) for each network specified in the list. Outbound packets with destination addresses that match one of the SAs are sent over the tunnel; everything else is sent as clear text to the locally connected network.
– None = No network address lists are configured.
– VPN Client Local LAN (default) = All addresses on the client's local network. The VPN Client Local LAN network list is a wildcard value that represents the client's local network. It corresponds to the address 0.0.0.0/0.0.0.0, which represents the IP address of the client's network card on which the tunnel is established. This option is the default associated with Allow Networks in List to Bypass Tunnel. It does not apply to the Only Tunnel Networks in List option.
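Decision logic for the Split Tunneling Policy and its network list (covering both the policy options and the inclusion/exclusion list behaviour described above), as an added illustration that is not the VPN Concentrator's own code. The destination addresses and list entries are constructed, entries are assumed to be written as address/mask, and the client's own local subnet, which the 0.0.0.0/0.0.0.0 wildcard stands for, is passed in as a parameter.

```python
"""Added example: how the Split Tunneling Policy and Split Tunneling Network
List decide, per destination, whether a packet goes through the IPSec tunnel
or in the clear (constructed data; not the VPN Concentrator's own code)."""
import ipaddress
from typing import Sequence

TUNNEL_EVERYTHING = "Tunnel everything"
BYPASS_LIST = "Allow networks in list to bypass the tunnel"
ONLY_LIST = "Only tunnel networks in list"
LOCAL_LAN_WILDCARD = "0.0.0.0/0.0.0.0"   # the "VPN Client Local LAN" entry
MAX_NETWORK_ENTRIES = 10                 # one network list holds up to 10 entries


def resolve_network_list(entries: Sequence[str], local_lan: str) -> list:
    """Expand a network list into concrete networks. Entries are assumed to be
    written as address/mask; the 0.0.0.0/0.0.0.0 wildcard is replaced by the
    client's own local subnet (assumption) rather than treated as 'any address'."""
    if len(entries) > MAX_NETWORK_ENTRIES:
        raise ValueError("a network list holds at most %d entries" % MAX_NETWORK_ENTRIES)
    nets = []
    for entry in entries:
        if entry == LOCAL_LAN_WILDCARD:
            nets.append(ipaddress.ip_network(local_lan, strict=False))
        else:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def send_over_tunnel(policy: str, entries: Sequence[str], destination: str,
                     local_lan: str) -> bool:
    """Return True if the client encrypts and tunnels a packet for
    `destination`, False if the packet is sent in the clear."""
    dst = ipaddress.ip_address(destination)
    nets = resolve_network_list(entries, local_lan)
    in_list = any(dst in net for net in nets)
    if policy == TUNNEL_EVERYTHING:
        return True            # split tunneling disabled; the list is ignored
    if policy == BYPASS_LIST:
        return not in_list     # exclusion list: listed networks go in the clear
    if policy == ONLY_LIST:
        return in_list         # inclusion list: one SA per listed network, rest in clear
    raise ValueError("unknown policy: %r" % policy)


if __name__ == "__main__":
    lan = "192.168.1.0/24"                       # constructed client local subnet
    corp = ["10.0.0.0/255.0.0.0", "172.16.0.0/12"]  # constructed private networks
    for policy, entries in [(TUNNEL_EVERYTHING, []),
                            (BYPASS_LIST, [LOCAL_LAN_WILDCARD]),
                            (ONLY_LIST, corp)]:
        for dst in ("192.168.1.10", "10.20.30.40", "8.8.8.8"):
            where = "tunnel" if send_over_tunnel(policy, entries, dst, lan) else "clear"
            print("%-45s %-14s %s" % (policy, dst, where))
```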
• Default Domain Name — Enter the default domain name that the VPN Concentrator passes to the IPSec client, for the client's TCP/IP stack to append to DNS queries that omit the domain field. This domain name applies only to tunneled packets. For example, if this entry is xyzcorp.com, a DNS query for mail becomes mail.xyzcorp.com. The maximum name length is 255 characters. The Manager checks the domain name for valid syntax.
• Split DNS Names — Enter each domain name to be resolved by the internal server. Use commas but no spaces to separate the names.
Split DNS lets an internal DNS server resolve a list of centrally-defined Local Domain Names, while ISP-assigned DNS servers resolve all other DNS requests. It is used in split-tunneling connections; the internal DNS server resolves the domain names for traffic through the tunnel, and the ISP-assigned DNS servers resolve DNS requests that travel in the clear to the Internet.
The VPN Concentrator does not support split DNS for Microsoft VPN Clients; however, it does support split DNS for the Cisco VPN Client operating on Microsoft Windows operating systems.
Base Group | Client FW Tab
This tab lets you configure firewall parameters for VPN Clients.
Note
Only VPN Clients running Microsoft Windows can use these firewall features. They are presently not available to hardware clients or other (non-Windows) software clients.
A firewall isolates and protects a computer from the Internet by inspecting each inbound and outbound individual packet of data to determine whether to allow or drop it. Firewalls provide extra security if remote users in a group have split tunneling configured. In this case, the firewall protects the user's PC, and thereby the corporate network, from intrusions by way of the Internet or the user's local LAN.
Remote users connecting to the VPN Concentrator with the VPN Client can choose from three possible firewall options.
In the first scenario, a remote user has a personal firewall installed on the PC. The VPN Client enforces firewall policy defined on the local firewall, and it monitors that firewall to make sure it is running. If the firewall stops running, the VPN Client drops the connection to the VPN Concentrator. (This firewall enforcement mechanism is called Are You There (AYT), because the VPN Client monitors the firewall by sending it periodic "are you there?" messages; if no reply comes, the VPN Client knows the firewall is down and terminates its connection to the VPN Concentrator.) The network administrator might configure these PC firewalls originally, but with this approach, each user can customize his or her own configuration.
In the second scenario, you might prefer to enforce a centralized firewall policy for personal firewalls on VPN Client PCs. A common example would be to block Internet traffic to remote PCs in a group using split tunneling. This approach protects the PCs, and therefore the central site, from intrusions from the Internet while tunnels are established. This firewall scenario is called push policy or Central Protection Policy (CPP). On the VPN Concentrator, you create a set of traffic management rules to enforce on the VPN Client, associate those rules with a filter, and designate that filter as the firewall policy. The VPN Concentrator pushes this policy down to the VPN Client. The VPN Client then in turn passes the policy to the local firewall, which enforces it.
A third scenario is to use a separate firewall server—the Zone Labs Integrity Server (IS)—to secure remote PCs on Windows platforms. The IS maintains policies for remote VPN Client PCs and monitors the PCs to ensure policy enforcement. The IS also communicates with the VPN Concentrator to allow and terminate connections, exchange session and user information, and report status information. For more details on how the VPN Concentrator interacts with the VPN Client, personal firewalls, and the Zone Labs Integrity Server, see the VPN Client Administrator Guide. For information on configuring the Zone Labs Integrity Server, refer to Zone Labs' documentation.
Figure 13-8 Configuration | User Management | Base Group | Client FW Parameters Tab
Screen Elements
•
Firewall Setting — Click the radio button to select a firewall setting:
–
No Firewall = No firewall is required for remote users in this group.
–
Firewall Required = All remote users in this group must use a specific firewall. Only those users with the designated firewall can connect.
Note
If you require a firewall for a group, make sure the group does not include any clients other than Windows VPN Clients. Any other clients in the group (including VPN 3002 Hardware Clients) are unable to connect.
–
Firewall Optional = All remote users in this group can connect. Those that have the designated firewall can use it. Those who do not have a firewall receive a warning message.
By default, no firewall is required for remote users in this group. If you want users in this group to be firewall-protected, choose either the Firewall Required or Firewall Optional setting.
If you choose Firewall Required, all users in this group must use the designated firewall. The VPN Concentrator drops any session that attempts to connect without the designated, supported firewall installed and running. In this case, the VPN Concentrator notifies the VPN Client that its firewall configuration does not match.
If you have remote users in this group who do not yet have firewall capacity, choose Firewall Optional. The Firewall Optional setting allows all the users in the group to connect. Those who have a firewall can use it; users that connect without a firewall receive a warning message. This setting is useful if you are creating a group in which some users have firewall support and others do not—for example, you may have a group that is in gradual transition, in which some members have set up firewall capacity and others have not yet done so.
•
Firewall — Choose a firewall for the users in this group. Keep in mind when choosing that the firewall you designate correlates with the firewall policies available. The specific firewall you configure determines which firewall policy options are supported. (See Table 13-5 for details.)
Click the drop-down menu button, and select the type of firewall required for users in this group.
–
Cisco Integrated Client Firewall refers to the stateful firewall built into the VPN Client.
–
Cisco Intrusion Prevention Security Agent refers to the Cisco Systems security agent.
–
Custom Firewall refers to a combination of the listed firewalls, or to other firewalls not listed. If you choose this option, you must create your own list of firewalls in the Custom Firewall field.
Note
You do not need to use the Custom option for Release 4.0. Currently, all supported firewalls are covered by the other Firewall menu options.
•
Custom Firewall — Enter a single vendor code and one or more product codes. At present every supported firewall can be chosen directly from the Firewall menu on the VPN Concentrator, so this field is mainly for future use. Nevertheless, the following table lists the vendor codes and product codes that are currently supported.
Table 13-4 Custom Vendor and Product codes

Vendor        | Vendor Code | Products                                  | Product Code
Cisco Systems | 1           | Cisco Integrated Client (CIC)             | 1
Cisco Systems | 5           | Cisco Intrusion Prevention Security Agent | 1
Zone Labs     | 2           | Zone Alarm                                | 1
Zone Labs     | 2           | Zone AlarmPro                             | 2
Zone Labs     | 2           | Zone Labs Integrity                       | 3
NetworkICE    | 3           | BlackIce Defender/Agent                   | 1
Sygate        | 4           | Personal Firewall                         | 1
Sygate        | 4           | Personal Firewall Pro                     | 2
Sygate        | 4           | Security Agent                            | 3
The VPN Concentrator can support any firewall that the VPN Client supports. Refer to the VPN Client Administrator Guide for the latest list of supported clients.
–
Vendor ID — Enter the vendor code for the firewall(s) that remote users in this group are using. Enter only one vendor.
–
Product ID — Enter the product code or codes for the firewall(s) that remote users in this group are using. To indicate any supported product, enter 255. Separate multiple codes with commas. Indicate code ranges with hyphens, for example: 4-20.
–
Description — Enter a description (optional) for the custom firewall.
•
Firewall Policy — Choose the source for the VPN Client firewall policy.
–
Policy defined by remote firewall (AYT) = Remote users in this group have firewalls located on their PCs. The local firewall enforces the firewall policy on the VPN Client. The VPN Concentrator allows VPN Clients in this group to connect only if they have the designated firewall installed and running. If the designated firewall is not running, the connection fails. Once the connection is established, the VPN Client polls the firewall every 30 seconds to make sure that it is still running. If the firewall stops running, the VPN Client ends the session.
–
Policy Pushed (CPP) = The VPN Concentrator enforces on the VPN clients in this group the traffic management rules defined by the filter you choose from the Policy Pushed (CPP) drop-down menu. The choices available on the menu are filters defined on this VPN Concentrator, including the default filters. Keep in mind that the VPN Concentrator pushes these rules down to the VPN client, so you should create and define these rules relative to the VPN client, not the VPN Concentrator. For example, "in" and "out" refer to traffic coming into the VPN Client or going outbound from the VPN Client.
If the VPN Client also has a local firewall, the policy pushed from the VPN Concentrator works with the policy of the local firewall. Any packet that is blocked by the rules of either firewall is dropped.
–
Policy from Server = Users in this group use a Zone Labs Integrity Server to configure and manage firewall security on their remote PCs. If you choose this option, you must also configure the server address on the System | Servers | Firewall screen.
Depending on which firewall you configured, certain Firewall Policy options are available. (See Table 13-5.)
Table 13-5 Firewall Policy Options Available for Each Firewall

Firewall                                       | Policy Defined by Remote Firewall (AYT) | Policy Pushed (CPP) | Policy from Server
Cisco Integrated Client Firewall               | No                                      | Yes                 | No
Network ICE BlackICE Defender                  | Yes                                     | No                  | No
Zone Labs ZoneAlarm                            | Yes                                     | Yes                 | No
Zone Labs ZoneAlarm Pro                        | Yes                                     | Yes                 | No
Zone Labs ZoneAlarm or Zone Labs ZoneAlarm Pro | Yes                                     | Yes                 | No
Zone Labs Integrity                            | No                                      | No                  | Yes
Sygate Personal Firewall                       | Yes                                     | No                  | No
Sygate Personal Firewall Pro                   | Yes                                     | No                  | No
Sygate Security Agent                          | Yes                                     | No                  | No
Cisco Intrusion Prevention Security Agent      | Yes                                     | No                  | No
Custom Firewall                                | N/A (this field is for future use)
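As an added example (not code from this guide or from the VPN Concentrator), the following parses a Custom Firewall Product ID field in the syntax described above (comma-separated codes, hyphenated ranges, 255 for any product), matches it against the vendor and product codes a client reports, and applies the three Firewall Setting choices together with the AYT liveness check, so that a designated firewall that is installed but not running is treated as absent. The client report format (a vendor code, product code pair plus a running flag) and all function names are assumptions; the codes used in the sample come from Table 13-4.

```python
"""Added example: Custom Firewall code matching and the Firewall Setting decision.
Not code from the VPN 3000 guide or the VPN Concentrator; the client report
format and the function names are assumptions. Codes follow Table 13-4."""

from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

ANY_PRODUCT = 255  # Product ID wildcard defined by the guide


def parse_product_ids(spec: str) -> FrozenSet[int]:
    """'1,3,5-7' -> {1, 3, 5, 6, 7}; '255' -> {255}, meaning any product."""
    ids = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad range {part!r}")
            ids.update(range(lo, hi + 1))
        else:
            ids.add(int(part))
    if not ids:
        raise ValueError("Product ID field is empty")
    return frozenset(ids)


@dataclass(frozen=True)
class CustomFirewall:
    vendor_id: int                 # exactly one vendor per group
    product_ids: FrozenSet[int]

    def matches(self, vendor: int, product: int) -> bool:
        return self.vendor_id == vendor and (
            ANY_PRODUCT in self.product_ids or product in self.product_ids)


def admit(setting: str, designated: CustomFirewall,
          report: Optional[Tuple[int, int]], running: bool) -> Tuple[str, str]:
    """Apply the Firewall Setting radio button to a connecting client.

    report  -- (vendor code, product code) the VPN Client advertises, or None
    running -- result of the AYT liveness check on that firewall (assumed input)
    Returns (decision, reason) with decision in {'connect', 'warn', 'drop'}.
    """
    if setting == "No Firewall":
        return "connect", "no firewall required for this group"
    present = report is not None and designated.matches(*report) and running
    if present:
        return "connect", "designated firewall installed and running"
    if setting == "Firewall Required":
        return "drop", "firewall configuration does not match"
    if setting == "Firewall Optional":
        return "warn", "connected without the designated firewall"
    raise ValueError(f"unknown Firewall Setting {setting!r}")


if __name__ == "__main__":
    # Zone Labs (vendor 2), ZoneAlarm or ZoneAlarm Pro (products 1-2)
    zone_alarm = CustomFirewall(2, parse_product_ids("1-2"))
    print(admit("Firewall Required", zone_alarm, (2, 2), True))
    print(admit("Firewall Required", zone_alarm, (2, 3), True))   # Zone Labs Integrity
    print(admit("Firewall Optional", zone_alarm, None, False))
```

Note that under Firewall Optional the client is admitted in every case; the warning is the only signal, which is why the text positions that setting as a transition aid rather than an enforcement mode.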
Base Group | HW Client Tab
The Hardware Client parameters tab lets you configure several features for the VPN 3002 and its users in the base group.
Figure 13-9 Configuration | User Management | Base Group, HW Client Parameters Tab
Screen Elements
•
Require Interactive Hardware Client Authentication — Check this box to enable interactive authentication for VPN 3002s in the base group. For more information, see the section, "About Interactive Hardware Client Authentication," below.
•
Require Individual User Authentication — Check this box to enable individual user authentication for users behind VPN 3002s in the base group. To display a banner to VPN 3002s in a group, individual user authentication must be enabled. For more information, see the section, "About Individual User Authentication," below.
•
User Idle Timeout — Enter the idle timeout period in minutes. If there is no communication activity on a user connection in this period, the system terminates the connection. The minimum is 1 minute, the default is 30 minutes, and the maximum is 10080 minutes. To disable timeout and allow an unlimited idle period, enter 0.

Note
This value applies to WebVPN users unless you set it to 0 (zero). In that case, the WebVPN Default Idle Timeout set in Tunneling and Security | WebVPN | HTTP/HTTPS Proxy applies.
We recommend that you set a short idle-timeout value for WebVPN users. When a browser is set to disable cookies, or prompts for cookies but denies them, users do not connect, but they still appear in the Administration | Administer Sessions | RAS database. If Simultaneous Logins (User Management | Base Group | General Tab or Groups | General Tab) is set to one, the user cannot log in again because the maximum number of connections already exists. If you set a low idle timeout for WebVPN users, these cookies are deleted quickly, letting a user reconnect.
•
Cisco IP Phone Bypass — Check this box to let IP phones bypass the interactive individual user authentication processes. If enabled, interactive hardware client authentication remains in effect.
Note
You must configure the VPN 3002 to use network extension mode for IP phone connections.
•
LEAP Bypass — Check this box to let LEAP packets from Cisco wireless devices bypass the individual user authentication processes (if enabled).
LEAP (Lightweight Extensible Authentication Protocol) Bypass lets LEAP packets from devices behind a VPN 3002 travel across a VPN tunnel prior to individual user authentication. This lets workstations using Cisco wireless access point devices establish LEAP authentication. Then they authenticate again per individual user authentication (if enabled). For more information about LEAP Bypass, see the section, "About LEAP Bypass," below.
Note
This feature does not work as intended if you enable interactive hardware client authentication.
•
Allow Network Extension Mode — This feature lets you restrict the use of network extension mode on the VPN 3002. Check the box to let VPN 3002s use network extension mode.
Network extension mode is required for the VPN 3002 to support IP phone connections. This is because the Call Manager can communicate only with actual IP addresses.
Note
If you disallow network extension mode, the default setting, the VPN 3002 can connect to this VPN Concentrator in PAT mode only. If you disallow network extension mode here, be careful to configure all VPN 3002s in a group for PAT mode. If a VPN 3002 is configured to use network extension mode and the VPN Concentrator to which it connects disallows network extension mode, the VPN 3002 attempts to connect every 4 seconds, and every attempt is rejected. In this situation, the VPN 3002 puts an unnecessary processing load on the VPN Concentrator to which it connects; if large numbers of VPN 3002s are misconfigured in this way, the VPN Concentrator has a reduced ability to provide service.
About Interactive Hardware Client Authentication
Interactive hardware client authentication provides the central site with additional security by requiring the VPN 3002 to authenticate with a username and password that you enter manually each time the VPN 3002 initiates a tunnel. With this feature enabled the VPN 3002 does not have a saved username and password. When you enter the username and password, the VPN 3002 sends these credentials to the VPN Concentrator to which it connects. The VPN Concentrator facilitates authentication, on either the internal or an external authentication server. If the username and password are valid, the tunnel is established.
You configure interactive hardware client authentication in Hardware Client tab of the User Management | Groups screen on the VPN Concentrator at the central site, which then pushes the policy to the VPN 3002.
You specify the type of authentication server in the IPSec tab of the User Management | Groups screen on the VPN Concentrator. The VPN 3002 authenticates on the first server of that type that you configure in the System | Servers | Authentication screen or User Management | Groups | Authentication Servers screen. If the VPN 3002 cannot reach that server, it authenticates on the next server of that type in the list of authentication servers.
Enabling and Later Disabling Interactive Hardware Client Authentication
When you enable interactive hardware client authentication for a group, the VPN Concentrator pushes that policy to the VPN 3002s in the group. If you have previously set a username and password on the VPN 3002, the software deletes them from the configuration file. When you try to connect, the software prompts you for a username and password.
If, on the VPN Concentrator, you subsequently disable interactive hardware authentication for the group, it is enabled locally on the VPN 3002s, and the software continues to prompt for a username and password. This lets the VPN 3002 connect, even though it lacks a saved username and password, and the VPN Concentrator has disabled interactive hardware client authentication.
If you subsequently configure a username and password (in the VPN 3002 Tunneling and Security | IPSec screen), the feature is disabled, and the prompt no longer displays. The VPN 3002 connects to the VPN Concentrator using the saved username and password.
About Individual User Authentication
Individual user authentication protects the central site from access by unauthorized persons on the private network of the VPN 3002.
When you enable individual user authentication, each user that connects through a VPN 3002 must open a web browser and manually enter a valid username and password to access the network behind the VPN Concentrator, even though the tunnel already exists.
To display a banner to VPN 3002s in a group, individual user authentication must be enabled.
Note
You cannot use the command-line interface to log in if user authentication is enabled. You must use a browser.
•
If you have a default home page on the remote network behind the VPN Concentrator, or direct the browser to a website on the remote network behind the VPN Concentrator, the VPN 3002 directs the browser to the proper pages for user login. When you successfully log in, the browser displays the page you originally entered.
•
If you try to access resources on the network behind the VPN Concentrator that are not web-based, for example, e-mail, the connection fails until you authenticate using a browser.
•
Enter the IP address of the private interface of the VPN 3002 in the browser Location or Address field. The browser then displays the login screen for the VPN 3002. Click the Connect/Login Status button to authenticate.
•
One user can log in for a maximum of four sessions simultaneously.
Individual users authenticate according to the order of authentication servers that you configure for a group. To configure authentication servers for individual user authentication, see the sections, Configuration | User Management | Base Group/Groups | Authentication Servers | Add/Modify.
Backup Servers with Interactive Hardware Client and Individual User Authentication
Be sure to configure any backup servers for the VPN 3002 with the same values as the primary VPN Concentrator for interactive hardware client authentication and individual user authentication. For information about configuring backup servers, see User Management | Base Group | Client Config Tab.
Accounting with Interactive Hardware Client and Individual User Authentication
If a VPN 3002 authenticates to a VPN Concentrator, and you have enabled accounting, the VPN Concentrator notifies the RADIUS accounting server when the VPN 3002 logs on and off. It also keeps track of individual users. See System | Servers | Accounting.
About LEAP Bypass
IEEE 802.1X is a standard for authentication on wired and wireless networks. It provides wireless LANs with strong mutual authentication between clients and authentication servers, which can provide dynamic per-user, per-session Wired Equivalent Privacy (WEP) keys, removing administrative burdens and security issues that are present with static WEP keys.
Cisco Systems has developed an 802.1X wireless authentication type called Cisco LEAP. LEAP implements mutual authentication between a wireless client on one side of a connection and a RADIUS server on the other side. The credentials used for authentication, including the password, are never transmitted in the clear over the wireless medium; LEAP sends MS-CHAP-style challenge responses derived from the password instead. Those responses are susceptible to offline dictionary attack when the password is weak, so LEAP Bypass does not lessen the need for strong wireless credentials.
Note
Cisco LEAP authenticates wireless clients to RADIUS servers. It does not include RADIUS accounting services.
LEAP Bypass for the VPN 3002
LEAP users behind a VPN 3002 have a circular dilemma: they cannot negotiate LEAP authentication because they cannot send their credentials to the RADIUS server behind the central site device over the tunnel. The reason they cannot send their credentials over the tunnel is that they have not authenticated on the wireless network. To solve this problem, LEAP Bypass lets LEAP packets, and only LEAP packets, traverse the tunnel to authenticate the wireless connection to a RADIUS server before individual users authenticate. Then the users proceed with individual user authentication.
LEAP Bypass works as intended under the following conditions:
•
The interactive unit authentication feature (intended for wired devices) must be disabled. If interactive unit authentication is enabled, a non-LEAP (wired) device must authenticate the VPN 3002 before LEAP devices can connect using that tunnel.
•
Individual user authentication is enabled (if it is not, you do not need LEAP Bypass).
•
Access points in the wireless environment must be Cisco Aironet Access Points. The wireless NIC cards for PCs can be other brands.
•
The Cisco Aironet Access Point must be running Cisco Discovery Protocol (CDP).
•
The VPN 3002 can operate in either client mode or network extension mode.
•
LEAP packets travel over the tunnel to a RADIUS server via ports 1645 or 1812.
Note
There may be security risks in allowing any unauthenticated traffic to traverse the tunnel.
Summary of VPN 3002 Authentication Features
Table 13-6 summarizes how authentication of the VPN 3002 works by default, and how it works with interactive hardware client authentication and individual user authentication enabled. You can enable both interactive hardware client authentication and individual user authentication at the same time, or either one without the other.
Table 13-6 Authenticating the VPN 3002 Hardware Client and Users

Authentication with Saved Username and Password (the default option)
• Authenticates the VPN 3002.
• On the VPN 3002, you configure the username and password in either of these screens: Configuration | Quick | IPSec, or Tunneling and Security | IPSec.
• The VPN 3002 saves the username and password.
• Requires no user interaction subsequent to initial configuration.
• The VPN 3002 authenticates on the first server of the type that you configure. If the VPN 3002 cannot reach that server, it authenticates on the next server of that type in the list of authentication servers.

Interactive Hardware Client Authentication
• Authenticates the VPN 3002.
• You do not configure the username and password on the VPN 3002.
• The VPN 3002 does not save the username and password.
• You are prompted to enter a username and password each time the VPN 3002 initiates the tunnel.
• You enable it on the VPN Concentrator, which pushes the policy to the VPN 3002.
• The VPN 3002 authenticates on the first server of the type that you configure. If the VPN 3002 cannot reach that server, it authenticates on the next server of that type in the list of authentication servers.

Individual User Authentication
• Authenticates a user or device on the private LAN behind the VPN 3002.
• You do not configure the username and password on the VPN 3002.
• The VPN 3002 does not save the username and password.
• You open a web browser and enter a username and password when prompted, even though the tunnel already exists. You cannot use the command-line interface.
• You enable it on the VPN Concentrator, which pushes the policy to the VPN 3002.
• Individual users authenticate according to the order of authentication servers configured, regardless of type.
• Individual users can authenticate according to the values of an embedded group rather than the tunnel group. See the section, System | General | Global Authentication Parameters of this guide.

LEAP Bypass
• Authenticates a wireless user or device on the private LAN behind the VPN 3002.
• You configure the Aironet Client Utility to use a saved username and password, or to prompt for a username and password each time a client connects. For more information, refer to the Cisco Aironet Wireless LAN Adapters Installation and Configuration Guide.
• If you use a saved username and password, LEAP requires no user interaction subsequent to initial configuration. Otherwise the Aironet Client Utility prompts you to enter a username and password.
• You enable it on the VPN Concentrator, which pushes the policy to the VPN 3002.
• Individual users authenticate to RADIUS servers according to how the authentication servers are configured on the Aironet Access Point.
Base Group | PPTP/L2TP Tab
This tab lets you configure PPTP and L2TP parameters that apply to the base group. During tunnel establishment, the client and server negotiate access and usage based on these parameters. Only clients that meet these criteria are allowed access. If you checked PPTP, L2TP, or L2TP over IPSec under Tunneling Protocols on the General Parameters tab, configure these parameters.
Figure 13-10 Configuration | User Management | Base Group Screen, PPTP/L2TP Tab
Screen Elements
•
Use Client Address — Check this box to accept and use an IP address that the client supplies. A client must have an IP address to function as a tunnel endpoint; but for maximum security, we recommend that you control IP address assignment and that you do not allow client-supplied IP addresses (the default).
Make sure the setting here is consistent with the setting for Use Client Address on the System | Address Management | Assignment screen.
•
PPTP Authentication Protocols — Check the boxes for the authentication protocols that PPTP clients can use. To establish and use a VPN tunnel, users should be authenticated in accordance with a protocol.
Caution
Unchecking all authentication options means that no authentication is required. That is, PPTP users can connect with no authentication. This configuration is allowed so you can test connections, but it is not secure.
These choices specify the allowable authentication protocols in order from least secure to most secure.
–
PAP = Password Authentication Protocol. This protocol passes cleartext username and password during authentication and is not secure. We strongly recommend that you not allow this protocol. It is not allowed by default.
–
CHAP = Challenge-Handshake Authentication Protocol. In response to the server challenge, the client returns a one-way hash (MD5) computed over the challenge and the password, together with a cleartext username; the server must hold the cleartext password to verify it. It is more secure than PAP because the password itself never crosses the wire, but it does not encrypt data. It is allowed by default.
–
MSCHAPv1 = Microsoft Challenge-Handshake Authentication Protocol version 1. This protocol is similar to, but more secure than, CHAP. In response to the server challenge, the client returns a response computed from the challenge and a hash of the password, with a cleartext username. Thus the server stores, and compares, only password hashes, rather than cleartext passwords as in CHAP. This protocol also generates a key for data encryption by MPPE (Microsoft Point-to-Point Encryption). This protocol is allowed by default. If you check Required under PPTP Encryption, you must allow one or both MSCHAP protocols and no other.
–
MSCHAPv2 = Microsoft Challenge-Handshake Authentication Protocol version 2. This protocol is even more secure than MSCHAPv1. It requires mutual client-server authentication, uses session-unique keys for data encryption by MPPE, and derives different encryption keys for the send and receive paths. This protocol is not allowed by default. The VPN Concentrator internal user authentication server supports this protocol, but external authentication servers do not. If you check Required under PPTP Encryption, you must allow one or both MSCHAP protocols and no other.
–
EAP Proxy = Extensible Authentication Protocol, defined in RFC 2284. EAP enables the VPN Concentrator to proxy the entire PPTP/L2TP authentication process to an external RADIUS authentication server. It provides additional authentication options for the Microsoft VPN Client (L2TP/IPSec), including EAP/MD5, Smartcards and certificates (EAP/TLS), and RSA SecurID (EAP/SDI). It requires that you configure an EAP enabled RADIUS server. You cannot configure EAP if you are using encryption. It is configurable at the base group or group levels.
•
PPTP Encryption — Check the boxes for the data encryption options that apply to PPTP clients.
–
Required = During connection setup, PPTP clients must agree to use Microsoft encryption (MPPE) to encrypt data or they will not be connected. This option is unchecked by default. If you check this option, you must also allow only MSCHAPv1 and/or MSCHAPv2 under PPTP Authentication Protocols, and you must also check 40-bit and/or 128-bit here. Do not check this option if you use NT Domain user authentication; NT Domain authentication cannot negotiate encryption.
–
Require Stateless = During connection setup, PPTP clients must agree to use stateless encryption to encrypt data or they will not be connected. With stateless encryption, the encryption keys are changed on every packet; otherwise, the keys are changed after some number of packets or whenever a packet is lost. Stateless encryption is more secure, but it requires more processing. However, it might perform better in a lossy environment (where packets are lost), such as the Internet. This option is not checked by default. Do not check this option if you use NT Domain user authentication; NT Domain authentication cannot negotiate encryption.
–
40-bit = PPTP clients are allowed to use the RSA RC4 encryption algorithm with a 40-bit key. This is significantly less secure than the 128-bit option. Microsoft encryption (MPPE) uses this algorithm. This option is checked by default. If you check Required, you must check this option and/or the 128-bit option.
–
128-bit = PPTP clients are allowed to use the RSA RC4 encryption algorithm with a 128-bit key. Microsoft encryption (MPPE) uses this algorithm. This option is checked by default. If you check Required, you must check this option and/or the 40-bit option. The U.S. government restricts the distribution of 128-bit encryption software.
•
PPTP Compression — If all members of this group are remote dial-in users connecting with modems, enabling data compression might speed up their data transmission rates. Data compression shrinks data by replacing repeating information with symbols that use less space. Check the box to enable data compression for PPTP. PPTP data compression uses the Microsoft Point-to-Point Compression (MPPC) protocol.

Note
MPPC data compression increases the memory requirement and CPU utilization for each user session. Consequently, using data compression reduces the overall throughput of the VPN Concentrator and lowers the maximum number of sessions your VPN Concentrator can support. We recommend you enable data compression only if every member of the group is a remote user connecting with a modem. If any members of the group connect via broadband, do not enable data compression for the group. Instead, divide the group into two groups, one for modem users and the other for broadband users. Enable data compression only for the group of modem users.
Note
PPTP data compression is only supported for clients that use stateless encryption.
•
L2TP Authentication Protocols — Check the boxes for the authentication protocols that L2TP clients can use. They are described under PPTP Authentication Protocols, above. To establish and use a VPN tunnel, users should be authenticated in accordance with a protocol. Again, we strongly recommend that you not allow the PAP protocol.
Caution
Unchecking all authentication options means that no authentication is required. That is, L2TP users can connect with no authentication. This configuration is allowed so you can test connections, but it is not secure.
•
L2TP Encryption — Check the boxes for the data encryption options that apply to L2TP clients.
–
Required = During connection setup, L2TP clients must agree to use Microsoft encryption (MPPE) to encrypt data or they will not be connected. This option is unchecked by default. If you check this option, you must also allow only MSCHAPv1 and/or MSCHAPv2 under L2TP Authentication Protocols, and you must also check 40-bit and/or 128-bit here. Do not check this option if you use NT Domain user authentication; NT Domain authentication cannot negotiate encryption.
–
Require Stateless = During connection setup, L2TP clients must agree to use stateless encryption to encrypt data or they will not be connected. With stateless encryption, the encryption keys are changed on every packet; otherwise, the keys are changed after some number of packets or whenever a packet is lost. Stateless encryption is more secure, but it requires more processing. However, it might perform better in a lossy environment (where packets are lost), such as the Internet. This option is unchecked by default. Do not check this option if you use NT Domain user authentication; NT Domain authentication cannot negotiate encryption.
–
40-bit = L2TP clients are allowed to use the RSA RC4 encryption algorithm with a 40-bit key. This is significantly less secure than the 128-bit option. Microsoft encryption (MPPE) uses this algorithm. This option is unchecked by default. If you check Required, you must check this option and/or the 128-bit option.
–
128-bit = L2TP clients are allowed to use the RSA RC4 encryption algorithm with a 128-bit key. Microsoft encryption (MPPE) uses this algorithm. This option is unchecked by default. If you check Required, you must check this option and/or the 40-bit option.
•
L2TP Compression — If all members of this group are remote dial-in users connecting with modems, enabling data compression might speed up their data transmission rates. Data compression shrinks data by replacing repeating information with symbols that use less space. Check the L2TP Compression check box to enable data compression for L2TP. L2TP data compression uses the Microsoft Point-to-Point Compression (MPPC) protocol.

Note
MPPC data compression increases the memory requirement and CPU utilization for each user session. Consequently, using data compression reduces the overall throughput of the VPN Concentrator and lowers the maximum number of sessions your VPN Concentrator can support. We recommend you enable data compression only if every member of the group is a remote user connecting with a modem. If any members of the group connect via broadband, do not enable data compression for the group. Instead, divide the group into two groups, one for modem users and the other for broadband users. Enable data compression only for the group of modem users.
Note
L2TP data compression is only supported for clients that use stateless encryption.
Base Group | WebVPN Tab
This screen lets you configure access to network resources for WebVPN users in the base group. The HTML interface visible to these WebVPN users varies depending on the values you set here. Users see a customized home page that includes only those features that you enable.
Note
To enable WebVPN, you must also check the WebVPN checkbox in the Tunneling Protocols field on the User Management | Base Group | General Tab.
End users need Sun Microsystems Java™ Runtime Environment (version 1.4 or later) installed for the file access function to work properly.
Figure 13-11 Configuration | User Management | Base Group | WebVPN Tab
WebVPN Parameters
These parameters let WebVPN users access network resources.
Screen Elements
•
Enable URL Entry — Check this box to place the URL entry box on the home page. If enabled, users can enter web addresses in the URL entry box, and use WebVPN to access those websites.
Be advised that using WebVPN does not ensure that communication with every site is secure. WebVPN ensures the security of data transmission between the remote user's PC or workstation and the VPN Concentrator on the corporate network. If a user then accesses a non-HTTPS web resource (located on the Internet or on the internal network), the communication from the corporate VPN Concentrator to the destination web server is not secured.
In a WebVPN connection, the VPN Concentrator acts as a proxy between the end user's web browser and the target web server. When a WebVPN user connects to an SSL-enabled web server, it is the VPN Concentrator, not the browser, that establishes the SSL session with that server. The end user's browser never receives the certificate the server presents, so the user cannot examine or validate it.
The current implementation of WebVPN on the VPN Concentrator refuses to communicate with sites that present expired certificates, but it does not validate the certificate against a trusted CA. An expiry check is therefore the only certificate validation a proxied SSL connection gets: a self-signed or otherwise untrusted certificate on the target server is accepted by the VPN Concentrator, and the WebVPN user has no way to inspect it before communicating with the server.
You may want to limit Internet access for WebVPN users. One way to do this is to uncheck the Enable URL Entry field. This prevents WebVPN users from surfing the Web during a WebVPN connection.
•
Enable File Access — Check to enable Windows file access (SMB/CIFS files only) through HTTPS. When this box is checked, users can access Windows files on the network. If you enable only this parameter for WebVPN file sharing, users can access only servers that you configure in the Tunneling and Security | WebVPN | Servers and URLs | Add or Modify pages. To let users access servers directly or to browse servers on the network, see the Enable File Server Entry and Enable File Server Browsing parameters.
Users can download, edit, delete, rename, and move files. They can also add files and folders.
Remember that shares must also be configured for user access on the applicable Windows servers. Users may need to be authenticated before accessing files, according to network requirements.
File access, server/domain access, and browsing require that you configure a WINS server or a master browser, typically on the same network as the VPN Concentrator, or reachable from that network. The WINS server or master browser provides the VPN Concentrator with a list of the resources on the network. You cannot use a DNS server instead. Configure WINS servers in the System | Servers | NBNS screen.
Note
File access is not supported in a native Active Directory environment when used with Dynamic DNS. It is supported when used with a WINS server.
•
Enable File Server Entry — Check to place the file server entry box on the portal page. File Access (above) must be enabled.
With this box checked, users can enter path names to Windows files directly. They can download, edit, delete, rename, and move files. They can also add files and folders.
Again, shares must also be configured for user access on the applicable Windows servers. Users may need to be authenticated before accessing files, according to network requirements.
•
Enable File Server Browsing — Check to let users browse the Windows network for domains/workgroups, servers and shares. File Access (above) must be enabled.
With this box checked, users can select domains and workgroups, and can browse servers and shares within those domains. Shares must also be configured for user access on the applicable Windows servers. Users may need to be authenticated before accessing servers, according to network requirements.
•
Enable Port Forwarding — WebVPN Port Forwarding provides access for remote users in the group to client/server applications that communicate over known, fixed TCP/IP ports. Remote users can use client applications that are installed on their local PC and securely access a remote server that supports that application.
Cisco has tested the following applications:
–
Windows Terminal Services
–
Telnet
–
Secure FTP (FTP over SSH)
–
Perforce
–
Outlook Express
–
Lotus Notes
Other TCP-based applications may also work, but Cisco has not tested them.
Note
Port Forwarding does not work with some SSL/TLS versions. See Tunneling and Security | SSL | Protocols SSL Version field for more information.
With this box checked users can access client/server applications by mapping TCP ports on the local and remote systems. Configure the TCP ports in the Tunneling and Security | WebVPN | Port Forwarding screen.
You configure specific TCP ports for application access for the base group in the Tunneling and Security | WebVPN | Port Forwarding screen.
Note
When users authenticate using digital certificates, the TCP Port Forwarding Java applet does not work. Java cannot access the web browser's keystore; therefore Java cannot use the certificates that the browser uses for user authentication, and the application cannot start. Do not use digital certificates to authenticate WebVPN users if you want them to be able to access applications.
•
Enable Outlook/Exchange Proxy — Check to enable the Outlook/Exchange mail forwarding (MAPI) proxy. See the About Outlook/Exchange Proxy Support (MAPI) section that follows.
End users get information about the Outlook/Exchange mail proxy you configure in a java applet. Users launch this java applet by clicking the Application Access section of their WebVPN home page.
•
Apply ACL — Check to apply the WebVPN Access Control List defined for the users of this group.
•
Enable Auto Applet Download — Check to automatically start the port forwarding or Outlook/Exchange Proxy Java applet when users log in via WebVPN, if port forwarding or Outlook/Exchange Proxy is enabled for the group. Clear this checkbox if neither of those features is enabled.
•
Enable Citrix MetaFrame — Check to enable support for Citrix MetaFrame services through WebVPN. Configure your Citrix Web Interface software in "Normal Address" mode; the VPN Concentrator functions as the secure gateway. You must install an SSL certificate on the VPN Concentrator public interface using a fully-qualified domain name (FQDN); this function does not work if you specify an IP address as the common name (CN) for the SSL certificate. (See the VPN Concentrator Administration | Certificate Management screen.)
•
Enable Cisco SSL VPN Client — Check to enable the Cisco SSL VPN Client (SVC). SVC supports a large number of complex software services not supported over a standard WebVPN connection. SVC works with Windows 2000 and Windows XP clients only. This is disabled by default.
Note
SVC does not use WebVPN ACLs configured on this page. IP filters are required for SVC sessions. See Configuration | Policy Management | Traffic Management | Rules and Configuration | Policy Management | Traffic Management | Filters.
•
Require Cisco SSL VPN Client — Check to require the SSL VPN Client for members of this group. When this is set, standard WebVPN connections are not permitted, thus reducing processing on the VPN Concentrator. This setting does not apply if the Enable Cisco SSL VPN Client box is unchecked. This is disabled by default.
Note
Do not require SVC for groups that include clients other than Windows 2000 and Windows XP.
•
Keep Cisco SSL VPN Client — Check to allow clients to keep the SVC software installed on their PCs, speeding access for subsequent connections. This is disabled by default. When disabled, the PC uninstalls the SVC image after the connection is brought down.
Note
Even if this option is selected, the SVC software checks for an upgraded image on the VPN Concentrator before loading.
•
Port Forwarding Name — This is a name for you to identify port forwarding to end users. The name you configure displays in the end user interface as a hotlink. When users click this link, a Java applet opens a window that displays a table that lists and provides access to the port forwarding applications that you configure for these users.
•
Homepage — Enter a default web page to display to members of the base group (or a particular group) when they first connect. WebVPN displays this page instead of the default WebVPN page to the group. You must use complete syntax (including "http://").
About Outlook/Exchange Proxy Support (MAPI)
This release supports the Outlook/Exchange (MAPI) Proxy for Microsoft Exchange e-mail, with specific versions of Outlook and Exchange. The following are supported:
•
Exchange 2000
•
Exchange 2003
•
Outlook 2000
•
Outlook XP
The following are not supported:
•
Outlook 2003 is not supported with any version of Exchange Server
•
Exchange 5.5 is not supported
The following requirements apply to using Outlook/Exchange Proxy:
•
Users must have administrative rights on their client PCs.
•
Java Runtime Environment (JRE) must be installed on users' client PCs.
•
Each client must first connect to the Exchange server's domain directly (without the Outlook/Exchange Proxy) and configure its Microsoft Outlook client for LAN access to the mail server using remote procedure call (RPC).
•
Web publishing services must be disabled on the client PC.
•
Clients should login to the Exchange server's domain using cached credentials.
•
The VPN Concentrator should have the DNS server for the private network configured in the list on the Configuration | System | Servers | DNS screen, and the Exchange server should be reachable from the VPN Concentrator using its Fully Qualified Domain Name.
Windows XP Requirements
The following requirements apply to using Outlook/Exchange proxy on Microsoft Windows XP:
•
Windows XP Professional with Service Pack 2 requires a Microsoft patch. The patch is Windows XP KB 884020-x86-enu.exe.
•
The built-in pop-up blocker must be turned off.
To enable Outlook/Exchange Proxy, check the box marked Enable Outlook/Exchange Proxy.
Content Filter Parameters
These parameters let you block or remove the parts of websites that use Java or ActiveX, scripts, display images, and deliver cookies. By default, these parameters are disabled, which means that no filtering occurs.
Screen Elements
•
Filter Java/Active X — Check to remove <applet>, <embed> and <object> tags from HTML.
•
Filter Scripts — Check to remove <script> tags from HTML.
•
Filter Images — Check to remove <img> tags from HTML. Removing images speeds the delivery of web pages dramatically.
•
Filter Cookies from Images — Check to remove cookies that are delivered with images. This may preserve user privacy, because advertisers use cookies to track visitors.
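The tag removal these four options perform, as an added example that is not the VPN Concentrator's code: a Python filter built on the standard html.parser module that strips the listed tags from a constructed sample page, followed by a check for the script vectors that tag-based filtering cannot remove. The sample page, the function names and the TagStripper and ScriptVectorFinder classes are constructed for this example; cookie filtering is not shown because it acts on HTTP headers rather than on the HTML.

```python
# Added example: the tag-removal part of the WebVPN content filter, implemented
# with html.parser, plus a check for script vectors that tag stripping misses.
# The sample page and all names here are constructed for this example.
from html.parser import HTMLParser

JAVA_ACTIVEX_TAGS = {"applet", "embed", "object"}   # Filter Java/ActiveX
SCRIPT_TAGS = {"script"}                              # Filter Scripts
IMAGE_TAGS = {"img"}                                  # Filter Images
VOID_TAGS = {"img", "embed"}                          # no closing tag, no body


class TagStripper(HTMLParser):
    """Re-emit the document, dropping blocked tags. Container tags (script,
    applet, object) lose their body too: a script body is not HTML, and the
    body of applet/object only holds parameters for the blocked element."""

    def __init__(self, blocked):
        super().__init__(convert_charrefs=False)
        self.blocked = blocked
        self.out = []
        self.skip_depth = 0          # > 0 while inside a blocked container

    def handle_starttag(self, tag, attrs):
        if tag in self.blocked:
            if tag not in VOID_TAGS:
                self.skip_depth += 1
        elif not self.skip_depth:
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        if tag not in self.blocked and not self.skip_depth:
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag in self.blocked:
            if tag not in VOID_TAGS and self.skip_depth:
                self.skip_depth -= 1
        elif not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip_depth:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        if not self.skip_depth:
            self.out.append(f"<!--{data}-->")


def filter_html(html, java_activex=False, scripts=False, images=False):
    """Apply the selected filters; all are off by default, as on the device."""
    blocked = set()
    if java_activex:
        blocked |= JAVA_ACTIVEX_TAGS
    if scripts:
        blocked |= SCRIPT_TAGS
    if images:
        blocked |= IMAGE_TAGS
    parser = TagStripper(blocked)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


class ScriptVectorFinder(HTMLParser):
    """Collect (tag, attribute) pairs that still run script after tag
    stripping: on* event handlers and javascript: URLs in attributes."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.startswith("on") or (value or "").strip().lower().startswith("javascript:"):
                self.found.append((tag, name))


def residual_script_vectors(html):
    finder = ScriptVectorFinder()
    finder.feed(html)
    finder.close()
    return finder.found


# Constructed sample page exercising each filter.
SAMPLE_PAGE = (
    '<html><body onload="track()">'
    '<SCRIPT>alert(1)</SCRIPT>'
    '<img src="/pixel.gif?id=7">'
    '<object data="x.cab"><param name="a" value="b"></object>'
    '<a href="javascript:steal()">link</a>'
    '<p>Hello &amp; welcome</p>'
    '</body></html>'
)

if __name__ == "__main__":
    cleaned = filter_html(SAMPLE_PAGE, java_activex=True, scripts=True, images=True)
    print(cleaned)
    print(residual_script_vectors(cleaned))
```

Run as a script, it prints the filtered page and the vectors that survive. Filter Scripts removes <script> elements only: the onload handler and the javascript: link on the filtered page still execute in the user's browser. These filters trim page weight and some exposure, but they do not restrict which servers a user can reach; that is the job of the WebVPN ACLs described later on this screen.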
WebVPN ACLs
You can configure WebVPN ACLs (Access Control Lists) to apply to user sessions. These are filters that permit or deny user access to specific networks, subnets, hosts, and web servers.
•
If you do not define any filters, all connections are permitted.
•
If you configure a permit filter, the default action is to deny connections other than what the filter defines.
•
Cisco SSL VPN Client sessions do not use the WebVPN ACLs defined here.
Tip
After you construct WebVPN ACLs, be sure to check the Apply ACL box further up on the screen.
ACL Syntax
An ACL can have up to 255 characters. The broad syntax for ACLs is <action> <protocol> <keyword> <source> <destination>. The specific syntax for protocol filters and for URL filters is described on the screen. Descriptions of each field are in the table below.
Some images, advertisements, and so on may fail to load with "permit URL"-type ACLs for sites that use separate servers for these files. In these cases it may be necessary to use a wildcard in the URL syntax; for example, *.boston.com.
Note
ACLs with syntax errors result in no filtering, because the Manager cannot recognize them as ACLs. A mistyped ACL therefore fails open: the user is left with unrestricted access rather than none. Check each ACL after you enter it, and verify the effect from a test WebVPN session.
Field | Description
--- | ---
Action | Action to perform if a rule matches: deny or permit.
Protocol | WebVPN protocols: IP, SMTP, POP3, IMAP4, HTTP, HTTPS, and CIFS.
Required Keywords | For protocol ACLs: host, required only when the destination is a single IP address without a wildcard mask. For URL ACLs: url.
Source | Network or host from which the packet is sent, specified as an IP address and wildcard mask, a hostname, or any. The most common source is any, which means, literally, that the source can be any host.
Destination | Network or host to which the packet is sent, specified as one of the following: a hostname; an IP address and wildcard mask, for example 10.86.9.0 0.0.0.255; or host followed by an IP address, for example host 10.86.9.22.
URL Definition | The complete address of the http or https web server, or of the CIFS, IMAP4S, POP3S, or SMTPS server.
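The five-field syntax and the permit/deny defaults stated above, as an added example that is not the VPN Concentrator's code: a Python parser for WebVPN-style ACLs that enforces the host and url keyword rules and the 255-character limit, and an evaluator that applies the page's defaults (no ACLs permit everything; once a permit ACL exists, unmatched traffic is denied). Two points go beyond the page and are marked in the code: a malformed ACL aborts the load instead of silently disabling filtering, and ACLs are evaluated first match wins, an ordering the page does not specify. The sample ACLs, the Request shape, the host names and addresses are constructed for the example, and a URL ACL is matched against the request's scheme and server only, taking "complete address of the server" at its word.

```python
# Added example: parser and evaluator for WebVPN-style ACLs following the
# syntax and defaults stated on this page. Sample rules, the Request shape
# and first-match ordering are constructions/assumptions of this example.
import fnmatch
import ipaddress
import re
from collections import namedtuple
from urllib.parse import urlsplit

PROTOCOLS = {"ip", "smtp", "pop3", "imap4", "http", "https", "cifs"}
URL_PREFIXES = tuple(s + "://" for s in ("http", "https", "cifs", "imap4s", "pop3s", "smtps"))
DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HOSTNAME = re.compile(r"^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?$")
Rule = namedtuple("Rule", "action protocol src dst url", defaults=(None,) * 4)
Request = namedtuple("Request", "protocol src_ip dst_ip dst_host url", defaults=(None,) * 3)

class AclSyntaxError(ValueError):
    pass  # the device ignores a bad ACL and filters nothing; this example refuses to load it

def _network(addr, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    try:
        netmask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))))
        return ipaddress.IPv4Network((addr, netmask), strict=False)
    except ValueError as exc:  # bad octet or a non-contiguous wildcard
        raise AclSyntaxError(f"bad address/wildcard {addr} {wildcard}") from exc

def _take_address(tokens):
    """Consume one source or destination field; return (value, remaining tokens)."""
    if not tokens:
        raise AclSyntaxError("missing address field")
    head, rest = tokens[0].lower(), tokens[1:]
    if head == "any":
        return "any", rest
    if head == "host":  # keyword required when the destination is a lone IP address
        if not rest or not DOTTED_QUAD.match(rest[0]):
            raise AclSyntaxError("'host' must be followed by an IP address")
        return _network(rest[0], "0.0.0.0"), rest[1:]
    if DOTTED_QUAD.match(head):  # a bare IP address must carry a wildcard mask
        if not rest or not DOTTED_QUAD.match(rest[0]):
            raise AclSyntaxError(f"{head}: add a wildcard mask or use the 'host' keyword")
        return _network(head, rest[0]), rest[1:]
    if HOSTNAME.match(head):
        return head, rest
    raise AclSyntaxError(f"unrecognized address field {tokens[0]!r}")

def parse_rule(line):
    tokens = line.split()
    if len(line.strip()) > 255 or len(tokens) < 3 or tokens[0].lower() not in ("permit", "deny"):
        raise AclSyntaxError(f"malformed ACL: {line!r}")
    action, proto = tokens[0].lower(), tokens[1].lower()
    if proto == "url":  # URL ACL: <action> url <scheme>://<server>
        if len(tokens) != 3 or not tokens[2].lower().startswith(URL_PREFIXES):
            raise AclSyntaxError(f"URL ACL needs exactly one <scheme>://<server>: {line!r}")
        return Rule(action, url=tokens[2].lower().rstrip("/"))
    if proto not in PROTOCOLS:
        raise AclSyntaxError(f"unknown protocol {proto!r}")
    src, rest = _take_address(tokens[2:])
    dst, rest = _take_address(rest)
    if rest:
        raise AclSyntaxError(f"unexpected trailing tokens {rest}")
    return Rule(action, proto, src, dst)

def load_acls(lines):
    return [parse_rule(line) for line in lines if line.strip()]  # one bad line aborts the load

def _matches(rule, req):
    if rule.url is not None:  # URL ACL: compare scheme://server, wildcards allowed
        parts = urlsplit((req.url or "").lower())
        return bool(req.url) and fnmatch.fnmatchcase(f"{parts.scheme}://{parts.netloc}", rule.url)
    if rule.protocol != "ip" and rule.protocol != req.protocol:
        return False
    if rule.src != "any" and ipaddress.IPv4Address(req.src_ip) not in rule.src:
        return False
    if rule.dst == "any":
        return True
    if isinstance(rule.dst, str):  # hostname destination
        return req.dst_host is not None and req.dst_host.lower() == rule.dst
    return req.dst_ip is not None and ipaddress.IPv4Address(req.dst_ip) in rule.dst

def evaluate(rules, req):
    if not rules:  # no ACLs at all: everything is permitted
        return "permit"
    for rule in rules:  # first match wins (assumption of this example)
        if _matches(rule, req):
            return rule.action
    # any permit ACL present: unmatched traffic is denied; a deny-only list permits it
    return "deny" if any(r.action == "permit" for r in rules) else "permit"

SAMPLE_ACLS = [  # constructed for this example
    "permit url https://mail.example.com",
    "permit url http://*.boston.com",
    "permit cifs any host 10.86.9.22",
    "deny ip any 10.86.9.0 0.0.0.255",
    "permit ip any fileserver.example.com",
]

def demo(client="192.0.2.10"):
    rules = load_acls(SAMPLE_ACLS)
    return {
        "owa": evaluate(rules, Request("https", client, url="https://mail.example.com/owa/")),
        "boston_ads": evaluate(rules, Request("http", client, url="http://ads.boston.com/x.gif")),
        "cifs_share": evaluate(rules, Request("cifs", client, dst_ip="10.86.9.22")),
        "http_same_subnet": evaluate(rules, Request("http", client, dst_ip="10.86.9.5")),
        "fileserver_by_name": evaluate(rules, Request("cifs", client, dst_host="FILESERVER.example.com")),
        "unlisted_site": evaluate(rules, Request("http", client, url="http://www.example.org/")),
    }
```

demo() evaluates six constructed requests against SAMPLE_ACLS: the two URL permits (the second using the wildcard form suggested above for sites that serve images and advertisements from separate hosts), the CIFS host permit, the subnet deny, the hostname permit and, for an unlisted site, the implicit deny that applies as soon as any permit ACL is present. load_acls(["permit ip any 10.86.9.22"]) raises AclSyntaxError because a lone destination IP needs the host keyword.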
•
Add or Apply / Cancel — To add this specific group to the list of configured groups, click Add. Or to apply your changes to this specific group, click Apply. Both actions include your entry in the active configuration. The Manager returns to the User Management | Base Group screen. Any new groups appear in alphabetical order in the Current Groups list. To discard your entries, click Cancel.
Reminder:
After you apply changes, the Manager returns to the User Management | Base Group screen. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
Base Group | NAC Tab
This section of the Manager lets you configure network admission control (NAC) for the Base Group. For background information on NAC and global NAC parameters, see Configuration | Policy Management | Network Admission Control (NAC).
Figure 13-12 Configuration | User Management | Base Group | NAC Tab
Screen Elements
•
Enable NAC — Check this box to enable posture validation for all peers that do not appear on the NAC Exception List.
•
Status Query Timer — Choose an interval for periodic checks of posture changes for peers in this group. Enter a value between 30 and 1800 seconds (30 minutes). Default 300 (5 minutes).
•
Revalidation Timer — Choose an interval for periodic complete posture revalidation. Enter a value between 300 and 86400 seconds (5 to 1440 minutes or 24 hours). Default 36000 (10 hours).
•
Default ACL (filter) — Choose a filter to be in force before NAC posture validation (PV) is complete. Configure filters on the Configuration | Policy Management | Traffic Management | Filters screen. The filter you select for the Default ACL must allow EAPoUDP communication (UDP port 21862) between the VPN Concentrator and the client; otherwise PV cannot proceed. A sample set of rules to facilitate this follows:
Field | Rule for Incoming Traffic | Rule for Outgoing Traffic
--- | --- | ---
Rule Name | EAPoUDP In | EAPoUDP Out
Direction | Inbound | Outbound
Action | Forward | Forward
Protocol | UDP | UDP
TCP/IP Connection | Don't Care | Don't Care
Source Address | 0.0.0.0/255.255.255.255 | PRIVATE¹
Destination Address | PRIVATE¹ | 0.0.0.0/255.255.255.255
TCP/UDP Source Port | 21862² | All
TCP/UDP Destination Port | All | 21862²
Groups
This section of the Manager lets you configure access and usage parameters for specific groups. A group is a collection of users treated as a single entity. Groups inherit parameters from the base group.
For information on groups and users, see Users, Groups, and Base Groups.
Configuring internal groups in this section means configuring them on the VPN Concentrator internal authentication server. The system automatically configures the internal server when you add the first internal group.
Configuring external groups means configuring them on an external authentication server such as RADIUS.
Note
If a RADIUS server is configured to return the Class attribute (#25), the VPN Concentrator uses that attribute to determine the user's group. On the RADIUS server, the attribute must be formatted as OU=groupname; where groupname is identical, including case, to the Group Name configured on the VPN Concentrator. For example:
OU=Finance;
Note
If you are using an external authentication server, keep in mind that usernames and group names must be unique. When naming a group, do not pick a name that matches the name of any external user; and conversely, when assigning a name to an external user, do not choose the name of any existing group.
Figure 13-13 Configuration | User Management | Groups Screen
Screen Elements
•
Add Group — Click to configure and add a new group. The Manager opens the User Management | Groups | Add or Modify (Internal) screen.
•
Modify Group — To modify parameters for a group that has been configured, select the group from the Current Groups list and click Modify Group. The Manager opens the User Management | Groups | Add or Modify (Internal) screen for an internal group, or the User Management | Groups | Modify (External) screen for an external group.
•
Delete Group — To remove a group that has been configured, select the group from the Current Groups list and click Delete Group.
Note
There is no confirmation or undo. However, deleting a group that has certificate group matching rules defined for it also deletes these rules. In this case, the VPN Concentrator displays a warning message asking you to confirm that you really want to delete the group.
The Manager refreshes the screen and shows the remaining groups in the list. When you delete a group, all its members revert to the base group. Deleting a group, however, does not delete the user profiles of the members.
You cannot delete a group that is configured as part of a LAN-to-LAN connection. See the Tunneling and Security | IPSec | LAN-to-LAN screen.
•
Current Groups — This list shows configured groups in alphabetical order, and if they are internal or external. If no groups have been configured, the list shows --Empty--.
•
Authentication Servers — To modify authentication server parameters, select the group from the list and click Authentication Servers. The Manager opens the User Management | Groups | Authentication Servers screen.
•
Authorization Servers — To modify authorization server parameters, select the group from the list and click Authorization Servers. The Manager opens the User Management | Groups | Authorization Servers screen.
•
Accounting Servers — To modify accounting server parameters, select the group from the list and click Accounting Servers. The Manager opens the User Management | Groups | Accounting Servers screen.
•
Address Pools — To modify address pools, select the group from the list and click Address Pools. The Manager opens the User Management | Groups | Address Pools screen.
•
Client Update — To modify client update entries, select the group from the list and click Client Update. The Manager opens the User Management | Groups | Client Update screen.
•
Bandwidth Assignment — To assign a bandwidth management policy, select the group from the list and click Bandwidth Assignment. The Manager opens the User Management | Groups | Bandwidth Policy screen.
•
WebVPN Servers and URLs — To configure access to specific servers and URLs, select the group from the list and click WebVPN Servers and URLs. The Manager opens the User Management | Groups | WebVPN Servers and URLs screen.
•
WebVPN Port Forwarding — To configure access to applications, select the group from the list and click WebVPN Port Forwarding. The Manager opens the User Management | Groups | WebVPN Port Forwarding screen.
Groups | Add or Modify (Internal)
These screens let you:
•
Add: Configure and add a new group.
•
Modify: Change parameters for a group that you have previously configured on the internal server. The screen title identifies the group you are modifying.
For many of these parameters, you can simply specify that the group "inherit" parameters from the base group, which you should configure first. You can also override the base-group parameters as you configure groups. See the User Management | Base Group screen.
On this screen, you configure the following kinds of parameters:
•
Identity (Groups | Identity Tab): Name, password, and type.
•
General (Groups | General Tab): Security, access, performance, and protocols.
•
IPSec (Groups | IPSec Tab): IP Security tunneling protocol.
•
Client Config (Groups | Client Config Tab): Banner, password storage, split-tunneling policy, default domain name, IPSec over UDP, backup servers.
•
Client FW (Groups | Client FW Tab): VPN Client personal firewall requirements.
•
HW Client (Groups | HW Client Tab): Interactive hardware client authentication and individual user authentication.
•
PPTP/L2TP (Groups | PPTP/L2TP Tab): PPTP and L2TP tunneling protocols.
•
WebVPN (Groups | WebVPN Tab): SSL VPN access.
•
NAC (Groups | NAC Tab): Peer posture validation settings for Network Admission Control.
Using the Tabs
This screen includes several tabbed sections. Click each tab to display its parameters. As you move from tab to tab, the Manager retains your settings. When you have finished setting parameters on all tabbed sections, click Add, Apply, or Cancel.
Groups | Identity Tab
This tab lets you configure the name, password, and authentication server type for this group.
Figure 13-14 Configuration | User Management | Groups | Add or Modify (Internal) Screen, Identity Tab
Screen Elements
•
Group Name — Enter a unique name for this specific group. The name cannot match any existing user or group name. (If you are using an external authentication server, see the note about naming under User Management | Groups.) The maximum name length is 64 characters. Entries are case-sensitive. Changing a group name automatically updates the group name for all users in the group.
If you are setting up a group for remote access users connecting with digital certificates, first find out the value of the Organizational Unit (OU) field of the user's identity certificate. (Ask your certificate administrator for this information.) The group name you assign must match this value exactly. If some users in the group have different OU values, set up a different group for each of these users.
If the Group Name field configured here and the OU field of the user's identity certificate do not match, when the user attempts to connect, the VPN Concentrator considers the user to be a member of the base group. The base group parameter definitions might be configured differently than the user wants or expects. If the base group does not support digital certificates, the connection fails.
See the note about configuring the RADIUS Class attribute under User Management | Groups.
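The Class-attribute and certificate-OU lookups described above, as an added example that is not the VPN Concentrator's code: it walks the attribute section of a constructed RADIUS Access-Accept (RFC 2865 type, length, value triples), extracts Class (#25), and resolves the group name with the rules given here (exact, case-sensitive match against configured groups, otherwise the base group). The packet bytes, group names and BASE_GROUP placeholder are constructed for the example; treating a Class value that is not exactly OU=groupname; as absent is this example's choice, since the page states only the required format.

```python
# Added example: resolving a user's group from a RADIUS Class attribute or a
# certificate OU, following the rules stated on this page. The packet bytes,
# group names and BASE_GROUP placeholder are constructed for the example.
RADIUS_ATTR_USER_NAME = 1
RADIUS_ATTR_CLASS = 25          # RFC 2865 Class attribute
BASE_GROUP = "(base group)"     # placeholder for the base group


def parse_radius_attributes(blob):
    """Walk a RADIUS attribute section: type, length (counting these two
    bytes), value. Bounds are checked so a truncated or malformed packet raises."""
    attrs, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, bytes(blob[pos + 2:pos + alen])))
        pos += alen
    return attrs


def group_name_from_class(attrs):
    """Return groupname from a Class value formatted exactly 'OU=groupname;'.
    Any other Class value is treated as absent (this example's choice)."""
    for atype, value in attrs:
        if atype == RADIUS_ATTR_CLASS:
            text = value.decode("ascii", errors="replace")
            if text.startswith("OU=") and text.endswith(";") and len(text) > 4:
                return text[3:-1]
    return None


def resolve_group(candidate, configured_groups):
    """A name from Class or from a certificate's OU must match a configured
    group exactly, case included; otherwise the user lands in the base group."""
    return candidate if candidate in configured_groups else BASE_GROUP


def build_attribute(atype, value):
    """Encode one attribute TLV; used here only to construct sample input."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one TLV")
    return bytes([atype, len(value) + 2]) + value


CONFIGURED_GROUPS = {"Finance", "Engineering"}   # constructed
SAMPLE_ACCEPT = (build_attribute(RADIUS_ATTR_USER_NAME, b"alice")
                 + build_attribute(RADIUS_ATTR_CLASS, b"OU=Finance;"))


def demo():
    def via_class(class_value):
        attrs = parse_radius_attributes(build_attribute(RADIUS_ATTR_CLASS, class_value))
        return resolve_group(group_name_from_class(attrs), CONFIGURED_GROUPS)
    accept_attrs = parse_radius_attributes(SAMPLE_ACCEPT)
    return {
        "well_formed": resolve_group(group_name_from_class(accept_attrs), CONFIGURED_GROUPS),
        "wrong_case": via_class(b"OU=finance;"),     # group names are case-sensitive
        "no_semicolon": via_class(b"OU=Finance"),    # not the documented format
        "cert_ou": resolve_group("Engineering", CONFIGURED_GROUPS),  # certificate OU path
    }
```

The two fall-back cases in demo() are the ones that bite in practice: a Class value whose case differs from the configured Group Name, or one missing the trailing semicolon, silently places the user in the base group, with whatever tunnel, filter and split-tunnel settings the base group carries.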
•
Password — Enter a unique password for this group. The minimum password length is 4 characters. The maximum is 32 characters. Entries are case-sensitive. The field displays only asterisks.
•
Verify — Re-enter the group password to verify it. The field displays only asterisks.
•
Type — Select the authentication server type (authentication method) for this group:
–
Internal = Use the internal VPN Concentrator authentication server. This is the default selection. If you select this type, configure the parameters on the other tabs on this screen. The VPN Concentrator automatically configures its internal server when you add the first internal group.
–
External = Use an external authentication server, such as RADIUS, for this group. If you select this type, ignore the rest of the tabs and parameters on this screen. The external server supplies the group parameters if it can; otherwise the base-group parameters apply.
Groups | General Tab
This tab lets you configure general security, access, performance, and tunneling protocol parameters that apply to this internally configured group.
Figure 13-15 Configuration | User Management | Groups | Add or Modify (Internal) Screen, General Tab
Screen Elements
•
Value / Inherit? — On this tabbed section:
–
The Inherit check box refers to base-group parameters: Does this specific group inherit the given setting from the base group? To inherit the setting, check the box (default). To override the base-group setting, uncheck the check box. If you uncheck the check box, you must also enter or change any corresponding Value field; do not leave the field blank.
–
The Value column thus shows either base-group parameter settings that also apply to this group (Inherit checked), or unique parameter settings configured for this group (Inherit cleared).
Note
The setting of the Inherit check box takes priority over an entry in a Value field. Examine this box before continuing and be sure its setting reflects your intent.
•
Access Hours,
Simultaneous Logins,
Minimum Password Length,
Allow Alphabetic-Only Passwords,
Idle Timeout,
Maximum Connect Time,
Filter — See the instructions for User Management | Base Group | General Tab earlier in this guide.
•
Primary DNS, Secondary DNS, Primary WINS, Secondary WINS — See the instructions for User Management | Base Group | General Tab earlier in this guide. Also, see the note that follows.
•
SEP Card Assignment, Tunneling Protocols, Strip Realm, DHCP Network Scope — See the instructions for User Management | Base Group | General Tab earlier in this guide.
Note on DNS and WINS Entries
If the base group uses DNS or WINS, and:
•
this group uses the base-group setting: check the appropriate Inherit box (the default).
•
this group uses different DNS or WINS servers: uncheck the appropriate Inherit check box and enter this group's server IP address(es).
•
this group does not use DNS or WINS: uncheck the appropriate Inherit check box and enter 0.0.0.0 in the IP address field.
If the base group does not use DNS or WINS, and:
•
this group also does not use DNS or WINS: check the appropriate Inherit check box (the default).
•
this group uses DNS or WINS: uncheck the appropriate Inherit check box and enter this group's server IP address(es).
Note
WebVPN users get their DNS information from the DNS servers you configure globally in the System | Servers | DNS screen. They do not get DNS information from the Base Group or Group settings.
Groups | IPSec Tab
This tab lets you configure IP Security parameters that apply to this internally configured group.
Four parameters on this tab apply to WebVPN users in the group: Authentication, Authorization Type, Authorization Required, and DN field.
Figure 13-16 Configuration | User Management | Groups | Add or Modify (Internal) Screen, IPSec Tab
Screen Elements
•
Value / Inherit? — On this tabbed section:
–
The Inherit check box refers to base-group parameters: Does this specific group inherit the given setting from the base group? To inherit the setting, check the box (default). To override the base-group setting, uncheck the check box. If you uncheck the check box, you must also enter or change any corresponding Value field; do not leave the field blank.
–
The Value column thus shows either base-group parameter settings that also apply to this group (Inherit checked), or unique parameter settings configured for this group (Inherit cleared).
Note
The setting of the Inherit check box takes priority over an entry in a Value field. Examine this box before continuing and be sure its setting reflects your intent.
•
IPSec SA,
IKE Peer Identity Validation,
IKE Keepalives,
Confidence Interval,
Tunnel Type,
Remote Access Parameters,
Group Lock,
Authentication,
Authorization Type,
Authorization Required,
DN Field,
IP Comp,
Reauthentication on Rekey,
Client Type & Version Limiting,
Mode Configuration — See the instructions for User Management | Base Group | IPSec Tab earlier in this guide.
Groups | Client Config Tab
These parameters apply to this group's IPSec clients. The tab has three sections: one for parameters specific to Cisco clients, one for Microsoft clients, and a third for common client parameters.
Screen Elements
•
Value / Inherit? — On this tabbed section:
–
The Inherit check box refers to base-group parameters: Does this specific group inherit the given setting from the base group? To inherit the setting, check the box (default). To override the base-group setting, uncheck the check box. If you uncheck the check box, you must also enter or change any corresponding Value field; do not leave the field blank.
–
The Value column thus shows either base-group parameter settings that also apply to this group (Inherit checked), or unique parameter settings configured for this group (Inherit cleared).
Note
The setting of the Inherit check box takes priority over an entry in a Value field. Examine this box before continuing and be sure its setting reflects your intent.
•
Allow Password Storage on Client,
IPSec over UDP,
IPSec over UDP Port,
IPSec Backup Servers,
Intercept DHCP Configure Message,
Subnet Mask,
Banner,
Split Tunneling Policy,
Split Tunneling Network List,
Default Domain Name,
Split DNS Names — See the instructions for User Management | Base Group | Client Config Tab earlier in this guide.
Figure 13-17 Configuration | User Management | Groups | Add or Modify, Client Configuration Tab
Groups | Client FW Tab
This tab lets you configure firewall parameters for VPN Clients. See User Management | Base Group | Client FW Tab for a discussion of using firewalls.
Note
Only VPN Clients running Microsoft Windows can use these firewall features. They are not presently available to hardware clients or other (non-Windows) software clients.
Figure 13-18 Configuration | User Management | Groups | Add or Modify (Internal) Screen, Client FW Parameters Tab
Screen Elements
•
Value / Inherit? — On this tabbed section:
–
The Inherit check box refers to base-group parameters: Does this specific group inherit the given setting from the base group? To inherit the setting, check the box (default). To override the base-group setting, uncheck the check box. If you uncheck the check box, you must also enter or change any corresponding Value field; do not leave the field blank.
–
The Value column thus shows either base-group parameter settings that also apply to this group (Inherit checked), or unique parameter settings configured for this group (Inherit cleared).
Note
The setting of the Inherit check box takes priority over an entry in a Value field. Examine this box before continuing and be sure its setting reflects your intent.
•
Firewall Setting, Firewall, Custom Firewall, Firewall Policy — See the instructions for User Management | Base Group | Client FW Tab earlier in this guide.
Groups | HW Client Tab
This tab lets you configure interactive hardware client authentication and individual user authentication for the group. You can enable either feature, both features together, or neither. By default, interactive hardware client authentication and individual user authentication are disabled.
Figure 13-19 Configuration | User Management | Groups | Add or Modify, HW Client Parameters Tab
Screen Elements
•
Value / Inherit? — On this tabbed section:
–
The Inherit check box refers to base-group parameters: Does this specific group inherit the given setting from the base group? To inherit the setting, check the box (default). To override the base-group setting, uncheck the check box. If you uncheck the check box, you must also enter or change any corresponding Value field; do not leave the field blank.
–
The Value column thus shows either base-group parameter settings that also apply to this group (Inherit checked), or unique parameter settings configured for this group (Inherit cleared).
Note
The setting of the Inherit check box takes priority over an entry in a Value field. Examine this box before continuing and be sure its setting reflects your intent.
•
Require Interactive Hardware Client Authentication,
Require Individual User Authentication,
User Idle Timeout,
Cisco IP Phone Bypass,
LEAP Bypass,
Allow Network Extension Mode — See the instructions for User Management | Base Group | HW Client Tab earlier in this guide.
Groups | PPTP/L2TP Tab
This section of the screen lets you configure PPTP and L2TP parameters that apply to this internally configured group. During tunnel establishment, the client and server negotiate access and usage based on these parameters. Only clients that meet these criteria are allowed access. If you checked PPTP, L2TP, or L2TP over IPSec under Tunneling Protocols on the General tab, configure these parameters.
Figure 13-20 Configuration | User Management | Groups | Add or Modify (Internal) | PPTP/L2TP Tab
Screen Elements
•
Value / Inherit? — On this tabbed section:
–
The Inherit check box refers to base-group parameters: Does this specific group inherit the given setting from the base group? To inherit the setting, check the box (default). To override the base-group setting, uncheck the check box. If you uncheck the check box, you must also enter or change any corresponding Value field; do not leave the field blank.
–
The Value column thus shows either base-group parameter settings that also apply to this group (Inherit checked), or unique parameter settings configured for this group (Inherit cleared).
Note
The setting of the Inherit check box takes priority over an entry in a Value field. Examine this box before continuing and be sure its setting reflects your intent.
•
Use Client Address,
PPTP Authentication Protocols,
PPTP Encryption,
PPTP Compression,
L2TP Authentication Protocols,
L2TP Encryption,
L2TP Compression — See the instructions for User Management | Base Group | PPTP/L2TP Tab earlier in this guide.
•
Add / Apply — When you finish setting or changing parameters on all tabs, click Add or Apply at the bottom of the screen to add this specific group to the list of configured groups, or to apply your changes. Both actions include your settings in the active configuration. The Manager returns to the User Management | Groups screen. Any new groups appear in alphabetical order in the Current Groups list.
•
Cancel — To discard your settings, click the Cancel button. The Manager returns to the User Management | Groups screen, and the Current Groups list is unchanged.
Reminder:
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
Groups | WebVPN Tab
This screen lets you configure access to network resources for WebVPN users in this group. The HTML interface visible to these WebVPN users varies depending on the values you set here. Users see a customized home page that includes only those features that you enable.
Note
To enable WebVPN, you must also check the WebVPN checkbox in the Tunneling Protocols field on the User Management | Groups | General Tab.
End users need Sun Microsystems Java™ Runtime Environment (version 1.4 or later) installed for file access functionality to work properly.
Figure 13-21 Configuration | User Management | Groups | Add or Modify (Internal) Screen, WebVPN Tab
Screen Elements
•
Value / Inherit? — On this tabbed section:
–
The Inherit check box refers to base-group parameters: Does this specific group inherit the given setting from the base group? To inherit the setting, check the box (default). To override the base-group setting, uncheck the check box. If you uncheck the check box, you must also enter or change any corresponding Value field; do not leave the field blank.
–
The Value column thus shows either base-group parameter settings that also apply to this group (Inherit checked), or unique parameter settings configured for this group (Inherit cleared).
Note
The setting of the Inherit check box takes priority over an entry in a Value field. Examine this box before continuing and be sure its setting reflects your intent.
•
Enable URL Entry,
Enable File Access,
Enable File Server Entry,
Enable File Server Browsing — See the instructions for User Management | Base Group | WebVPN Tab earlier in this guide.
•
Enable Port Forwarding — Check to enable port forwarding.
With this box checked remote users can access client/server applications by mapping local TCP ports on the system to remote ports on appropriate servers at the central site. You configure specific TCP ports for application access for a group in the User Management | Groups | WebVPN Port Forwarding | Add or Modify screens.
End users get information about the applications you configure in a Java applet. Users launch this Java applet by clicking the Application Access section of their WebVPN home page.
Note
When users authenticate using digital certificates, the TCP Port Forwarding Java applet does not work. Java does not have the ability to access the web browser's keystore; therefore Java cannot use the certificates that the browser used for user authentication, and the application cannot start. Do not use digital certificates to authenticate WebVPN users if you want them to be able to access applications.
•
Enable Outlook/Exchange Proxy,
Apply ACL,
Enable Auto Applet Download,
Enable Cisco SSL VPN Client,
Require Cisco SSL VPN Client,
Keep Cisco SSL VPN Client,
Port Forwarding Name,
Homepage,
Filter Java/Active X,
Filter Scripts,
Filter Images,
Filter Cookies from Images,
WebVPN ACLs — See the instructions for User Management | Base Group | WebVPN Tab earlier in this guide.
Tip
After you construct WebVPN ACLs, be sure to check the Apply ACL box further up on the screen.
•
Add / Apply — When you finish setting or changing parameters on all tabs, click Add or Apply at the bottom of the screen to add this specific group to the list of configured groups, or to apply your changes. Both actions include your settings in the active configuration. The Manager returns to the User Management | Groups screen. Any new groups appear in alphabetical order in the Current Groups list.
•
Cancel — To discard your settings, click the Cancel button. The Manager returns to the User Management | Groups screen, and the Current Groups list is unchanged.
Groups | NAC Tab
This screen lets you configure network admission control (NAC) for users in this group. For background information on NAC and global NAC parameters, refer to Configuration | Policy Management | Network Admission Control (NAC).
Figure 13-22 Configuration | User Management | Groups | Add or Modify (Internal) Screen, NAC Tab
Screen Elements
•
Value / Inherit? — On this tabbed section:
–
The Inherit check box refers to base-group parameters: Does this specific group inherit the given setting from the base group? To inherit the setting, check the box (default). To override the base-group setting, uncheck the check box. If you uncheck the check box, you must also enter or change any corresponding Value field; do not leave the field blank.
–
The Value column shows either base-group parameter settings that also apply to this group (Inherit checked), or unique parameter settings configured for this group (Inherit cleared).
Note
The setting of the Inherit check box takes priority over an entry in a Value field. Examine this box before continuing and be sure its setting reflects your intent.
•
Enable NAC, Status Query Timer, Revalidation Timer, Default ACL (filter) — See the instructions for User Management | Base Group | NAC Tab earlier in this guide.
Groups | Modify (External)
This screen lets you change identity parameters for an external group that you have previously configured. The screen title identifies the group you are modifying.
Figure 13-23 Configuration | User Management | Groups | Modify (External) Screen
Screen Elements
•
Group Name — Enter a unique name for this specific group. You can edit this field as desired. The maximum name length is 64 characters. Entries are case-sensitive. Changing a group name automatically updates the group name for all users in the group.
See the note about configuring the RADIUS Class attribute under User Management | Groups.
•
Password — Enter a unique password for this group. The minimum password length is 4 characters. The maximum length is 32 characters. Entries are case-sensitive. The field displays only asterisks.
•
Verify — Re-enter the group password to verify it. The field displays only asterisks.
•
Type — Click the Type drop-down menu button and select the authentication server type for the group:
–
Internal = To change this group to use the internal VPN Concentrator authentication server, select this type. If you change this group from External to Internal, the Manager displays the User Management | Groups | Add or Modify (Internal) screen when you click Apply, so you can configure all the parameters.
–
External = To use only an external authentication server, such as RADIUS, keep this selection. The external server supplies the group parameters if it can; otherwise the base-group parameters apply.
•
Apply — When you finish changing these parameters, click Apply to include your settings in the active configuration. The Manager returns to the User Management | Groups screen and refreshes the Current Groups list. However, if you change group type to Internal, the Manager displays the User Management | Groups | Add or Modify (Internal) screen so you can configure all the parameters.
•
Cancel — To discard your settings, click the Cancel button. The Manager returns to the User Management | Groups screen, and the Current Groups list is unchanged.
Groups | Authentication Servers
This screen lets you add, modify, delete, or change the priority order of authentication servers for a group. You can add external RADIUS, NT Domain and SDI servers for authenticating users. To add an internal server, go to the System | Servers | Authentication screen.
If individual user authentication is enabled, the authentication servers you configure for the group here are used in the order of priority you set here. If you do not configure an external authentication server here, individual user authentication uses the internal authentication server on the VPN Concentrator.
Before you configure an external server, be sure that the external server you reference is itself properly configured and that you know how to access it (IP address or host name, TCP/UDP port, secret, password, etc.). The VPN Concentrator functions as the client of these servers.
You can configure and prioritize up to 10 authentication servers. The first server of a given type is the primary server for that type, and the rest are backup servers in case the primary is inoperative. If no authentication servers are configured for the group, the global authentication server list applies.
The global authentication server list only applies if no authentication servers are configured for this group. If a group is configured (in the User Management | Groups | Add or Modify (Internal) screen, User Management | Groups | IPSec Tab, Authentication field) to use a type of authentication server not available on this list, the VPN Concentrator does not redirect the authentication request to a server in the global list. The authentication fails. If you want users in this group to use the global authentication server, do not define any servers, of any type, here.
For example, if you configure a group to authenticate using RADIUS, and if only an NT Domain server appears on this list, user authentication fails. If you want these users to use the global RADIUS server, do not configure any server here.
Figure 13-24 Configuration | User Management | Groups | Authentication Servers Screen
Screen Elements
•
Servers — This list shows the configured authentication servers, in priority order. Each entry shows the server identifier and type, by IP address or by host name, for example: 192.168.12.34 (RADIUS). If no servers have been configured, the list shows --Empty--. The first server of each type is the primary; the rest are backups.
•
Add — To configure and add a new authentication server, click Add. The Manager opens the User Management | Groups | Authentication Servers | Add or Modify screen.
•
Modify — To modify parameters for an authentication server that has been configured, select the server from the list and click Modify. The Manager opens the User Management | Groups | Authentication Servers | Add or Modify screen.
•
Delete — To remove a server that has been configured, select the server from the list and click Delete.
Note
There is no confirmation or undo.
The Manager refreshes the screen and shows the remaining servers in the list. When you delete a server, any clients with no other authentication server configured use the server configured for the base group.
•
Move Up / Move Down — To change the priority order for an authentication server, select the name in the Servers list and click Move Up or Move Down to move it up or down on the list of servers configured for this group.
•
Test — To test a configured external user authentication server, select the server from the list and click Test. The Manager opens the User Management | Groups | Authentication Servers | Test screen. There is no need to test the internal server, and trying to do so returns an error message.
•
Done — Click when you are finished configuring authentication servers. This action includes your settings in the active configuration. The Manager returns to the User Management | Groups screen.
Reminder:
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
Groups | Authentication Servers | Add or Modify
These screens let you:
•
Add: Configure and add a new user authentication server.
•
Modify: Modify parameters for a configured user authentication server.
Click the drop-down menu button and select the Server Type. The screen and its available fields change depending on the Server Type. Choices are:
•
Server Type = RADIUS = An external RADIUS server (default).
•
Server Type = NT Domain = An external Windows NT Domain server.
•
Server Type = SDI = An external RSA Security Inc. SecurID server.
•
Server Type = Kerberos/Active Directory = An external Windows/Active Directory server or a UNIX/Linux Kerberos server.
Find your selected Server Type.
Server Type = RADIUS
Configure these parameters for a RADIUS authentication server.
Figure 13-25 Configuration | User Management | Groups | Authentication Servers | Add or Modify RADIUS Screen
Screen Elements
•
Authentication Server — Enter the IP address or host name of the RADIUS authentication server, for example: 192.168.12.34. The maximum length is 32 characters. (If you have configured a DNS server, you can enter a host name in this field; otherwise, enter an IP address. For maximum security, use an IP address.)
•
Server Port — Enter the UDP port number by which you access the server. Enter 0 (the default) to have the system supply the default port number, 1645.
Note
The latest RFC states that RADIUS should be on UDP port number 1812, so you might need to change this default value to 1812.
•
Timeout — Enter the time in seconds to wait after sending a query to the server and receiving no response, before trying again. The minimum time is 1 second. The default is 4 seconds. The maximum is 30 seconds.
•
Retries — Enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator declares this server inoperative and uses the next RADIUS authentication server in the list. The minimum number of retries is 0. The default is 2. The maximum is 10.
•
Server Secret — Enter the RADIUS server secret (also called the shared secret), for example: C8z077f. The maximum length is 64 characters. The field shows only asterisks.
•
Verify — Re-enter the RADIUS server secret to verify it. The field shows only asterisks.
•
Add / Apply — To add the new server to the list of configured user authentication servers, click Add. Or to apply your changes to the configured server, click Apply. Both actions include your entries in the active configuration. The Manager returns to the User Management | Groups | Authentication Servers screen. Any new server appears at the bottom of the Authentication Servers list.
•
Cancel — To discard your entries, click Cancel. The Manager returns to the User Management | Groups | Authentication Servers screen, and the Authentication Servers list is unchanged.
Server Type = NT Domain
Configure these parameters for a Windows NT Domain authentication server.
Note
NT servers have a maximum length of 14 characters for user passwords. Longer passwords are truncated.
Figure 13-26 Configuration | User Management | Groups | Authentication Servers | Add or Modify NT Domain Screen
Screen Elements
•
Authentication Server Address — Enter the IP address of the NT Domain authentication server, for example: 192.168.12.34. Use dotted decimal notation.
•
Server Port — Enter the TCP port number by which you access the server. Enter 0 (the default) to have the system supply the default port number, 139.
•
Timeout — Enter the time in seconds to wait after sending a query to the server and receiving no response, before trying again. The minimum time is 1 second. The default time is 4 seconds. The maximum time is 30 seconds.
•
Retries — Enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator declares this server inoperative and uses the next NT Domain authentication server in the list. The minimum number of retries is 0. The default number is 2. The maximum number is 10.
•
Domain Controller Name — Enter the NT Primary Domain Controller host name for this server, for example: PDC01. The maximum host name length is 16 characters. You must enter this name, and it must be the correct host name for the server for which you entered the IP Address in Authentication Server Address; if it is incorrect, authentication fails.
•
Add / Apply — To add the new server to the list of configured user authentication servers, click Add. Or to apply your changes to the configured server, click Apply. Both actions include your entries in the active configuration. The Manager returns to the User Management | Groups | Authentication Servers screen. Any new server appears at the bottom of the Authentication Servers list.
Server Type = SDI
Configure these parameters for an RSA Security Inc. SecurID authentication server.
VPN Concentrator software version 3.6 supports both SDI version 5.0 and SDI versions prior to 5.0.
About SDI Version pre-5.0
SDI versions prior to 5.0 use the concept of an SDI master server and an SDI slave server that share a single node secret file (SECURID). On the VPN Concentrator you can configure one pre-5.0 SDI master server and one SDI slave server globally, and one SDI master and one SDI slave server per group.
About SDI Version 5.0
SDI version 5.0 uses the concept of an SDI primary server and SDI replica servers. A primary and its replicas share a single node secret file. On the VPN Concentrator you can configure one SDI 5.0 server globally, and one per group.
A version 5.0 SDI server that you configure on the VPN Concentrator can be either the primary or any one of the replicas. See the section below, "SDI Primary and Replica Servers," for information about how the SDI agent selects servers to authenticate users.
You can have one SDI primary server, and up to 10 replicas; use the SDI documentation for configuration instructions. The primary and all the replicas can authenticate users. Each primary and its replicas share a single node secret file. The node secret file has its name based on the hexadecimal value of the ACE/Server IP address with .sdi appended. SDI servers that you configure here apply to this group.
Two-step Authentication Process
SDI version 5.0 uses a two-step process to prevent an intruder from capturing information from an RSA SecurID authentication request and using it to authenticate to another server. The Agent first sends a lock request to the SecurID server before sending the user authentication request. The server locks the username, preventing another (replica) server from accepting it. This means that the same user cannot authenticate to two VPN Concentrators using the same authentication servers simultaneously. After a successful username lock, the VPN Concentrator sends the passcode.
SDI Primary and Replica Servers
The VPN Concentrator obtains the server list when the first user authenticates to the configured server, which can be either a primary or a replica. The VPN Concentrator then assigns a priority to each server on the list, and subsequent server selection is random but weighted by those priorities: the highest-priority servers are the most likely to be selected.
Figure 13-27 Configuration | User Management | Groups | Authentication Servers | Add or Modify SDI Screen
Screen Elements
•
Authentication Server — Enter the IP address or host name of the SDI authentication server, for example: 192.168.12.34. The maximum number of characters is 32. (If you have configured a DNS server, you can enter a host name in this field; otherwise, enter an IP address.)
•
SDI Server Version — Use the drop-down menu to select the SDI server version you are using, pre-5.0 or 5.0.
•
Server Port — Enter the UDP port number by which you access the server. Enter 0 (the default) to have the system supply the default port number, 5500.
•
Timeout — Enter the time in seconds to wait after sending a query to the server and receiving no response, before trying again. The minimum time is 1 second. The default is 4 seconds. The maximum is 30 seconds.
•
Retries — Enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator declares this server inoperative and uses the next SDI authentication server in the list. The minimum number of retries is 0. The default is 2. The maximum is 10.
•
Add / Apply — To add the new server to the list of configured user authentication servers, click Add. Or to apply your changes to the configured server, click Apply. Both actions include your entries in the active configuration. The Manager returns to the User Management | Groups | Authentication Servers screen. Any new server appears at the bottom of the Authentication Servers list.
•
Cancel — To discard your entries, click Cancel. The Manager returns to the User Management | Groups | Authentication Servers screen, and the Authentication Servers list is unchanged.
Server Type = Kerberos/Active Directory
Configure these parameters for a Kerberos/Active Directory server. The VPN Concentrator supports RC4-HMAC and DES-MD5 encryption types.
Note
The VPN Concentrator does not support changing user passwords during tunnel negotiation. To avoid this situation happening inadvertently, disable password expiration on the Kerberos/Active Directory server for users connecting to the VPN Concentrator.
If you are configuring authentication to a Linux machine acting as a Kerberos server, check the available keys for the users you want to authenticate. The following key must be available: DES cbc mode with RSA-MD5, Version 5.
For example, if you are configuring authentication to a Red Hat Linux 7.3 server running Kerberos, check the available keys by completing the following steps:
Step 1
Enter the following command, where username is the name of the user you want to authenticate:
kadmin.local -q "getprinc username"
Step 2
If "DES cbc mode with RSA-MD5, Version 5" is not available for that user, edit the file kdc.conf. Add or move "des-cbc-md5" selections to the beginning of the "supported_enctypes =" line:
master_key_type = des-cbc-crc
supported_enctypes = des-cbc-md5:normal des-cbc-md5:norealm des-cbc-md5:onlyrealm
Step 3
Save the file.
Step 4
Restart the krb5kdc, kadmin, and krb524 services.
Step 5
Change the password for the user to create the "DES cbc mode with RSA-MD5" key:
kadmin.local -q "cpw -pw newpassword username"
Now you should be able to authenticate that user to your Linux/Unix Kerberos 5 server.
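The following is an added example, not from the Cisco guide, that applies Steps 1 and 2 of the procedure above to text rather than to a live KDC: it checks a principal listing for the key the guide names, and reorders the supported_enctypes line of a kdc.conf the way Step 2 describes (adding the guide's three des-cbc-md5 entries when none are present). The sample principal listing and kdc.conf fragment are constructed, and the function names are the example's own.

```python
"""Added example, not from the Cisco guide: Steps 1 and 2 of the Kerberos
procedure, applied to text instead of a live KDC.

has_des_md5_key()      scans `kadmin.local -q "getprinc <user>"` output for the
                       "DES cbc mode with RSA-MD5, Version 5" key the guide requires.
promote_des_cbc_md5()  rewrites the supported_enctypes line of a kdc.conf so the
                       des-cbc-md5 entries lead the list, adding the three entries
                       from the guide's example when none are present.
The sample principal listing and kdc.conf fragment below are constructed.
"""
import re

# Exact key description from the guide. The kadmin of that era (Red Hat 7.3)
# printed the "normal" salt type as "Version 5"; newer kadmin prints it differently.
REQUIRED_KEY = "DES cbc mode with RSA-MD5, Version 5"

# Entries the guide shows in its kdc.conf example, used when none exist yet.
DES_MD5_ENTRIES = ("des-cbc-md5:normal", "des-cbc-md5:norealm", "des-cbc-md5:onlyrealm")

_SUPPORTED_ENCTYPES = re.compile(r"^(\s*)supported_enctypes\s*=\s*(.*?)\s*$")


def has_des_md5_key(getprinc_output: str) -> bool:
    """Step 1: True if the principal listing contains the required key."""
    return any(REQUIRED_KEY in line for line in getprinc_output.splitlines())


def promote_des_cbc_md5(kdc_conf: str) -> str:
    """Step 2: return kdc.conf text with des-cbc-md5 enctypes first in supported_enctypes.

    Every other line passes through unchanged; the edited line keeps its indentation.
    """
    out = []
    for line in kdc_conf.splitlines():
        m = _SUPPORTED_ENCTYPES.match(line)
        if not m:
            out.append(line)
            continue
        indent, value = m.groups()
        entries = value.split()
        des = [e for e in entries if e.startswith("des-cbc-md5:")]
        rest = [e for e in entries if not e.startswith("des-cbc-md5:")]
        if not des:
            des = list(DES_MD5_ENTRIES)   # "add" case from Step 2
        out.append(f"{indent}supported_enctypes = {' '.join(des + rest)}")
    text = "\n".join(out)
    return text + "\n" if kdc_conf.endswith("\n") else text


def supported_enctypes_line(kdc_conf: str) -> str:
    """Inspection helper: the stripped supported_enctypes line, or '' if absent."""
    for line in kdc_conf.splitlines():
        if _SUPPORTED_ENCTYPES.match(line):
            return line.strip()
    return ""


# Constructed sample output of `kadmin.local -q "getprinc vpnuser"` (no DES/MD5 key).
SAMPLE_GETPRINC_MISSING = """\
Principal: vpnuser@EXAMPLE.COM
Number of keys: 2
Key: vno 1, Triple DES cbc mode with HMAC/sha1, Version 5
Key: vno 1, DES cbc mode with CRC-32, Version 5
"""

# Constructed sample after Step 5 (password changed with des-cbc-md5 enabled).
SAMPLE_GETPRINC_OK = SAMPLE_GETPRINC_MISSING.replace(
    "Number of keys: 2", "Number of keys: 3"
) + "Key: vno 2, DES cbc mode with RSA-MD5, Version 5\n"

# Constructed kdc.conf fragment with des-cbc-md5 listed last.
SAMPLE_KDC_CONF = """\
[realms]
    EXAMPLE.COM = {
        master_key_type = des-cbc-crc
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
    }
"""


if __name__ == "__main__":
    print("required key present:", has_des_md5_key(SAMPLE_GETPRINC_MISSING))
    print(supported_enctypes_line(promote_des_cbc_md5(SAMPLE_KDC_CONF)))
```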
Figure 13-28 Configuration | User Management | Groups | Authentication Servers | Add or Modify Kerberos/Active Directory Screen
Screen Elements
•
Authentication Server — Enter the host name or IP address of the Kerberos/Active Directory authentication server, for example: 192.168.12.34. Use dotted decimal notation for IP addresses.
•
Server Port — Enter the port number by which you access the server. Enter 0 (the default) to have the system supply the default port number, 88.
•
Timeout — Enter the time in seconds to wait after sending a query to the server and receiving no response, before trying again. The minimum time is 1 second. The default time is 4 seconds. The maximum time is 30 seconds.
•
Retries — Enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator declares this server inoperative and uses the next Kerberos/Active Directory authentication server in the list. The minimum number of retries is 0. The default number of retries is 2. The maximum number of retries is 10.
•
Realm — Enter the realm name for this server, for example: USDOMAIN.ACME.COM. The maximum length is 64 characters.
The following types of servers require that you enter the realm name in all uppercase letters: Windows 2000, Windows XP, and Windows.NET. If the letters are not uppercase, authentication fails.
You must enter this name, and it must be the correct realm name for the server for which you entered the IP address in Authentication Server. If it is incorrect, authentication fails.
•
Add / Apply — To add the new server to the list of configured user authentication servers, click Add. Or to apply your changes to the configured server, click Apply. Both actions include your entries in the active configuration. The Manager returns to the User Management | Groups | Authentication Servers screen. Any new server appears at the bottom of the Authentication Servers list.
•
Cancel — To discard your entries, click Cancel. The Manager returns to the User Management | Groups | Authentication Servers screen, and the Authentication Servers list is unchanged.
Groups | Authentication Servers | Test
This screen lets you test a configured external user authentication server to determine that:
•
The VPN Concentrator is communicating properly with the authentication server.
•
The server correctly authenticates a valid user.
•
The server correctly rejects an invalid user.
Figure 13-29 Configuration | User Management | Groups | Authentication Servers | Test Screen
Screen Elements
•
Username — To test connectivity and valid authentication, enter the username for a valid user who has been configured on the authentication server. The maximum username length is 64 characters. Entries are case-sensitive.
To test connectivity and authentication rejection, enter a username that is invalid on the authentication server.
•
Password — Enter the password for the username. The maximum password length is 32 characters. Entries are case-sensitive. The field displays only asterisks.
•
OK — To send the username and password to the selected authentication server, click OK. The authentication and response process takes a few seconds. The Manager displays a Success or Error screen.
•
Cancel — To cancel the test and discard your entries, click Cancel. The Manager returns to the User Management | Groups | Authentication Servers screen.
Authentication Server Test: Success
If the VPN Concentrator communicates correctly with the authentication server, and the server correctly authenticates a valid user, the Manager displays a Success screen.
Figure 13-30 Authentication Server Test: Success Screen
Authentication Server Test: Authentication Rejected Error
If the VPN Concentrator communicates correctly with the authentication server, and the server correctly rejects an invalid user, the Manager displays an Authentication Rejected Error screen.
Figure 13-31 Authentication Server Test: Authentication Rejected Error Screen
•
Retry the operation — Click to return to the User Management | Groups | Authentication Servers | Test screen.
•
Go to main menu — Click to go to the main VPN Concentrator Manager screen.
Authentication Server Test: Authentication Error
If the VPN Concentrator cannot communicate with the authentication server, the Manager displays an Authentication Error screen. Error messages include:
•
No response from server = There is no response from the selected server within the configured timeout and retry periods.
•
No active server found = The VPN Concentrator cannot find an active, configured server to test.
The server might be improperly configured or out of service, the network might be down or clogged, etc. Check the server configuration parameters, be sure the server is operating, check the network connections, etc.
Figure 13-32 Authentication Server Test: Authentication Error Screen
•
Retry the operation — Click to return to the User Management | Groups | Authentication Servers | Test screen.
•
Go to main menu — Click to go to the main VPN Concentrator Manager screen.
Groups | Authorization Servers
This screen lets you add, modify, delete, or change the priority order of authorization servers for a group. You can add external RADIUS or LDAP servers for authorizing users.
Before you configure an external server, be sure that the external server you reference is itself properly configured and that you know how to access it (IP address or host name, TCP/UDP port, secret/password, etc.). The VPN Concentrator functions as the client of these servers. For more information on setting up an external server for VPN Concentrator user authorization, see "Configuring an External Server for VPN Concentrator User Authorization."
You can configure and prioritize up to 10 authorization servers. The first server of a given type is the primary server for that type, and the rest are backup servers in case the primary is inoperative. If no authorization servers are configured for the group, the global authentication server list applies.
The global authentication server list only applies if no authorization servers are configured for this group. If a group is configured (in the User Management | Groups | IPSec Tab, Authorization Type field) to use a type of authorization server not available on this list, the VPN Concentrator does not redirect the authorization request to a server in the global list. The authorization fails. If you want users in this group to use the global authorization server, do not define any servers, of any type, here.
For example, if you configure a group to authorize using RADIUS, and if only an LDAP server appears on this list, user authorization fails. If you want these users to use the global RADIUS server, do not configure any server here.
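The selection rules above are easy to get wrong in practice, so here is a small model of them as an added example (not Cisco code): a group list that has any entries replaces the global list entirely, a request for a server type missing from the effective list fails rather than falling through, and the per-server Timeout and Retries values determine how long a client waits before the next server of that type is tried. Server addresses and the 10-server limit are taken from the text; the data class and function names are assumptions for the example.

```python
"""Model of how a group's authorization-server list is consulted.

Added illustration, not Cisco code. It encodes the rules stated in the
text: the group list is used if it has any entries at all; the global
list applies only when the group list is empty; within a list the first
server of the requested type is primary and the rest of that type are
backups; and a group whose list holds no server of the requested type
fails authorization instead of falling back to the global list.
"""
from dataclasses import dataclass

MAX_SERVERS = 10          # per-group limit stated in the text


@dataclass(frozen=True)
class AuthzServer:
    address: str          # IP address or host name, as shown in the Servers list
    server_type: str      # "RADIUS" or "LDAP"
    timeout: int = 4      # seconds to wait for a reply (screen default)
    retries: int = 2      # resends after the first timeout (screen default)


def candidate_servers(group_list, global_list, requested_type):
    """Return the servers to try, in priority order, for one authorization.

    Raises ValueError when the group list exists but has no server of the
    requested type, which is the case the text warns about.
    """
    if len(group_list) > MAX_SERVERS:
        raise ValueError(f"a group may list at most {MAX_SERVERS} servers")
    effective = group_list if group_list else global_list
    scope = "group" if group_list else "global"
    matches = [s for s in effective if s.server_type == requested_type]
    if not matches:
        raise ValueError(
            f"no {requested_type} server in the {scope} list; "
            "authorization fails (no fallback to the global list)")
    return matches


def worst_case_wait(servers):
    """Seconds until every server in the list has been declared inoperative.

    Each server is tried once and then retried `retries` times, and every
    attempt waits `timeout` seconds for a response.
    """
    return sum(s.timeout * (s.retries + 1) for s in servers)


if __name__ == "__main__":
    # Constructed sample configuration: the group lists only an LDAP server
    # while its Authorization Type asks for RADIUS.
    group = [AuthzServer("10.0.0.5", "LDAP")]
    global_servers = [AuthzServer("10.0.0.1", "RADIUS"),
                      AuthzServer("10.0.0.2", "RADIUS")]
    try:
        candidate_servers(group, global_servers, "RADIUS")
    except ValueError as err:
        print(err)
    order = candidate_servers([], global_servers, "RADIUS")
    print([s.address for s in order], worst_case_wait(order), "seconds worst case")
```

The worst-case figure is worth computing before deployment: with the screen defaults, two RADIUS servers that are both unreachable keep an IPSec client waiting 24 seconds before its authorization is reported as failed.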
Figure 13-33 Configuration | User Management | Groups | Authorization Servers Screen
Screen Elements
•
Servers — This list shows the configured servers, in priority order. Each entry shows the server identifier (IP address or host name) and type, for example: 192.168.12.34 (RADIUS). If no servers have been configured, the list shows --Empty--. The first server of each type is the primary; the rest of that type are backups.
•
Add — To configure and add a new user-authorization server, click Add. The Manager opens the User Management | Groups | Authorization Servers | Add or Modify screen.
•
Modify — To modify parameters for a configured user-authorization server, select the server from the list and click Modify. The Manager opens the User Management | Groups | Authorization Servers | Add or Modify screen.
•
Delete — To remove a configured server, select the server from the list and click Delete.
Note
There is no confirmation or undo.
The Manager refreshes the screen and shows the remaining servers in the list.
•
Move Up / Move Down — To change the priority order for a server, select the name in the Servers list and click Move Up or Move Down to move it up or down on the list of servers configured for this group.
•
Test — To test a configured user-authorization server, select the server from the list and click Test. The Manager opens the User Management | Groups | Authorization Servers | Test screen. There is no need to test the internal server, and trying to do so returns an error message.
•
Done — Click when you are finished configuring authorization servers. This action includes your settings in the active configuration. The Manager returns to the User Management | Groups screen.
Groups | Authorization Servers | Add or Modify
These screens let you:
•
Add: Configure and add a new user authorization server.
•
Modify: Modify parameters for a configured user authorization server.
For more information on configuring and using authorization servers, see System | Servers | Authorization.
Click the Server Type drop-down menu button and select the type of server. The screen and its configurable fields change depending on the server type. The choices are:
•
Server Type = RADIUS = Use an external RADIUS (Remote Authentication Dial-In User Service) server for user authorization.
•
Server Type = LDAP = Use an external LDAP (Lightweight Directory Access Protocol) server for user authorization.
Find your selected server type:
Server Type = RADIUS
Configure these parameters for a RADIUS authorization server.
Figure 13-34 Configuration | User Management | Groups | Authorization Servers | Add or Modify RADIUS Screen
Screen Elements
•
Authorization Server — Enter the IP address or host name of the RADIUS authorization server, for example: 192.168.12.34. The maximum number of characters is 32.
•
Server Port — Enter the UDP port number by which you access the server. Enter 0 (the default) to have the system supply the default port number, 1645.
Note
RFC 2865 assigns RADIUS authentication to UDP port 1812; port 1645 is the earlier, pre-RFC convention and conflicts with the datametrics service. Check which port your RADIUS server listens on and, if necessary, change this default value to 1812.
•
Timeout — Enter the time in seconds to wait after sending a query to the server and receiving no response, before trying again. The minimum time is 1 second. The default time is 4 seconds. The maximum time is 30 seconds.
•
Retries — Enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator declares this server inoperative and uses the next RADIUS authorization server in the list. The minimum number of retries is 0. The default number is 2. The maximum number is 10.
•
Server Secret — Enter the server secret (also called the shared secret) for the RADIUS server, for example: C8z077f. The VPN Concentrator uses the server secret to authenticate to the RADIUS server.
The server secret you configure here should match the one configured on the RADIUS server. If you do not know the server secret for the RADIUS server, ask the administrator of the RADIUS server.
The maximum field length is 64 characters. The field shows only asterisks.
•
Verify — Re-enter the RADIUS server secret to verify it. The field shows only asterisks.
•
Common User Password — Enter a common password for all users who are accessing this RADIUS authorization server through this VPN Concentrator.
The RADIUS authorization server requires a password and username for each connecting user. The VPN Concentrator provides the username automatically. You enter the password here. The RADIUS server administrator must configure the RADIUS server to associate this password with each user authorizing to the server via this VPN Concentrator. Be sure to provide this information to your RADIUS server administrator.
If you leave this field blank, each user's password is his or her own username; for example, the request for the user "jsmith" carries the password "jsmith". Whether you enter a common password or leave the field blank, the same credential is valid for every user this VPN Concentrator authorizes, so treat it as a shared secret and, as a security precaution, do not use this RADIUS server for authentication anywhere else on your network.
Note
This field is essentially a space-filler. The RADIUS server expects and requires it, but does not use it. Users do not need to know it.
•
Verify — Re-enter the Common User Password to verify it. The field shows only asterisks.
•
Add / Apply — To add the new server to the list of configured user authorization servers, click Add. Or to apply your changes to the configured server, click Apply. Both actions include your entries in the active configuration. The Manager returns to the User Management | Groups | Authorization Servers screen. Any new server appears at the bottom of the Authorization Servers list.
•
Cancel — To discard your entries, click Cancel. The Manager returns to the User Management | Groups | Authorization Servers screen, and the Authorization Servers list is unchanged.
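To make the RADIUS screen's fields concrete, the following added example (not Cisco code) builds the Access-Request that an authorization query produces and decodes it the way the RADIUS server does, using the RFC 2865 packet layout and User-Password hiding. The server secret never crosses the network; it keys the MD5 stream that hides the User-Password and lets the server check that the request came from a configured client. The Common User Password (or, when blank, the username) is what lands in the User-Password attribute for every user. The function names, the fixed Request Authenticator used in the demonstration, and the sample secret C8z077f from the screen text are illustrative; a real client draws the authenticator from a random source.

```python
"""Build and decode a RADIUS Access-Request (RFC 2865 encoding).

Added example, not Cisco code. Shows what the Authorization Server screen's
fields become on the wire: the server secret hides the User-Password and
is never sent; the Common User Password (or the username, when blank) is
the User-Password sent for every user.
"""
import hashlib
import os
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
RADIUS_DEFAULT_PORT = 1812   # RFC 2865; 1645 is the pre-RFC default


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the
    Request Authenticator in place of a previous block."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], stream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server does it; strips NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; the length byte includes the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def access_request(username: str, secret: str, common_password: str = "",
                   identifier: int = 0, authenticator=None) -> bytes:
    """Return the Access-Request for one authorization query. An empty
    common_password means the username is sent as the password."""
    authenticator = authenticator or os.urandom(16)
    password = (common_password or username).encode()
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD,
                         hide_password(password, secret.encode(), authenticator)))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_request(packet: bytes, secret: str):
    """Server-side view: return (code, identifier, {attr_type: value}) with
    the User-Password recovered using the shared secret."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("length field does not match packet size")
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    if ATTR_USER_PASSWORD in attrs:
        attrs[ATTR_USER_PASSWORD] = reveal_password(
            attrs[ATTR_USER_PASSWORD], secret.encode(), authenticator)
    return code, identifier, attrs


if __name__ == "__main__":
    pkt = access_request("jsmith", "C8z077f")          # blank common password
    print(pkt.hex())
    print(parse_request(pkt, "C8z077f"))
```

Two practical points follow from the encoding. A server configured with a different secret still parses the packet but recovers a garbage password and rejects the request, which is the usual cause of an "Authorization Rejected" test result against a reachable server. And the hiding is MD5-based and offers no confidentiality against an attacker who can capture traffic and guess the secret, so keep the path between the VPN Concentrator and the RADIUS server on a trusted network and choose a long, random server secret.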
Server Type = LDAP
Configure these parameters for an LDAP authorization server.
Figure 13-35 Configuration | User Management | Groups | Authorization Servers | Add or Modify LDAP Screen
Screen Elements
•
Authorization Server — Enter the IP address or hostname of the LDAP authorization server. Enter the IP address in dotted decimal notation, for example: 192.168.12.34.
•
Server Port — Enter the TCP port number by which you access the server. Enter 0 (the default) to have the system supply the default port number, 389. Port 389 carries LDAP in the clear, including the Login DN password sent in a simple bind, so keep the path between the VPN Concentrator and the directory server on a trusted network.
•
Timeout — Enter the time in seconds to wait after sending a query to the server and receiving no response, before trying again. The minimum time is 1 second. The default time is 4 seconds. The maximum time is 30 seconds.
•
Retries — Enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator declares this server inoperative and uses the next LDAP authorization server in the list. The minimum number of retries is 0. The default number of retries is 2. The maximum number of retries is 10.
•
Login DN — Some LDAP servers (including Microsoft Active Directory) require the VPN Concentrator to bind with credentials before they accept any other LDAP operation. The VPN Concentrator identifies itself for this authenticated bind with the Login DN and its password. The directory account named by the Login DN must be able to read the user entries below the Base DN; an administrator account works, but a dedicated read-only account limits the damage if the password is disclosed.
Enter the distinguished name of the directory object the VPN Concentrator binds as, for example: cn=Administrator, cn=users, ou=people, dc=XYZ Corporation, dc=com. For anonymous access, leave this field blank.
•
Password — Enter the password for the Login DN.
•
Verify — Re-enter the Login DN password to verify it. The field shows only asterisks.
•
Base DN — Enter the location in the LDAP hierarchy where the server should begin searching when it receives an authorization request. For example, OU=people, dc=cisco, dc=com.
•
Search Scope — Choose the extent of the search in the LDAP hierarchy that the server should make when it receives an authorization request.
–
One Level: Search only one level beneath the Base DN. This option is quicker.
–
Subtree: Search all levels beneath the Base DN; in other words, search the entire subtree hierarchy. This option takes more time.
•
Naming Attributes — Enter the Relative Distinguished Name attribute (or attributes) that uniquely identifies an entry on the LDAP server. Common naming attributes are Common Name (cn) and User ID (uid).
•
Add / Apply — To add the new server to the list of configured user authorization servers, click Add. Or to apply your changes to the configured server, click Apply. Both actions include your entries in the active configuration. The Manager returns to the User Management | Groups | Authorization Servers screen. Any new server appears at the bottom of the Authorization Servers list.
•
Cancel — To discard your entries, click Cancel. The Manager returns to the User Management | Groups | Authorization Servers screen, and the Authorization Servers list is unchanged.
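The Login DN, Base DN, Search Scope and Naming Attributes fields together describe one bind followed by one search. The added example below (not Cisco code) assembles those two operations in the form an LDAP client library accepts and, importantly, escapes the username in the search filter according to RFC 4515, so a username containing "*", "(" or ")" cannot widen the search to other entries. The scope numbers come from RFC 4511; the function names and the Base DN from the screen text are illustrative.

```python
"""Assemble the LDAP bind and search an authorization request implies.

Added example, not Cisco code. Bind as the Login DN (anonymous if blank),
then search from the Base DN with the chosen scope for an entry whose
naming attribute equals the username, with the username escaped per
RFC 4515 so it cannot alter the filter's structure.
"""
SCOPE_ONE_LEVEL = 1   # LDAP SearchRequest scope values (RFC 4511 s4.5.1)
SCOPE_SUBTREE = 2

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def bind_request(login_dn: str, password: str) -> dict:
    """Simple bind as the Login DN; a blank Login DN means an anonymous bind.

    A DN with an empty password is an 'unauthenticated' simple bind
    (RFC 4513 s5.1.2); many servers accept it and treat the session as
    anonymous, so the lookup could silently run without credentials.
    """
    if not login_dn:
        return {"dn": "", "password": ""}
    if not password:
        raise ValueError("a Login DN requires a password")
    return {"dn": login_dn, "password": password}


def search_filter(naming_attributes, username: str) -> str:
    """(cn=jsmith) for one attribute, (|(cn=jsmith)(uid=jsmith)) for several."""
    if not naming_attributes:
        raise ValueError("at least one naming attribute is required")
    if not username:
        raise ValueError("empty username")
    value = escape_filter_value(username)
    terms = [f"({attr}={value})" for attr in naming_attributes]
    return terms[0] if len(terms) == 1 else "(|" + "".join(terms) + ")"


def search_request(base_dn: str, scope: str, naming_attributes, username: str) -> dict:
    """Parameters of the SearchRequest; scope is the screen's
    'One Level' or 'Subtree'. All attributes of the matching entry are
    requested because they carry the authorization data."""
    scopes = {"One Level": SCOPE_ONE_LEVEL, "Subtree": SCOPE_SUBTREE}
    if scope not in scopes:
        raise ValueError(f"scope must be one of {sorted(scopes)}")
    return {"base": base_dn, "scope": scopes[scope],
            "filter": search_filter(naming_attributes, username),
            "attributes": ["*"]}


if __name__ == "__main__":
    print(bind_request("cn=vpnlookup,ou=people,dc=cisco,dc=com", "secret"))
    print(search_request("ou=people,dc=cisco,dc=com", "Subtree", ["cn", "uid"], "jsmith"))
    # A hostile username is neutralised rather than matching every entry:
    print(search_filter(["uid"], "a)(uid=*"))
```

Without the escaping step, the last call would yield (uid=a)(uid=*), a filter that matches every user under the Base DN; with it, the server looks for a literal value that no entry has.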
Groups | Authorization Servers | Test
This screen lets you test a configured user authorization server to determine that:
•
The VPN Concentrator is communicating properly with the authorization server.
•
The server correctly authorizes a valid user.
•
The server correctly rejects an authorization request for an invalid user.
Figure 13-36 Configuration | User Management | Groups | Authorization Servers | Test Screen
Screen Elements
•
Username — To test connectivity and valid authorization, enter the username for a valid user who has been configured on the authorization server. The maximum username length is 32 characters. Entries are case-sensitive.
To test connectivity and authorization rejection, enter a username that is invalid on the authorization server.
•
OK — To send the username to the chosen authorization server, click OK. The authorization and response process takes a few seconds. The Manager displays a Success or Error screen.
•
Cancel — To cancel the test and discard your entries, click Cancel. The Manager returns to the User Management | Groups | Authorization Servers screen.
Authorization Server Test: Success
If the VPN Concentrator communicates correctly with the authorization server, and the server correctly authorizes a valid user, the Manager displays a Success screen.
Figure 13-37 Authorization Server Test: Success Screen
Authorization Server Test: Authorization Rejected Error
If the VPN Concentrator communicates correctly with the authorization server, and the server correctly rejects an invalid user, the Manager displays an Authorization Rejected Error screen.
Figure 13-38 Authorization Server Test: Authorization Rejected Error Screen
•
Retry the operation — Click to return to the User Management | Groups | Authorization Servers | Test screen.
•
Go to main menu — Click to go to the main VPN Concentrator Manager screen.
Authorization Server Test: Authorization Error
If the VPN Concentrator cannot communicate with the authorization server, the Manager displays an Authorization Error screen. Error messages include:
•
No response from server = There is no response from the selected server within the configured timeout and retry periods.
•
No active server found = The VPN Concentrator cannot find an active, configured server to test.
The server might be improperly configured or out of service, the network might be down or clogged, etc. Check the server configuration parameters, be sure the server is operating, check the network connections, etc.
Figure 13-39 Authorization Server Test: Authorization Error Screen
•
Retry the operation — Click to return to the User Management | Groups | Authorization Servers | Test screen.
•
Go to main menu — Click to go to the main VPN Concentrator Manager screen.
Groups | Accounting Servers
This screen lets you add, modify, delete, or move external RADIUS accounting servers for a group. Accounting servers collect data on user connect time, packets transmitted, etc., under the VPN tunneling protocols: PPTP, L2TP, and IPSec. For more information on RADIUS accounting servers, see System | Servers | Accounting.
You can configure and prioritize up to 10 accounting servers. The first server is the primary, and the rest are backup servers in case the primary is inoperative. If no accounting servers are configured for a group, the Global accounting server list applies.
Before you configure an accounting server here, be sure that the server you reference is itself properly configured and that you know how to access it (IP address or host name, UDP port, server secret, etc.). The VPN Concentrator functions as the client of these servers.
Figure 13-40 Configuration | User Management | Groups | Accounting Servers Screen
Screen Elements
•
Servers — The Servers list shows the configured servers, in priority order. Each entry shows the server identifier and type, for example: 192.168.12.34 (Radius). If no servers have been configured, the list shows --Empty--. The first server is the primary, the rest are backup.
•
Add — To configure and add a new accounting server, click Add. The Manager opens the User Management | Groups | Accounting Servers | Add or Modify screen.
•
Modify — To modify parameters for an accounting server that has been configured, select the server from the list and click Modify. The Manager opens the User Management | Groups | Accounting Servers | Add or Modify screen.
•
Delete — To remove a server that has been configured, select the server from the list and click Delete.
Note
There is no confirmation or undo.
The Manager refreshes the screen and shows the remaining servers in the list. When you delete a server, any clients with no other accounting server configured use the server configured for the base group.
•
Move Up / Move Down — To change the priority order for an accounting server, select the server name and click Move Up or Move Down to move it up or down on the list of servers configured for this group.
•
Done — When you are finished configuring accounting servers, click Done. This action includes your settings in the active configuration. The Manager returns to the User Management | Groups screen.
Reminder:
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
Groups | Accounting Servers | Add or Modify
This section lets you add or modify RADIUS accounting servers for a group.
Figure 13-41 Configuration | User Management | Groups | Accounting Servers | Add or Modify Screen
Screen Elements
•
Accounting Server — Enter the IP address or host name of the RADIUS accounting server, for example: 192.168.12.34. (If you have configured a DNS server, you can enter a host name in this field; otherwise, enter an IP address.)
•
Server Port — Enter the UDP port number by which you access the accounting server. The default port number is 1646.
Note
RFC 2866 assigns RADIUS accounting to UDP port 1813; port 1646 is the earlier, pre-RFC convention. Check which port your accounting server listens on and, if necessary, change this default value to 1813.
•
Timeout — Enter the time in seconds to wait after sending a query to the accounting server and receiving no response, before trying again. The minimum time is 1 second. The default time is 1 second. The maximum time is 30 seconds.
•
Retries — Enter the number of times to retry sending a query to the accounting server after the timeout period. If there is still no response after this number of retries, the system declares this server inoperative and uses the next accounting server in the list. The minimum number of retries is 0. The default is 3. The maximum is 10.
•
Server Secret — Enter the server secret (also called the shared secret), for example: C8z077f. The field shows only asterisks.
•
Verify — Re-enter the server secret to verify it. The field shows only asterisks.
•
Add / Apply — To add this server to the list of configured user accounting servers, click Add. Or, to apply your changes to this user accounting server, click Apply. Both actions include your entry in the active configuration. The Manager returns to the User Management | Groups | Accounting Servers screen. Any new server appears at the bottom of the Accounting Servers list.
Groups | Address Pools
This screen lets you configure IP address pools from which the VPN Concentrator assigns addresses to clients on a per-group basis. If no address pools are defined for a group, the globally defined address pools apply.
Figure 13-42 Configuration | User Management | Groups | Address Pools Screen
Screen Elements
•
IP Pool Entry — The IP Pool Entry list shows the configured address pools for the group, in priority order. Each entry shows the range of IP addresses. If no address pools have been configured, the list shows --Empty--.
•
Add — To configure and add a new address pool, click Add. The Manager opens the User Management | Groups | Address Pools | Add or Modify screen.
•
Modify — To modify an address pool that has been configured, select the pool entry from the list and click Modify. The Manager opens the User Management | Groups | Address Pools | Add or Modify screen.
•
Delete — To remove an address pool that has been configured, select the pool from the list and click Delete.
•
Move Up / Move Down — To change the priority order for an address pool, select the pool and click Move Up or Move Down to move it up or down on the list of address pools configured for this group.
•
Done — When you are finished configuring address pools, click Done. This action includes your settings in the active configuration. The Manager returns to the User Management | Groups screen.
Reminder:
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
Groups | Address Pools | Add or Modify
These screens let you:
•
Add a new pool of IP addresses from which the VPN Concentrator assigns addresses to clients.
•
Modify an IP address pool that you have previously configured.
The IP addresses in the pool range must not be assigned to other network resources.
Figure 13-43 Configuration | User Management | Groups | Address Pools | Add or Modify Screen
Screen Elements
•
Range Start — Enter the first IP address available in this pool. For example: 10.10.147.100.
•
Range End — Enter the last IP address available in this pool. For example: 10.10.147.177.
•
Subnet Mask — Enter the subnet mask of the network that contains the pool. For example: 255.255.255.0. The mask must cover the entire range from Range Start to Range End.
•
Add / Apply — To add this IP address pool to the list of configured pools, click Add. Or to apply your changes to this IP address pool, click Apply. Both actions include your entry in the active configuration. The Manager returns to the User Management | Groups | Address Pools screen. Any new pool appears at the end of the IP Pool Entry list.
•
Cancel — To discard your entries, click Cancel. The Manager returns to the User Management | Groups | Address Pools screen, and the IP Pool Entry list is unchanged.
Reminder:
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
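Because a pool whose range does not fit its mask, or which overlaps another pool, produces clients that cannot route or two clients holding the same address, it is worth checking pools before they are added. The following added example (not Cisco code) validates a list of (Range Start, Range End, Subnet Mask) entries: the range must be ordered, must lie within one subnet under the mask, must not include the network or broadcast address, and must not overlap an earlier pool. The function names are assumptions; the example addresses are the ones from the screen text.

```python
"""Validate a group's address pools before adding them.

Added example, not Cisco code. Enforces: Range Start <= Range End; the
whole range lies inside one subnet under the given mask; the pool does
not include the network or broadcast address; and pools do not overlap
(an address assigned to one client must not be assignable elsewhere).
"""
import ipaddress


def check_pool(range_start: str, range_end: str, subnet_mask: str):
    """Return the IPv4Network the pool lives in, or raise ValueError."""
    start = ipaddress.IPv4Address(range_start)
    end = ipaddress.IPv4Address(range_end)
    if start > end:
        raise ValueError(f"Range Start {start} is after Range End {end}")
    # strict=False lets a host address plus dotted mask define the network.
    network = ipaddress.IPv4Network(f"{range_start}/{subnet_mask}", strict=False)
    if end not in network:
        raise ValueError(
            f"range {start}-{end} does not fit in {network} under mask {subnet_mask}")
    if network.prefixlen < 31 and (start == network.network_address
                                   or end == network.broadcast_address):
        raise ValueError(f"range {start}-{end} includes the network or broadcast address")
    return network


def check_pools(pools):
    """pools: list of (start, end, mask) in priority order.

    Returns the list of networks; raises ValueError on the first pool that
    is invalid or overlaps a pool earlier in the list.
    """
    seen, networks = [], []
    for start, end, mask in pools:
        networks.append(check_pool(start, end, mask))
        s, e = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
        for ps, pe in seen:
            if s <= pe and ps <= e:
                raise ValueError(
                    f"pool {start}-{end} overlaps "
                    f"{ipaddress.IPv4Address(ps)}-{ipaddress.IPv4Address(pe)}")
        seen.append((s, e))
    return networks


if __name__ == "__main__":
    # Constructed sample: the screen's example pool plus a second, disjoint one.
    print(check_pools([("10.10.147.100", "10.10.147.177", "255.255.255.0"),
                       ("10.10.148.10", "10.10.148.20", "255.255.255.0")]))
    try:   # a /31 mask cannot hold the 78-address example range
        check_pool("10.10.147.100", "10.10.147.177", "255.255.255.254")
    except ValueError as err:
        print(err)
```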
Groups | Client Update
This screen lets you configure client update entries.
The VPN Concentrator can automate the process of updating client software. The feature applies to the VPN Client and to the VPN 3002 hardware client as follows. When configured:
•
VPN Clients automatically receive notification that they should update their software from the named URL.
•
VPN 3002 hardware client software is automatically updated via TFTP.
Figure 13-44 Configuration | User Management | Groups | Client Update screen
Screen Elements
•
Update entry — The Update Entry list displays configured client update entries.
•
Add — To configure and add a new client update entry, click Add. The Manager opens the User Management | Groups | Client Update | Add or Modify screen.
•
Modify — To modify a client update entry that has been configured, select the entry from the list and click Modify. The Manager opens the User Management | Groups | Client Update | Add or Modify screen.
•
Delete — To remove a client update entry that has been configured, select the entry from the list and click Delete.
•
Done — When you are finished configuring client update entries, click Done. This action includes your settings in the active configuration. The Manager returns to the User Management | Groups screen.
Reminder:
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
Groups | Client Update | Add or Modify
These screens let you configure client update parameters.
Figure 13-45 Configuration | User Management | Groups | Client Update | Add or Modify Screens
Screen Elements
•
Client Type — Enter the client type you want to update. For the VPN Client, enter the Windows operating systems to notify:
–
Windows includes all Windows based platforms.
–
Win9X includes Windows 95, Windows 98, and Windows ME platforms.
–
WinNT includes Windows NT 4.0, Windows 2000, and Windows XP platforms.
For the VPN 3002 Hardware Client, enter vpn3002.
In all cases the entry must be exact, including case and spacing.
Note
The VPN Concentrator sends a separate notification message for each entry in a Client Update list. Therefore your client update entries must not overlap. For example, the value Windows includes all Windows platforms, and the value WinNT includes Windows NT 4.0, Windows 2000 and Windows XP platforms. So you would not include both Windows and WinNT.
•
URL — Enter the URL for the software/firmware image. This URL must point to a file appropriate for this client. Prefer an HTTPS URL for the VPN Client where possible: HTTP and TFTP provide no integrity protection for the downloaded image, so restrict the update server to trusted networks and verify the image before publishing it.
–
For the VPN Client: To activate the Launch button on the VPN Client Notification, the URL must include the protocol HTTP or HTTPS and the server address of the site that contains the update. The format of the URL is: http(s)://server_address:port/directory/filename. The server address can be either an IP address or a hostname if you have configured a DNS server. For example:
http://10.10.99.70/vpnclient-win-3.5.Rel-k9.exe
The directory is optional. You need the port number only if you use ports other than 80 for http or 443 for https.
–
For the VPN 3002 Hardware Client: The format of the URL is tftp://server_address/directory/filename. The server address can be either an IP address or a hostname if you have configured a DNS server. For example:
tftp://10.10.99.70/vpn3002-3.5.Rel-k9.bin
The directory is optional.
•
Revisions — Enter a comma separated list of software or firmware images appropriate for this client. The following caveats apply:
–
The revision list must include the software version for this update.
–
Your entries must match exactly those on the URL for the VPN Client, or the TFTP server for the VPN 3002.
–
The URL above must point to one of the images you enter.
If the client is already running a software version on the list, it does not need a software update. If the client is not running a software version on the list, an update is in order.
–
A VPN Client user must download an appropriate software version from the listed URL.
–
The VPN 3002 Hardware Client software is automatically updated via TFTP.
•
Add / Apply — To add this client update entry to the list of configured update entries, click Add. Or, to apply your changes, click Apply. Both actions include your entry in the active configuration. The Manager returns to the User Management | Groups | Client Update screen. Any new entry appears at the bottom of the Update Entries list.
•
Cancel — To discard your entries, click Cancel. The Manager returns to the User Management | Groups | Client Update screen, and the Update Entries list is unchanged.
Reminder:
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
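The Client Type, URL and Revisions rules above interact (exact case, no overlapping types, a scheme that matches the client, a file name that appears in the Revisions list), and a mistake means either no notification or a notification that points at a missing file. The following added example (not Cisco code) checks a set of entries against those rules and applies the version test the text describes. It assumes the client reports its running image in the same string form as the Revisions entries; the 3.6 image name and the function names are constructed for the example, while the 3.5 names and the server address 10.10.99.70 come from the screen text.

```python
"""Validate a group's Client Update entries before applying them.

Added example, not Cisco code. Checks the rules the screen text sets:
Client Type must match one of the listed values exactly; entries must
not overlap (Windows already covers Win9X and WinNT); the URL scheme
must suit the client (http/https for the VPN Client, tftp for the
VPN 3002); and the file the URL names must appear in the Revisions
list. need_update() applies the version test the text describes.
"""
from urllib.parse import urlparse

# client type -> the narrower types it already includes
CLIENT_TYPES = {"Windows": {"Win9X", "WinNT"}, "Win9X": set(),
                "WinNT": set(), "vpn3002": set()}
WEB = {"http", "https"}
SCHEMES = {"Windows": WEB, "Win9X": WEB, "WinNT": WEB, "vpn3002": {"tftp"}}


def check_entry(client_type: str, url: str, revisions: str):
    """Return (client_type, parsed_url, [revisions]) or raise ValueError."""
    if client_type not in CLIENT_TYPES:
        raise ValueError(f"unknown client type {client_type!r}; "
                         "the entry must match exactly, including case")
    parsed = urlparse(url)
    if parsed.scheme not in SCHEMES[client_type]:
        allowed = "/".join(sorted(SCHEMES[client_type]))
        raise ValueError(f"{client_type} needs a {allowed} URL, got {parsed.scheme!r}")
    if not parsed.hostname:
        raise ValueError("URL has no server address")
    revs = [r.strip() for r in revisions.split(",") if r.strip()]
    if not revs:
        raise ValueError("Revisions list is empty")
    filename = parsed.path.rsplit("/", 1)[-1]
    if filename not in revs:
        raise ValueError(f"URL names {filename!r}, which is not in the Revisions list")
    return client_type, parsed, revs


def check_entries(entries):
    """entries: list of (client_type, url, revisions). Rejects duplicate or
    overlapping client types, since each entry triggers its own notification."""
    checked = [check_entry(*entry) for entry in entries]
    types = [item[0] for item in checked]
    for client_type in types:
        if types.count(client_type) > 1:
            raise ValueError(f"duplicate Client Update entry for {client_type}")
        for covered in CLIENT_TYPES[client_type]:
            if covered in types:
                raise ValueError(f"{client_type} already includes {covered}; remove one entry")
    return checked


def need_update(running_version: str, revisions) -> bool:
    """A client already running a listed version needs no update."""
    return running_version not in revisions


if __name__ == "__main__":
    entries = [  # constructed sample entries
        ("WinNT", "https://10.10.99.70/vpnclient-win-3.5.Rel-k9.exe",
         "vpnclient-win-3.5.Rel-k9.exe, vpnclient-win-3.6.Rel-k9.exe"),
        ("vpn3002", "tftp://10.10.99.70/vpn3002-3.5.Rel-k9.bin", "vpn3002-3.5.Rel-k9.bin"),
    ]
    for client_type, parsed, revs in check_entries(entries):
        print(client_type, parsed.hostname, revs,
              "update needed for 3.1:", need_update("vpnclient-win-3.1.Rel-k9.exe", revs))
```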
Groups | Bandwidth Policy
Figure 13-46 Configuration | User Management | Groups | Bandwidth Policy Screen
Click the interface on which you want to configure Bandwidth Management for this group.
To apply a bandwidth policy to a group on an interface, bandwidth management must be enabled on that interface. If you choose an interface on which bandwidth management is disabled, a warning appears (see Figure 13-47). You must enable bandwidth management on the interface before you can continue.
Figure 13-47 Configuration | User Management | Groups | Bandwidth Policy | Interfaces Screen 1
If you choose an interface on which bandwidth management is enabled, the User Management | Groups | Bandwidth Policy | Interfaces screen appears. (See Figure 13-48.)
Groups | Bandwidth Policy | Interfaces
This screen lets you apply a group-wide bandwidth policy.
To configure bandwidth policy for interfaces, use the Bandwidth tab on the Interfaces | Ethernet screen.
Before you can apply a bandwidth policy to a group, you must first:
•
Define the policy. You do not define the policy itself on this screen. To define bandwidth policies, use the Policy Management | Traffic Management | Bandwidth Policies screen.
•
Enable bandwidth management on the interface the group is using. To enable bandwidth management on an interface, use the Interfaces | Ethernet screen, Bandwidth Parameters tab.
•
If you want the group to use a bandwidth reservation policy, you must first apply a bandwidth reservation policy to the interface the group is using. To apply a policy to an interface, use the Interfaces | Ethernet screen, Bandwidth Parameters tab.
Figure 13-48 Configuration | User Management | Groups | Bandwidth Policy Screen
Screen Elements
•
Policy — Select a bandwidth policy for the group for this interface. If you do not want to apply a Bandwidth Management policy here, then select None.
•
Bandwidth Aggregation — Enter a value for the minimum bandwidth to reserve for this group and select a unit of measurement:
–
bps — bits per second
–
kbps — one thousand bits per second
–
Mbps — one million bits per second
The default value of Bandwidth Aggregation is 0. The default unit of measurement is bps. If you want the group to share in the available bandwidth on the interface, enter 0.
•
Apply — To apply this bandwidth policy, click Apply. This action includes your entry in the active configuration. The Manager returns to the User Management | Groups | Bandwidth Policy screen.
•
Cancel — To discard your entries, click Cancel. The Manager returns to the User Management | Groups | Bandwidth Policy screen, and the active configuration is unchanged.
Groups | WebVPN Servers and URLs
This section lets you configure access to network resources for WebVPN users in this group. The HTML interface visible to these WebVPN users varies depending on the values you set here. Users see a customized home page that includes only those features that you enable.
Note
To enable WebVPN, you must also check the WebVPN checkbox in the Tunneling Protocols field of the User Management | Base Group | General Tab.
End users need Sun Microsystems Java™ Runtime Environment (version 1.4 or later) for application access to work properly.
Figure 13-49 Configuration | User Management | Groups | WebVPN Servers and URLs Screen
Screen Elements
•
Servers and URLs — This box lists all the servers and URLs that are accessible over a WebVPN connection to users in this group.
•
Add — To configure and add a new WebVPN server and URL entry, click Add. The Manager opens the User Management | Groups | WebVPN Servers and URLs | Add or Modify screen.
•
Modify — To modify a server and URL entry that has been configured, select the entry from the list and click Modify. The Manager opens the User Management | Groups | WebVPN Servers and URLs | Add or Modify screen.
•
Delete — To remove a WebVPN server entry that has been configured, select the entry from the list and click Delete.
•
Done — When you are finished configuring entries, click Done. This action includes your settings in the active configuration. The Manager returns to the User Management | Groups screen.
Groups | WebVPN Servers and URLs | Add or Modify
This section lets you configure servers and URLs that users in this group can access through a WebVPN connection. The types of servers you configure here include HTTP and file servers that provide the following resources: file shares, internal websites, e-mail proxies, and e-mail servers.
The user home page displays all servers that you configure here. If you configure no servers or URLs for the group, the global list of servers and URLs (Tunneling and Security | WebVPN | Servers and URLs) is available to users in this group.
Figure 13-50 Configuration | User Management | Groups | WebVPN Servers and URLs | Add/Modify Screen
Screen Elements
•
Name — Enter a short name or description that identifies this resource to end users.
•
Server Type — Select the type of server you are configuring.
–
CIFS servers are file servers.
–
HTTP servers are web servers.
–
HTTPS servers are SSL encrypted web servers.
•
Remote Server — Enter the URL, DNS name, or network path of the remote server for end users to access.
•
Add / Apply — To add this entry to the list of configured servers and URLs, click Add. Or, to apply your changes, click Apply. Both actions include your entry in the active configuration. The Manager returns to the User Management | Groups | WebVPN Servers and URLs screen. Any new entry appears at the end of the Servers and URLs list.
•
Cancel — To discard your entries, click Cancel. The Manager returns to the User Management | Groups | WebVPN Servers and URLs screen, and the Servers and URLs list is unchanged.
Groups | WebVPN Port Forwarding
WebVPN Port Forwarding provides access for remote users in the group to client/server applications that communicate over known, fixed TCP/IP ports. Remote users can use client applications that are installed on their local PC and securely access a remote server that supports that application.
Cisco has tested the following applications:
•
Windows Terminal Services
•
Telnet
•
Secure FTP (FTP over SSH)
•
Perforce
•
Outlook Express
•
Lotus Notes
Other TCP-based applications may also work, but Cisco has not tested them.
Note
Port Forwarding does not work with some SSL/TLS versions. See Tunneling and Security | SSL | Protocols for more information.
Figure 13-51 Configuration | User Management | Groups | WebVPN Port Forwarding Screen
Screen Elements
•
Forwarded Ports — This box lists all the applications that users in this group can access over a WebVPN connection. The format is:
Application name (Local TCP port -> Remote application server name or IP address:Remote TCP port).
•
Add — To configure and add a new application over WebVPN, click Add. The Manager opens the User Management | Groups | WebVPN Port Forwarding | Add or Modify screen.
•
Modify — To modify an already configured application, select the entry from the list and click Modify. The Manager opens the User Management | Groups | WebVPN Port Forwarding | Add or Modify screen.
•
Delete — To remove an application that has been configured, select the entry from the list and click Delete.
•
Done — When you are finished configuring entries, click Done. This action includes your settings in the active configuration. The Manager returns to the User Management | Groups screen.
Reminder:
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
Groups | WebVPN Port Forwarding | Add or Modify
This screen lets you add or modify access to TCP-based applications for users in the group. You can have a maximum of 252 port forwarding entries.
Using Hostnames vs. IP Addresses
When you use a hostname to identify a remote server, the Java applet modifies the hosts file on the user's PC (this requires Windows, and the user must have administrative privileges on the PC) to create an entry for each application server. For example, when you configure your first Port Forwarding remote server with hostname johndoew2ksrv, the Java applet creates a backup copy of the original hosts file, and then modifies the hosts file to include a WebVPN entry that maps johndoew2ksrv to the loopback IP address 127.0.0.2. If your second port forwarding entry is NotesServer, the Java applet adds to the hosts file an entry that maps NotesServer to 127.0.0.3. The applet then associates these loopback addresses with the real remote application ports. Each entry is unique by virtue of the loopback address the Java applet assigns, so the Local TCP Port value plays no part for hostname entries.
When you use an IP address to identify the remote server, the Java applet does not back up or modify the hosts file. It assigns each server the loopback IP address of 127.0.0.1 and the TCP port that is configured as the Local TCP Port. Since the assigned IP address is always 127.0.0.1, each entry must have a unique Local TCP Port to differentiate applications.
You configure client applications to communicate to a server address. When you use the hostname and remote TCP port, addressing information for application servers is the same regardless of the user's location. When you use an IP address and local TCP port, addressing information changes as the user changes locations, and you have to reconfigure client applications on users' PCs.
To summarize:
If you use IP addresses, users need to have client applications point to a 127.0.0.1 address and local port that can vary from location to location when connecting over WebVPN. They must reconfigure applications to a real IP address and port when they connect locally.
If you use hostnames, users can set their client applications to connect to the real hostname and TCP port for both remote WebVPN and directly connected sessions.
Figure 13-52 Configuration | User Management | Groups |WebVPN Port Forwarding Add/Modify Screen
Screen Elements
•
Name — Enter a name or description by which remote users can readily identify the service or application.
•
Local TCP Port — Assign a TCP port on the user's PC for this application to use. When the remote server is identified by IP address, the Java applet listens on the PC's loopback address 127.0.0.1 at this port; the port is what uniquely names the application, so each IP-address entry needs a distinct local port. If you use a hostname to identify the remote server, the applet maps the hostname to its own loopback address in the hosts file and ignores the Local TCP Port value.
Set the port in the range from 1024 to 65535 to avoid conflicts with existing services that may be on the user's workstation.
•
Remote Server — Enter the hostname or IP address of the remote server that supports this service or application.
While the VPN Concentrator accepts either IP addresses or hostnames, we recommend using hostnames because it is simpler for users. If you use hostnames, client applications can keep pointing at the real server name and port whether the user connects locally or over WebVPN. The preceding section, Using Hostnames vs. IP Addresses, explains why.
•
Remote TCP Port — Enter the TCP port that the remote server uses for this service or application. This is the real TCP port for the application; for example, 23 is the well-known port for Telnet.
•
Add / Apply — To add this forwarded port to the list of configured forwarded ports, click Add. Or, to apply your changes, click Apply. Both actions include your entry in the active configuration. The Manager returns to the User Management | Groups | WebVPN Port Forwarding screen. Any new entry appears at the end of the Forwarded Ports list.
•
Cancel — To discard your entries, click Cancel. The Manager returns to the User Management | Groups | WebVPN Port Forwarding screen, and the Forwarded Ports list is unchanged.
The WebVPN Application Access Window
To use applications over WebVPN, an end user clicks Application Access on the WebVPN home page. A Java applet opens the Application Access window (see Figure 13-53 for an example). This window displays the port forwarding applications previously configured in the Tunneling and Security | WebVPN | Port Forwarding | Add or Modify screens.
Figure 13-53 Example of a WebVPN Application Access Window
Application Access Window Fields
The fields in the Application Access window provide the following information.
•
Name — Identifies the application. This is the name that you assign in the Tunneling and Security | WebVPN | Port Forwarding | Add or Modify screen.
•
Local — The hostname or IP address and TCP port on the user's PC that this application uses.
•
Remote — The hostname or IP address and port of the remote server that supports this service or application.
Note
If you use hostnames for the Remote Server parameter in the Tunneling and Security | WebVPN | Port Forwarding | Add or Modify screen, the values in the Local and Remote fields in the Application Access window are identical. See the section, "Using Hostnames vs. IP Addresses" to understand why it is simpler to use hostnames.
•
Bytes Out/In — Records data traffic for the application in the current session.
•
Sockets — The number of sockets for the application in the current session.
About the Hosts File
WebVPN provides access to TCP-based applications by mapping application-specific ports on the end user's PC to application-specific ports on servers behind the VPN Concentrator. When an end user accesses an application over WebVPN using hostnames to identify the application server, the VPN Concentrator modifies the Hosts file to include a mapping entry for that application.
Figure 15-33 provides an example of what the Hosts file would look like for the applications configured for the WebVPN session in Figure 13-53 above. Notice that the Hosts file has entries for the application servers identified by hostnames. The Hosts file does not record those identified by IP address.
Find the hosts file on your PC in WINDOWS > SYSTEM32 > DRIVERS > ETC.
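The following Python model shows, end to end, how the Port Forwarding entries of this section (Local TCP Port, Remote Server, Remote TCP Port) turn into the Local and Remote columns of the Application Access window and into hosts file lines, and it adds two checks an administrator would want: validation of a proposed entry list before clicking Add, and detection of WebVPN loopback mappings left behind in a hosts file when the applet did not restore its backup. This is an added example, not Cisco code; the ForwardedPort layout, the hosts file line format, the loopback numbering starting at 127.0.0.2, and all sample entries and sample hosts file content are constructed assumptions based on the behaviour the guide describes.

```python
"""Model of how the WebVPN Application Access applet maps Port Forwarding
entries onto the user's PC, as this chapter describes it.  Added example,
not Cisco code: the entry layout, hosts-file line format and sample data
are assumptions used to illustrate the documented behaviour."""
import ipaddress
from dataclasses import dataclass

MAX_ENTRIES = 252                 # per-group limit stated in the guide
LOCAL_PORT_RANGE = (1024, 65535)  # recommended range for Local TCP Port


@dataclass(frozen=True)
class ForwardedPort:
    name: str
    local_port: int        # only meaningful when remote_server is an IP address
    remote_server: str     # hostname or IP address
    remote_port: int


def is_ip_address(server: str) -> bool:
    try:
        ipaddress.ip_address(server)
        return True
    except ValueError:
        return False


def validate(entries):
    """Checks worth running on a proposed entry list before it is configured."""
    errors = []
    if len(entries) > MAX_ENTRIES:
        errors.append(f"{len(entries)} entries exceeds the limit of {MAX_ENTRIES}")
    local_ports = {}
    lo, hi = LOCAL_PORT_RANGE
    for e in entries:
        if not lo <= e.local_port <= hi:
            errors.append(f"{e.name}: local port {e.local_port} outside {lo}-{hi}")
        # IP-address entries all share 127.0.0.1, so the local port is the only
        # thing that tells the applet's listeners apart; a duplicate is a conflict.
        if is_ip_address(e.remote_server):
            if e.local_port in local_ports:
                errors.append(f"{e.name}: local port {e.local_port} already used "
                              f"by {local_ports[e.local_port]}")
            local_ports[e.local_port] = e.name
    return errors


def plan_client_side(entries):
    """Return (listeners, hosts_lines).

    listeners  : (name, local, remote) per entry, i.e. the Local and Remote
                 columns of the Application Access window.
    hosts_lines: lines the applet adds to the hosts file.  Only hostname
                 entries appear; IP-address entries never touch the file.
    """
    listeners, hosts_lines = [], []
    next_loopback = 2                  # first hostname entry gets 127.0.0.2
    for e in entries:
        remote = f"{e.remote_server}:{e.remote_port}"
        if is_ip_address(e.remote_server):
            local = f"127.0.0.1:{e.local_port}"
        else:
            hosts_lines.append(f"127.0.0.{next_loopback}\t{e.remote_server}")
            next_loopback += 1
            local = remote             # Local and Remote columns are identical
        listeners.append((e.name, local, remote))
    return listeners, hosts_lines


def find_leftover_webvpn_entries(hosts_text: str):
    """Names a hosts file still maps to a loopback address other than 127.0.0.1.

    If the applet fails to restore its backup, such an entry stays behind and
    the client application keeps connecting to a listener that no longer exists.
    """
    leftovers = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, tokenise
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        if addr.version == 4 and addr.is_loopback and str(addr) != "127.0.0.1":
            leftovers.extend((str(addr), name) for name in fields[1:])
    return leftovers


# Constructed sample configuration, in the order the guide's example uses.
SAMPLE_ENTRIES = [
    ForwardedPort("Terminal Services", 3389, "johndoew2ksrv", 3389),
    ForwardedPort("Lotus Notes", 1352, "NotesServer", 1352),
    ForwardedPort("Telnet", 3023, "192.0.2.10", 23),
]

# Constructed hosts file as it might look after a session that was not cleaned up.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.2       johndoew2ksrv
127.0.0.3       NotesServer
"""

if __name__ == "__main__":
    for problem in validate(SAMPLE_ENTRIES):
        print("config error:", problem)
    listeners, hosts_lines = plan_client_side(SAMPLE_ENTRIES)
    for name, local, remote in listeners:
        print(f"{name:20} {local:24} -> {remote}")
    print("\n".join(hosts_lines))
    print("leftover entries:", find_leftover_webvpn_entries(SAMPLE_HOSTS))
```

Run it as-is to see the two hostname entries produce hosts file lines while the Telnet entry, identified by IP address, is reachable only as 127.0.0.1:3023. The leftover check is the one to run on a user's PC after a WebVPN session that ended abnormally: because the applet needs administrative privileges to edit the hosts file, stale entries silently redirect the real server name to a dead local listener until someone removes them or restores the backup.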
Users
This section of the Manager lets you configure access, use, and authentication parameters for users. Users inherit parameters from the specific group to which they belong.
Configuring users in this section means configuring them in the VPN Concentrator internal authentication server. If you have not configured the internal authentication server, this screen displays a notice that includes a link to the System | Servers | Authentication screen. The system also automatically configures the internal server when you add the first user.
See the discussion of groups and users in the User Management section at the beginning of this chapter. Remember:
•
The maximum number of groups and users (combined) that you can configure depends on your VPN Concentrator model. (See Table 13-1.)
•
A user can be a member of only one group.
•
Users who are not members of a specific group are, by default, members of the base group. Therefore, to ensure maximum security and control, you should assign all users to appropriate specific groups, and you should configure base-group parameters carefully.
Figure 13-54 Configuration | User Management | Users Screen
Screen Elements
•
Current Users — This list shows configured users in alphabetical order. If no users have been configured, the list shows --Empty--.
•
Add — To configure a new user, click Add. The Manager opens the User Management | Users | Add or Modify screen.
•
Modify — To modify a user that has been configured, select the user from the list and click Modify. The Manager opens the User Management | Users | Add or Modify screen.
•
Delete — To remove a user that has been configured, select the user from the list and click Delete.
Note
There is no confirmation or undo.
The Manager refreshes the screen and shows the remaining users in the list.
Users | Add or Modify
These Manager screens let you:
•
Add: Configure a new user and that user's parameters on the internal authentication server.
•
Modify: Change parameters for a user that you have previously configured on the internal authentication server. The screen title identifies the user you are modifying.
For many of these parameters, you can simply specify that the user "inherit" parameters from a group; and a user can be assigned either to a configured group or to the base group. Users who are not members of a configured group are, by default, members of the base group.
On this screen, you configure four kinds of parameters:
•
Identity Parameters: name, password, group, and IP address.
•
General Parameters: access, performance, and allowed tunneling protocols.
•
IPSec Parameters: IP Security tunneling protocol.
•
PPTP/L2TP Parameters: PPTP and L2TP tunneling protocols.
Tip
To streamline the configuration process, just fill in the Identity Parameters tab (assigning the user to a configured group), and click Add. Then select the user and click Modify. The user inherits the group parameters, and the Modify screen shows group parameters instead of base-group parameters.
Before configuring these parameters, you should configure the base-group parameters on the User Management | Base Group screen, and configure group parameters on the User Management | Groups screen.
Using the Tabs
This screen includes four tabbed sections. Click each tab to display its parameters. As you move from tab to tab, the Manager retains your settings. When you have finished setting parameters on all tabbed sections, click Add/Apply or Cancel.
Users | Identity Tab
This tab lets you configure the name, password, group, and IP address for this user.
Figure 13-55 Configuration | User Management | Users | Add or Modify, Identity Parameters Tab
Screen Elements
•
Username — Enter a unique name for this user. The maximum name length is 64 characters. Entries are case-sensitive.
If you change this name, this user profile replaces the existing profile.
•
Password — Enter a unique password for this user. The minimum length must satisfy the minimum for the group to which you assign this user (base group or specific group). The maximum length is 32 characters. Entries are case-sensitive. The field displays only asterisks.
•
Verify — Re-enter the user password to verify it. The field displays only asterisks.
•
Group — Click this drop-down menu button and select the group to which you assign this user. The list shows specific groups you have configured, plus Base Group — the default group with its base-group parameters.
•
IP Address — Enter the IP address assigned to this user. Enter this address only if you assign this user to the base group or an internally configured group, and if you configure Use Address from Authentication Server on the System | Address Management | Assignment screen. Otherwise, leave this field blank.
•
Subnet Mask — Enter the subnet mask assigned to this user. Enter this mask only if you configure an IP address in the preceding field; otherwise leave this field blank.
Users | General Tab
This tab lets you configure general access, performance, and allowed tunneling protocols that apply to this user.
Figure 13-56 Configuration | User Management | Users | Add or Modify Screen, General Tab
Screen Elements
•
Value / Inherit? — On this tabbed section:
–
The Inherit check box refers to group parameters: Does this user inherit the given setting from the group? On the Add screen, this check box causes the user to inherit the base-group parameter setting. On the Modify screen, this check box causes the user to inherit its assigned-group parameter setting; the assigned group can be the base group or a configured group.
Users inherit settings from the group by default. To override the group setting, uncheck the box. If you uncheck the check box, you must enter or change any corresponding Value field; do not leave the field blank.
–
The Value column thus shows either group parameter settings that also apply to this user (Inherit checked), or unique parameter settings configured for this user (Inherit cleared). You cannot configure a grayed-out parameter.
Note
The setting of the Inherit check box takes priority over an entry in a Value field. Examine this box before continuing and be sure its setting reflects your intent.
•
Access Hours, Simultaneous Logins, Idle Timeout, Maximum Connect Time — See the instructions for User Management | Base Group | General Tab earlier in this guide.
•
Filter — See the instructions for User Management | Base Group | General Tab earlier in this guide, and refer to the section, Release 4.1 Affects Filters, below.
•
SEP Card Assignment, Tunneling Protocols — See the instructions for User Management | Base Group | General Tab earlier in this guide.
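The Inherit semantics described on this tab (and repeated on the IPSec and PPTP/L2TP tabs) are easy to get wrong in an audit: a value typed into a Value field is ignored while Inherit is checked, and a group may itself inherit from the base group, so a user's effective setting can come from any of three levels. The following Python resolver walks that chain and reports where each user's value came from, which is the check to run before trusting that a sensitive parameter such as Idle Timeout or Simultaneous Logins is really enforced. This is an added example, not Cisco code; the dictionary layout, the parameter names and the sample users and groups are constructed assumptions.

```python
"""Resolve a user's effective parameter through the user -> assigned group ->
base group chain, honouring the rule that a checked Inherit box takes priority
over anything typed in the Value field.  Added example, not Cisco code; the
data layout and sample configuration are assumptions."""

# A user or group setting is {"inherit": bool, "value": ...}.  Base-group
# settings have no Inherit box, so they are stored as plain values.
INHERIT = {"inherit": True, "value": None}


def resolve(parameter, user, group, base_group):
    """Return (effective_value, source) with source 'user', 'group' or 'base'.

    group is None when the user is assigned directly to the Base Group.
    """
    u = user["settings"].get(parameter, INHERIT)
    if not u["inherit"]:
        if u["value"] is None:
            # The guide: with Inherit cleared you must fill in the Value field.
            raise ValueError(f"{user['name']}: {parameter} has Inherit cleared but no value")
        return u["value"], "user"
    # Inherit checked: whatever sits in the Value field is ignored.
    if group is not None:
        g = group["settings"].get(parameter, INHERIT)
        if not g["inherit"]:
            return g["value"], "group"
    return base_group[parameter], "base"


def audit(parameter, users, groups, base_group):
    """One (user, group name, effective value, source) row per user."""
    rows = []
    for u in users:
        grp = groups.get(u["group"])          # None for "Base Group"
        value, source = resolve(parameter, u, grp, base_group)
        rows.append((u["name"], u["group"], value, source))
    return rows


def base_group_fallthrough(users, groups):
    """Users not in any configured group: they get base-group parameters wholesale."""
    return [u["name"] for u in users if u["group"] not in groups]


# Constructed sample configuration.
BASE_GROUP = {"idle_timeout": 30, "simultaneous_logins": 3}
GROUPS = {
    "engineering": {"settings": {"idle_timeout": {"inherit": False, "value": 15}}},
    "contractors": {"settings": {}},   # inherits everything from the base group
}
USERS = [
    {"name": "alice", "group": "engineering", "settings": {}},
    # bob typed 60 into the Value field but left Inherit checked: 60 is ignored.
    {"name": "bob", "group": "engineering",
     "settings": {"idle_timeout": {"inherit": True, "value": 60}}},
    {"name": "carol", "group": "contractors",
     "settings": {"simultaneous_logins": {"inherit": False, "value": 1}}},
    {"name": "dave", "group": "Base Group", "settings": {}},
]

if __name__ == "__main__":
    for row in audit("idle_timeout", USERS, GROUPS, BASE_GROUP):
        print("%-6s %-12s idle_timeout=%-3s from %s" % row)
    print("falls through to base group:", base_group_fallthrough(USERS, GROUPS))
```

The bob row is the case the Note above warns about: the Value field shows 60, but the effective timeout is the group's 15 because Inherit is checked. The fallthrough list is the companion to the earlier advice that every user should be placed in a specific group, since anyone it names is governed entirely by base-group parameters.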
Release 4.1 Affects Filters
A Release 4.0 VPN Concentrator evaluates filter rules in order, and the first matching rule decides. A filter that permits HTTPS only from one PC therefore consists of:
•
Rule 1. Allow HTTPS In/Out for PC 1.
•
Rule 2. Drop all other HTTPS traffic (the default action).
When you upgrade to Release 4.1 and enable the Allow Management HTTPS sessions or Allow WebVPN HTTPS sessions parameters on the public interface, enforcement changes. The VPN Concentrator now enforces filter rules in the following order:
•
Rule 1. Allow HTTPS in/out for PC 1.
•
Rule 2. Allow HTTPS Management sessions and Allow WebVPN HTTPS sessions in/out of an interface.
•
Rule 3. Drop all other HTTPS traffic (the default action).
Because the first matching rule wins, Rule 2 matches every source and prevents Rule 3 from ever being enforced. Any PC on the public network can HTTPS in or out of the VPN Concentrator.
With Release 4.1 you must explicitly define rules to disallow HTTPS traffic from specific PCs. In the following example, you must define Rule 2:
•
Rule 1. Allow HTTPS In/Out for PC 1.
•
Rule 2. Disallow every other PC (0.0.0.0/255.255.255.255, that is, address 0.0.0.0 with a wildcard mask of 255.255.255.255, which matches any address).
•
Rule 3. Allow HTTPS Management sessions and Allow WebVPN HTTPS sessions in/out of an interface.
•
Rule 4. Drop all other HTTPS traffic (the default action).
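The three rule orders above can be checked mechanically. The following Python first-match evaluator models the filter with Cisco-style wildcard masks (a 1 bit in the mask means "don't care", which is why 0.0.0.0/255.255.255.255 matches every address) and shows that a second PC is dropped on Release 4.0, allowed after the upgrade to 4.1 with the interface parameters enabled, and dropped again once the explicit Rule 2 is added. This is an added example, not Cisco code; the rule tuple layout, the sample addresses, and the treatment of the Allow Management HTTPS sessions and Allow WebVPN HTTPS sessions parameters as a single implicit allow-any rule are assumptions used to illustrate the documented change.

```python
"""First-match evaluation of the HTTPS filter rules in the three orders the
guide describes.  Added example, not Cisco code: the rule representation, the
sample addresses, and modelling the 4.1 interface parameters as one implicit
allow-any rule are assumptions."""
import ipaddress


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Cisco-style wildcard mask: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ r) & ~w) & 0xFFFFFFFF == 0


def evaluate(rules, src: str):
    """Rules are (description, address, wildcard, action).  The first rule
    whose address matches decides; the filter's default action (drop)
    applies only when nothing matched."""
    for desc, rule_addr, wildcard, action in rules:
        if wildcard_match(src, rule_addr, wildcard):
            return action, desc
    return "drop", "default action"


PC1 = "203.0.113.10"        # the one PC that should reach the concentrator
OTHER_PC = "198.51.100.7"   # any other host on the public network

ALLOW_PC1 = ("Rule: Allow HTTPS in/out for PC 1", PC1, "0.0.0.0", "allow")
DENY_ALL = ("Rule: Disallow every other PC", "0.0.0.0", "255.255.255.255", "drop")
# Release 4.1 interface parameters, modelled as an implicit allow-any rule that
# sits after the administrator's rules and before the default action.
ALLOW_MGMT_WEBVPN = ("Allow Management / WebVPN HTTPS sessions (interface parameter)",
                     "0.0.0.0", "255.255.255.255", "allow")

RULES_4_0 = [ALLOW_PC1]
RULES_4_1_AFTER_UPGRADE = [ALLOW_PC1, ALLOW_MGMT_WEBVPN]
RULES_4_1_FIXED = [ALLOW_PC1, DENY_ALL, ALLOW_MGMT_WEBVPN]


def decisions(rules):
    """Decision for PC 1 and for some other PC under one rule order."""
    return {src: evaluate(rules, src)[0] for src in (PC1, OTHER_PC)}


if __name__ == "__main__":
    for label, rules in (("4.0", RULES_4_0),
                         ("4.1 after upgrade", RULES_4_1_AFTER_UPGRADE),
                         ("4.1 with explicit deny", RULES_4_1_FIXED)):
        print(f"{label:24}", decisions(rules))
```

Note what the fix costs: Rule 2 sits ahead of the interface parameters, so it also drops HTTPS from every WebVPN user who is not PC 1. If the interface is meant to serve WebVPN clients while management access stays restricted, the deny rule has to be scoped to the management port or source range you actually want to block rather than to every address.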
Users | IPSec Tab
This tab lets you configure IP Security Protocol parameters that apply to this user. If you checked IPSec or L2TP over IPSec under Tunneling Protocols on the Users | General Tab, configure this section.
Figure 13-57 Configuration | User Management | Users | Add or Modify Screen, IPSec Tab
Screen Elements
•
Value / Inherit? — On this tabbed section:
–
The Inherit check box refers to group parameters: Does this user inherit the given setting from the group? On the Add screen, this check box causes the user to inherit the base-group parameter setting. On the Modify screen, this check box causes the user to inherit its assigned-group parameter setting; the assigned group can be the base group or a configured group.
Users inherit settings from the group by default. To override the group setting, uncheck the box. If you uncheck the check box, you must enter or change any corresponding Value field; do not leave the field blank.
–
The Value column thus shows either group parameter settings that also apply to this user (Inherit checked), or unique parameter settings configured for this user (Inherit cleared). You cannot configure a grayed-out parameter.
Note
The setting of the Inherit check box takes priority over an entry in a Value field. Examine this box before continuing and be sure its setting reflects your intent.
•
IPSec SA — See the instructions for User Management | Base Group | IPSec Tab earlier in this guide.
•
Store Password on Client — See the instructions for User Management | Base Group | Client Config Tab earlier in this guide. This parameter has no bearing on individual user authentication for a VPN 3002.
Users | PPTP/L2TP Tab
This tab lets you configure PPTP and L2TP parameters that apply to this user. During tunnel establishment, the user client and server negotiate access and usage based on these parameters. Only clients that meet these criteria are allowed access. If you checked PPTP, L2TP, or L2TP over IPSec under Tunneling Protocols on the General Parameters tab, configure these parameters.
Figure 13-58 Configuration | User Management | Users | Add or Modify Screen, PPTP/L2TP Tab
Screen Elements
•
Value / Inherit? — On this tabbed section:
–
The Inherit check box refers to group parameters: Does this user inherit the given setting from the group? On the Add screen, this check box causes the user to inherit the base-group parameter setting. On the Modify screen, this check box causes the user to inherit its assigned-group parameter setting; the assigned group can be the base group or a configured group.
Users inherit settings from the group by default. To override the group setting, uncheck the box. If you uncheck the check box, you must enter or change any corresponding Value field; do not leave the field blank.
–
The Value column thus shows either group parameter settings that also apply to this user (Inherit checked), or unique parameter settings configured for this user (Inherit cleared). You cannot configure a grayed-out parameter.
Note
The setting of the Inherit check box takes priority over an entry in a Value field. Examine this box before continuing and be sure its setting reflects your intent.
•
Use Client Address, PPTP Authentication Protocols, L2TP Authentication Protocols — See the instructions for User Management | Base Group | PPTP/L2TP Tab earlier in this guide.
Note
At the User level for PPTP and L2TP Authentication Protocols, EAP Proxy as shown under User Management | Base Group | PPTP/L2TP Tab is not available.
•
Add / Apply — When you finish setting or changing parameters on all tabs, click Add or Apply at the bottom of the screen to Add this user to the list of configured internal users, or to Apply your changes. Both actions include your settings in the active configuration. The Manager returns to the User Management | Users screen. Any new users appear in alphabetical order in the Current Users list.
•
Cancel — To discard your settings, click Cancel. The Manager returns to the User Management | Users screen, and the Current Users list is unchanged.
Reminder:
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.