Cisco ASA 5505 User Manual

67-23

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 67 Configuring Connection Profiles, Group Policies, and Users

Configuring Connection Profiles

Note

The password-management command, entered in tunnel-group general-attributes
configuration mode replaces the deprecated radius-with-expiry command that was formerly
entered in tunnel-group ipsec-attributes mode.

When you configure this command, the ASA notifies the remote user at login that the user’s current
password is about to expire or has expired. The ASA then offers the user the opportunity to change the
password. If the current password has not yet expired, the user can still log in using that password. The
ASA ignores this command if RADIUS or LDAP authentication has not been configured.

Note that this does not change the number of days before the password expires, but rather, the number
of days ahead of expiration that the ASA starts warning the user that the password is about to expire.

If you do specify the password-expire-in-days keyword, you must also specify the number of days.

See

Configuring Microsoft Active Directory Settings for Password Management, page 67-28

for more

information.

Step 10

Specifying this command with the number of days set to 0 disables this command. The ASA does not
notify the user of the pending expiration, but the user can change the password after it
expires.Optionally, configure the ability to override an account-disabled indicator from the AAA server,
by entering the override-account-disable command:

hostname(config-tunnel-general)# override-account-disable

hostname(config-tunnel-general)#

Note

Allowing override account-disabled is a potential security risk.

Configuring Tunnel-Group Attributes for Clientless SSL VPN Sessions

To configure the parameters specific to a clientless SSL VPN connection profile, follow the steps in this
section. Clientless SSL VPN was formerly known as WebVPN, and you configure these attributes in
tunnel-group webvpn-attributes mode.

Step 1

To specify the attributes of a clientless SSL VPN tunnel-group, enter tunnel-group webvpn-attributes
mode by entering the following command. The prompt changes to indicate the mode change:

hostname(config)# tunnel-group tunnel-group-name webvpn-attributes

hostname(config-tunnel-ipsec)#

For example, to specify the webvpn-attributes for the clientless SSL VPN tunnel-group named sales,
enter the following command:

hostname(config)# tunnel-group sales webvpn-attributes

hostname(config-tunnel-webvpn)#

Step 2

To specify the authentication method to use: AAA, digital certificates, or both, enter the authentication
command. You can specify either aaa or certificate or both, in any order.

hostname(config-tunnel-webvpn)# authentication authentication_method

hostname(config-tunnel-webvpn)#

For example, The following command allows both AAA and certificate authentication:

hostname(config-tunnel-webvpn)# authentication aaa certificate