Cisco ASA 5505 User Manual


67-26

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 67 Configuring Connection Profiles, Group Policies, and Users

Configuring Connection Profiles

hostname(config-tunnel-general)# tunnel-group RadiusServer webvpn-attributes
hostname(config-tunnel-webvpn)# group-alias "Cisco Remote Access" enable
hostname(config-tunnel-webvpn)# group-url http://www.cisco.com enable
hostname(config-tunnel-webvpn)# group-url http://192.168.10.10 enable
hostname(config-tunnel-webvpn)#

For a more extensive example, see Customizing Login Windows for Users of Clientless SSL VPN Sessions, page 67-27.

Step 6

To exempt users who connect through one of the group-urls from running Cisco Secure Desktop (CSD), on a
per-connection-profile basis, enter the following command:

hostname(config-tunnel-webvpn)# without-csd
hostname(config-tunnel-webvpn)#

Note

Entering this command prevents the detection of endpoint conditions for these sessions, so you
may need to adjust the dynamic access policy (DAP) configuration.

Step 7

To specify the DNS server group to use for a connection profile for clientless SSL VPN sessions, use
the dns-group command. The group you specify must be one you already configured in global
configuration mode (using the dns server-group and name-server commands).

By default, the connection profile uses the DNS server group DefaultDNS. However, this group must be
configured before the security appliance can resolve DNS requests.

The following example configures a new DNS server group named corp_dns and specifies that server
group for the connection profile telecommuters:

hostname(config)# dns server-group corp_dns
hostname(config-dns-server-group)# domain-name cisco.com
hostname(config-dns-server-group)# name-server 209.165.200.224
hostname(config)# tunnel-group telecommuters webvpn-attributes
hostname(config-tunnel-webvpn)# dns-group corp_dns
hostname(config-tunnel-webvpn)#

Step 8

(Optional) To enable extracting a username from a client certificate for use in authentication and
authorization, use the pre-fill-username command in tunnel-group webvpn-attributes mode. There is no
default value.

hostname(config-tunnel-webvpn)# pre-fill-username {ssl-client | clientless}

The pre-fill-username command enables the use of a username extracted from the certificate field
specified in the username-from-certificate command (in tunnel-group general-attributes mode) as the
username for username/password authentication and authorization. To use this pre-fill username from
certificate feature, you must configure both commands.

Note

In Release 8.0.4, the username is not pre-filled; instead, any data sent in the username field is
ignored.

The following example, entered in global configuration mode, creates an IPsec remote access tunnel
group named remotegrp, enables extracting the username from a certificate, and specifies that the
username for an authentication or authorization query from an SSL VPN client must be derived from the
digital certificate:

hostname(config)# tunnel-group remotegrp type ipsec_ra
hostname(config)# tunnel-group remotegrp general-attributes
hostname(config-tunnel-general)# username-from-certificate CN OU
hostname(config)# tunnel-group remotegrp webvpn-attributes
hostname(config-tunnel-webvpn)# pre-fill-username ssl-client
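Steps 6 through 8 each carry a condition worth checking in a running configuration: without-csd disables endpoint checks on a profile, dns-group must name a dns server-group that actually exists, and pre-fill-username only works when username-from-certificate is also set. The following audit script is an added example, not Cisco's code; it parses a constructed running-config excerpt (SAMPLE_CONFIG) in the indented format of show running-config and reports those three conditions per tunnel-group.

```python
import re
from collections import defaultdict

# Constructed sample of an ASA running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
dns server-group corp_dns
 name-server 209.165.200.224
tunnel-group telecommuters webvpn-attributes
 dns-group corp_dns
 group-url http://192.168.10.10 enable
 without-csd
tunnel-group remotegrp general-attributes
 username-from-certificate CN OU
tunnel-group remotegrp webvpn-attributes
 pre-fill-username ssl-client
tunnel-group contractors webvpn-attributes
 dns-group partner_dns
 pre-fill-username clientless
"""

def parse_config(config):
    """Collect dns server-group names and, per tunnel-group, the sub-commands of each attribute mode."""
    dns_groups, profiles, current = set(), defaultdict(lambda: defaultdict(list)), None
    for line in config.splitlines():
        if line.startswith(" ") and current:        # indented line: sub-command of the current block
            profiles[current[0]][current[1]].append(line.strip())
        elif line.startswith("dns server-group "):  # top-level lines start a new block
            dns_groups.add(line.split()[2])
            current = None
        else:
            m = re.match(r"tunnel-group (\S+) (general-attributes|webvpn-attributes)$", line)
            current = (m.group(1), m.group(2)) if m else None
    return dns_groups, profiles

def audit(config):
    """Report the conditions Steps 6-8 warn about, as (profile, finding) pairs."""
    dns_groups, profiles = parse_config(config)
    findings = []
    for name, modes in profiles.items():
        webvpn, general = modes["webvpn-attributes"], modes["general-attributes"]
        if "without-csd" in webvpn:    # Step 6 note: endpoint checks skipped, DAP may need adjusting
            findings.append((name, "without-csd set: no endpoint checks, review DAP"))
        for cmd in webvpn:             # Step 7: dns-group must name a configured dns server-group
            if cmd.startswith("dns-group ") and cmd.split()[1] not in dns_groups:
                findings.append((name, f"dns-group {cmd.split()[1]} is not a configured dns server-group"))
        has_prefill = any(c.startswith("pre-fill-username") for c in webvpn)
        has_cert_field = any(c.startswith("username-from-certificate") for c in general)
        if has_prefill and not has_cert_field:   # Step 8: both commands are required together
            findings.append((name, "pre-fill-username without username-from-certificate"))
    return findings
```

Calling audit(SAMPLE_CONFIG) flags telecommuters for the CSD exemption and contractors for both an undefined DNS group and a pre-fill-username with no certificate field configured; remotegrp passes because both commands are present.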
