Cisco ASA 5505 User Manual

67-10

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 67 Configuring Connection Profiles, Group Policies, and Users

Configuring Connection Profiles

The following example inherits the authentication server group from the default remote access group.

hostname(config-group-policy)# no nac-authentication-server-group

hostname(config-group-policy)

Note

NAC requires a Cisco Trust Agent on the remote host.

Step 8

Specify whether to strip the group or the realm from the username before passing it on to the AAA server.
The default is not to strip either the group name or the realm.

hostname(config-tunnel-general)# strip-group

hostname(config-tunnel-general)# strip-realm

hostname(config-tunnel-general)#

A realm is an administrative domain. If you strip the realm, the ASA uses the username and the group
(if present) authentication. If you strip the group, the ASA uses the username and the realm (if present)
for authentication.Enter the strip-realm command to remove the realm qualifier, and use the strip-group
command to remove the group qualilfier from the username during authentication. If you remove both
qualifiers, authentication is based on the username alone. Otherwise, authentication is based on the full
username@realm or username<delimiter> group string. You must specify strip-realm if your server is
unable to parse delimiters.

Step 9

Optionally, if your server is a RADIUS, RADIUS with NT, or LDAP server, you can enable password
management.

Note

If you are using an LDAP directory server for authentication, password management is
supported with the Sun Microsystems JAVA System Directory Server (formerly named the Sun
ONE Directory Server) and the Microsoft Active Directory.

Sun—The DN configured on the ASA to access a Sun directory server must be able to access
the default password policy on that server. We recommend using the directory administrator, or
a user with directory administrator privileges, as the DN. Alternatively, you can place an ACI on
the default password policy.

Microsoft—You must configure LDAP over SSL to enable password management with
Microsoft Active Directory.

See the

“Configuring Authorization with LDAP for VPN” section on page 35-16

for more

information.

This feature, which is disabled by default, warns a user when the current password is about to expire.
The default is to begin warning the user 14 days before expiration:

hostname(config-tunnel-general)# password-management

hostname(config-tunnel-general)#

If the server is an LDAP server, you can specify the number of days (0 through 180) before expiration
to begin warning the user about the pending expiration:

hostname(config-tunnel-general)# password-management [password-expire in days n]

hostname(config-tunnel-general)#