Cisco ASA 5505 User Manual

67-13

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 67 Configuring Connection Profiles, Group Policies, and Users

Configuring Connection Profiles

The values for the DN fields to extract from the certificate for use as a secondary username are the same
as for the primary username-from-certificate command. Alternatively, you can specify the use-script
keyword, which directs the ASA to use a script file generated by ASDM.

For example, to specify the Common Name as the primary username field and Organizational Unit as
the secondary username field, enter the following commands:

hostname(config-tunnel-general)# tunnel-group test1 general-attributes

hostname(config-tunnel-general)# username-from-certificate cn

hostname(config-tunnel-general)# secondary-username-from-certificate ou

Step 3

Specify the secondary-pre-fill-username command in tunnel-group webvpn-attributes mode to enable
extracting a secondary username from a client certificate for use in authentication. Use the keywords to
specify whether this command applies to a clientless connection or an SSL VPN (AnyConnect) client
connection and whether you want to hide the extracted username from the end user. This feature is
disabled by default. Clientless and SSL-client options can both exist at the same time, but you must
configure them in separate commands.

hostname(config-tunnel-general)# secondary-pre-fill-username-from-certificate {clientless

| ssl-client} [hide]

For example, to specify the use of pre-fill-username for both the primary and secondary authentication
for a connection, enter the following commands:

hostname(config-tunnel-general)# tunnel-group test1 general-attributes

hostname(config-tunnel-general)# pre-fill-username ssl-client

hostname(config-tunnel-general)# secondary-pre-fill-username ssl-client

Step 4

Specify which authentication server to use to obtain the authorization attributes to apply to the
connection. The primary authentication server is the default selection. This command is meaningful only
for double authentication.

hostname(config-tunnel-general)# authentication-attr-from-server {primary | secondary}

For example, to specify the use of the secondary authentication server, enter the following commands:

hostname(config-tunnel-general)# tunnel-group test1 general-attributes

hostname(config-tunnel-general)# authentication-attr-from-server secondary

Step 5

Specify which authentication username, primary or secondary, to associate with the session. The default
value is primary. With double authentication enabled, it is possible that two distinct usernames are
authenticated for the session. The administrator must designate one of the authenticated usernames as
the session username. The session username is the username provided for accounting, session database,
syslogs, and debug output.

hostname(config-tunnel-general)# authenticated-session-username {primary | secondary}

For example, to specify that the authentication username associated with the session must come from the
secondary authentication server, enter the following commands:

hostname(config-tunnel-general)# tunnel-group test1 general-attributes

hostname(config-tunnel-general)# authenticated-session-username secondary

Configuring Remote-Access Connection Profile IPsec IKEv1 Attributes

To configure the IPsec IKEv1 attributes for a remote-access connection profile, do the following steps.
The following description assumes that you have already created the remote-access connection profile.
Remote-access connection profiles have more attributes than LAN-to-LAN connection profiles: