Cisco ASA 5505 User Manual

67-22

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 67 Configuring Connection Profiles, Group Policies, and Users

Configuring Connection Profiles

hostname(config-tunnel-general)# accounting-server-group comptroller

hostname(config-tunnel-general)#

Step 7

Optionally, specify the name of the default group policy. The default value is DfltGrpPolicy:

hostname(config-tunnel-general)# default-group-policy policyname

hostname(config-tunnel-general)#

The following example sets MyDfltGrpPolicy as the name of the default group policy:

hostname(config-tunnel-general)# default-group-policy MyDfltGrpPolicy

hostname(config-tunnel-general)#

Step 8

Optionally, specify the name or IP address of the DHCP server (up to 10 servers), and the names of the
DHCP address pools (up to 6 pools). Separate the list items with spaces. The defaults are no DHCP
server and no address pool.

hostname(config-tunnel-general)# dhcp-server server1 [...server10]

hostname(config-tunnel-general)# address-pool [(interface name)] address_pool1

[...address_pool6]

hostname(config-tunnel-general)#

Note

The interface name must be enclosed in parentheses.

You configure address pools with the ip local pool command in global configuration mode. See

Chapter 68, “Configuring IP Addresses for VPNs”

for information about configuring address pools.

Step 9

Optionally, if your server is a RADIUS, RADIUS with NT, or LDAP server, you can enable password
management.

Note

If you are using an LDAP directory server for authentication, password management is supported with
the Sun Microsystems JAVA System Directory Server (formerly named the Sun ONE Directory Server)
and the Microsoft Active Directory.

•

Sun—The DN configured on the ASA to access a Sun directory server must be able to access the
default password policy on that server. We recommend using the directory administrator, or a user
with directory administrator privileges, as the DN. Alternatively, you can place an ACI on the
default password policy.

•

Microsoft—You must configure LDAP over SSL to enable password management with Microsoft
Active Directory.

See the

“Configuring Authorization with LDAP for VPN” section on page 35-16

for more information.

This feature, which is enabled by default, warns a user when the current password is about to expire. The
default is to begin warning the user 14 days before expiration:

hostname(config-tunnel-general)# password-management

hostname(config-tunnel-general)#

If the server is an LDAP server, you can specify the number of days (0 through 180) before expiration
to begin warning the user about the pending expiration:

hostname(config-tunnel-general)# password-management [password-expire in days n]

hostname(config-tunnel-general)#