Cisco ASA 5505 User Manual

67-55

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 67 Configuring Connection Profiles, Group Policies, and Users

Group Policies

Note: You must configure mac-exempt to exempt the clients from authentication. Refer to the “Configuring Device Pass-Through” section on page 71-8 for more information.

Configuring LEAP Bypass

When LEAP Bypass is enabled, LEAP packets from wireless devices behind a VPN 3002 hardware
client travel across a VPN tunnel prior to user authentication. This action lets workstations using Cisco
wireless access point devices establish LEAP authentication and then authenticate again per user
authentication. LEAP Bypass is disabled by default.

To allow LEAP packets from Cisco wireless access points to bypass individual user authentication,
enter the leap-bypass command with the enable keyword in group-policy configuration mode. To
disable LEAP Bypass, enter the disable keyword. To remove the LEAP Bypass attribute from the
running configuration, enter the no form of this command. Removing the attribute allows the value for
LEAP Bypass to be inherited from another group policy:

hostname(config-group-policy)# leap-bypass {enable | disable}

hostname(config-group-policy)# no leap-bypass

Note: IEEE 802.1X is a standard for authentication on wired and wireless networks. It provides wireless LANs
with strong mutual authentication between clients and authentication servers, which can provide
dynamic per-user, per-session wireless encryption privacy (WEP) keys, removing administrative burdens
and security issues that are present with static WEP keys.

Cisco Systems has developed an 802.1X wireless authentication type called Cisco LEAP. LEAP
(Lightweight Extensible Authentication Protocol) implements mutual authentication between a wireless
client on one side of a connection and a RADIUS server on the other side. The credentials used for
authentication, including a password, are always encrypted before they are transmitted over the wireless
medium.

Cisco LEAP authenticates wireless clients to RADIUS servers. It does not include RADIUS accounting
services.

This feature does not work as intended if you enable interactive hardware client authentication.

Caution: There might be security risks to your network in allowing any unauthenticated traffic to traverse the
tunnel.

The following example shows how to set LEAP Bypass for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes

hostname(config-group-policy)# leap-bypass enable
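Because the caution above applies to every group policy whose effective LEAP Bypass setting is enabled, including policies that inherit it after a no leap-bypass, an auditor will want to resolve inheritance rather than grep for the literal command. The following script is an added example, not part of the Cisco guide: it parses group-policy attribute blocks from running-config text (a constructed sample is embedded) and assumes that an unset attribute inherits from the default group policy, here named DfltGrpPolicy.

```python
"""Audit ASA running-config text for group policies with LEAP Bypass effectively enabled."""
import re

# Constructed sample config (not from a real device). SecondGroup has no explicit
# leap-bypass line (as after "no leap-bypass"), so it inherits; ThirdGroup disables it.
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1
 leap-bypass enable
group-policy FirstGroup internal
group-policy FirstGroup attributes
 leap-bypass enable
group-policy SecondGroup attributes
 vpn-idle-timeout 30
group-policy ThirdGroup attributes
 leap-bypass disable
"""

def parse_group_policies(config):
    """Return {policy_name: {'leap_bypass': True | False | None}}; None means unset."""
    policies = {}
    current = None
    for line in config.splitlines():
        header = re.match(r"group-policy (\S+) attributes$", line)
        if header:
            current = header.group(1)
            policies.setdefault(current, {"leap_bypass": None})
            continue
        if not line.startswith(" "):
            current = None          # an unindented line ends the attributes block
            continue
        if current is None:
            continue
        attr = re.match(r"\s+leap-bypass (enable|disable)$", line)
        if attr:
            policies[current]["leap_bypass"] = (attr.group(1) == "enable")
    return policies

def effective_leap_bypass(policies, name, default="DfltGrpPolicy"):
    """Resolve inheritance: unset falls back to the default policy; unset there means disabled."""
    value = policies.get(name, {}).get("leap_bypass")
    if value is None and name != default:
        value = policies.get(default, {}).get("leap_bypass")
    return bool(value)              # LEAP Bypass is disabled by default

def audit(config):
    """Sorted names of group policies whose effective LEAP Bypass setting is enabled."""
    policies = parse_group_policies(config)
    return sorted(n for n in policies if effective_leap_bypass(policies, n))
```

Run it against the output of show running-config group-policy; any name it reports is a policy through which unauthenticated LEAP traffic can cross the tunnel.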

Enabling Network Extension Mode

Network extension mode lets hardware clients present a single, routable network to the remote private
network over the VPN tunnel. IPsec encapsulates all traffic from the private network behind the
hardware client to networks behind the ASA. PAT does not apply. Therefore, devices behind the ASA
