69-104
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 69 General VPN Setup
Mapping Certificates to IPsec or SSL VPN Connection Profiles
–
Enable notification upon password expiration to allow user to change password—Checking this
check box makes the following two parameters available. If you do not also check the Enable
notification prior to expiration check box, the user receives notification only after the password
has expired.
–
Enable notification prior to expiration—When you check this option, the ASA notifies the
remote user at login that the current password is about to expire or has expired, then offers the
user the opportunity to change the password. If the current password has not yet expired, the
user can still log in using that password. This parameter is valid for AAA servers that support
such notification; that is, RADIUS, RADIUS with an NT server, and LDAP servers. The ASA
ignores this command if RADIUS or LDAP authentication has not been configured.
Note that this does not change the number of days before the password expires, but rather, it
enables the notification. If you check this check box, you must also specify the number of days.
–
Notify...days prior to expiration—Specifies the number of days before the current password
expires to notify the user of the pending expiration. The range is 1 through 180 days.
Modes
The following table shows the modes in which this feature is available:
Add/Edit Tunnel Group > IPsec for LAN to LAN Access > IPsec
The Add or Edit Tunnel Group dialog box for IPsec for Site-to-Site access, IPsec dialog box, lets you
configure or edit IPsec Site-to-Site-specific tunnel group parameters.
Fields
• Name—Specifies the name assigned to this tunnel group. For the Edit function, this field is
display-only.
• Type—(Display-only) Displays the type of tunnel group you are adding or editing. The contents of
this field depend on your selection on the previous dialog box.
• Pre-shared Key—Lets you specify the value of the pre-shared key for the tunnel group. The
maximum length of the pre-shared key is 128 characters.
• Trustpoint Name—Selects a trustpoint name, if any trustpoints are configured. A trustpoint is a
representation of a certificate authority. A trustpoint contains the identity of the CA, CA-specific
configuration parameters, and an association with one enrolled identity certificate.
• Authentication Mode—Specifies the authentication mode: none, xauth, or hybrid.
–
none—Specifies no authentication mode.
–
xauth—Specifies the use of IKE Extended Authentication mode, which provides the capability
of authenticating a user within IKE using TACACS+ or RADIUS.
Firewall Mode Security Context
Routed Transparent Single
Multiple
Context System
• — • ——