Cisco ASDM User Guide
OL-16647-01
Chapter 35 General
ACL Manager
If you have a default home page on the remote network behind the security appliance, or if you direct the browser to a website on the remote network behind the security appliance, the hardware client directs the browser to the proper pages for user login. When you successfully log in, the browser displays the page you originally entered.

If you try to access resources on the network behind the security appliance that are not web-based, for example, e-mail, the connection fails until you authenticate using a browser.

To authenticate, you must enter the IP address for the private interface of the hardware client in the browser Location or Address field. The browser then displays the login screen for the hardware client. To authenticate, click the Connect/Login Status button.

One user can log in for a maximum of four sessions simultaneously. Individual users authenticate according to the order of authentication servers configured for a group.

User Authentication Idle Timeout—Configures a user timeout period. The security appliance terminates the connection if it does not receive user traffic during this period. You can specify the timeout period as a specific number of minutes or as unlimited.

Unlimited—Specifies that the connection never times out. This option prevents inheriting a value from a default or specified group policy.

Minutes—Specifies the timeout period in minutes. Use an integer between 1 and 35791394. The default value is Unlimited.

Note that the idle timeout indicated in response to the show uauth command is always the idle timeout value of the user who authenticated the tunnel on the Cisco Easy VPN remote device.

Cisco IP Phone Bypass—Lets Cisco IP phones bypass the interactive individual user authentication processes. If enabled, interactive hardware client authentication remains in effect. Cisco IP Phone Bypass is disabled by default.

Note You must configure the ASA 5505 in client mode or the VPN 3002 hardware client to use network extension mode for IP phone connections.

LEAP Bypass—Lets LEAP packets from Cisco wireless devices bypass the individual user authentication processes (if enabled). LEAP Bypass lets LEAP packets from devices behind a hardware client travel across a VPN tunnel prior to individual user authentication. This lets workstations using Cisco wireless access point devices establish LEAP authentication. Then they authenticate again per individual user authentication (if enabled). LEAP Bypass is disabled by default.

Note This feature does not work as intended if you enable interactive hardware client authentication.
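The settings above are presented as ASDM dialog fields. The following is an added example, not taken from this guide, showing the equivalent ASA CLI group-policy attributes as the editor recalls them (user-authentication, user-authentication-idle-timeout, ip-phone-bypass, leap-bypass); treat the exact keywords as an assumption to be checked against your ASA release, and the group-policy name HW-CLIENT-GP is a placeholder.

```cisco
! Added example (not from the ASDM guide): CLI form of the hardware-client
! user-authentication settings. HW-CLIENT-GP is a placeholder policy name.
group-policy HW-CLIENT-GP attributes
 ! Require individual users behind the hardware client to log in.
 user-authentication enable
 ! Idle timeout in minutes (integer 1-35791394). Choose a finite value:
 ! an idle session that never expires keeps the tunnel usable by whoever
 ! sits down at the workstation next.
 user-authentication-idle-timeout 30
 ! Equivalent of the "Unlimited" radio button; also stops this value from
 ! being inherited from the default group policy:
 ! user-authentication-idle-timeout none
 ! Both bypasses are disabled by default; enable only where needed, since
 ! bypassed traffic crosses the tunnel before any user has authenticated.
 ip-phone-bypass disable
 leap-bypass disable
```

After applying the policy, show running-config group-policy HW-CLIENT-GP confirms the attributes, and show uauth (mentioned above) reports the idle timeout of the user who authenticated the tunnel rather than of later users sharing it.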
IEEE 802.1X is a standard for authentication on wired and wireless networks. It provides wireless LANs with strong mutual authentication between clients and authentication servers, which can provide dynamic per-user, per-session Wired Equivalent Privacy (WEP) keys, removing administrative burdens and security issues that are present with static WEP keys.

Cisco Systems has developed an 802.1X wireless authentication type called Cisco LEAP. LEAP implements mutual authentication between a wireless client on one side of a connection and a RADIUS server on the other side. The credentials used for authentication, including a password, are always encrypted before they are transmitted over the wireless medium.