Cisco Systems OL-16647-01 Network Router User Manual


35-37
Cisco ASDM User Guide
OL-16647-01
Chapter 35 General
Configuring SSL VPN Connections
Lookup. You append the group to the username in the format username<delimiter>group, the
possibilities being, for example, JaneDoe@VPNGroup, JaneDoe#VPNGroup, and
JaneDoe!VPNGroup.
Password Management—Lets you configure parameters relevant to overriding an account-disabled
indication from a AAA server and to notifying users about password expiration.
The security appliance supports password management for the RADIUS and LDAP protocols. It
supports the “password-expire-in-days” option only for LDAP. This parameter is valid for AAA
servers that support such notification. The security appliance ignores this command if RADIUS or
LDAP authentication has not been configured.
You can configure password management for IPSec remote access and SSL VPN tunnel-groups.
Note: Some RADIUS servers that support MS-CHAP currently do not support MS-CHAPv2. This
feature requires MS-CHAPv2, so please check with your vendor.
The security appliance, releases 7.1 and later, generally supports password management for the
following connection types when authenticating with LDAP or with any RADIUS configuration that
supports MS-CHAPv2:
AnyConnect VPN Client
IPSec VPN Client
Clientless SSL VPN
Password management is not supported for any of these connection types for Kerberos/Active
Directory (Windows password) or NT 4.0 Domain. The RADIUS server (for example, Cisco ACS)
could proxy the authentication request to another authentication server. However, from the security
appliance perspective, it is talking only to a RADIUS server.
Note: For LDAP, the method to change a password is proprietary for the different LDAP servers
on the market. Currently, the security appliance implements the proprietary password
management logic only for Microsoft Active Directory and Sun LDAP servers.
Native LDAP requires an SSL connection. You must enable LDAP over SSL before attempting to
do password management for LDAP. By default, LDAP uses port 636.
Override account-disabled indication from AAA server—Overrides an account-disabled
indication from a AAA server.
Note: Allowing override account-disabled is a potential security risk.
Enable notification upon password expiration to allow user to change password—Checking this
attribute makes the following two parameters available. You can select either to notify the user
at login a specific number of days before the password expires or to notify the user only on the
day that the password expires. The default is to notify the user 14 days prior to password
expiration and every day thereafter until the user changes the password. The range is 1 through
180 days.
In either case, if the password expires without being changed, the security appliance offers
the user the opportunity to change the password. If the current password has not expired, the
user can still log in using that password.
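The following audit script is an added example, not part of the Cisco guide. It scans a running-config for the three conditions the text calls out: the account-disabled override, LDAP password management without LDAP over SSL, and password-expire-in-days on a non-LDAP server group. The CLI keywords are the command-line equivalents of these ASDM settings and do not appear on this page; the configuration, group names and addresses are constructed.

```python
# Constructed ASA running-config excerpt (names and addresses are made up).
SAMPLE_CONFIG = """\
aaa-server CORP_LDAP protocol ldap
aaa-server CORP_LDAP (inside) host 192.0.2.10
 ldap-over-ssl enable
aaa-server LAB_LDAP protocol ldap
aaa-server LAB_LDAP (inside) host 192.0.2.20
aaa-server CORP_RADIUS protocol radius
tunnel-group SSLVPN general-attributes
 authentication-server-group CORP_LDAP
 password-management password-expire-in-days 14
tunnel-group Contractors general-attributes
 authentication-server-group LAB_LDAP
 password-management
 override-account-disable
tunnel-group Legacy general-attributes
 authentication-server-group CORP_RADIUS
 password-management password-expire-in-days 30
"""

def audit(config):
    # current: the host or tunnel-group block that indented lines apply to
    protocol, hosts, groups, findings, current = {}, {}, {}, [], None
    for line in filter(str.strip, config.splitlines()):  # skip blank lines
        words = line.split()
        if not line.startswith(" "):
            current = None
            if words[0] == "aaa-server" and words[2:3] == ["protocol"]:
                protocol[words[1]] = words[-1]
            elif words[0] == "aaa-server" and "host" in words:
                hosts.setdefault(words[1], []).append(current := {"ssl": False})
            elif words[0] == "tunnel-group" and words[2:] == ["general-attributes"]:
                current = groups.setdefault(words[1], {})
        elif current is not None:
            if words == ["ldap-over-ssl", "enable"]:
                current["ssl"] = True
            elif words[0] == "authentication-server-group":
                current["server"] = next(w for w in words[1:] if w[0] != "(")
            elif words[0] == "password-management":
                current.update(pwmgmt=True, days="password-expire-in-days" in words)
            elif words[0] == "override-account-disable":
                current["override"] = True
    for name, g in groups.items():
        srv = g.get("server")
        if g.get("override"):
            findings.append((name, "override-account-disable set"))
        if g.get("pwmgmt") and protocol.get(srv) == "ldap" and not all(h["ssl"] for h in hosts.get(srv, [])):
            findings.append((name, "LDAP password management without ldap-over-ssl"))
        if g.get("days") and protocol.get(srv) != "ldap":
            findings.append((name, "password-expire-in-days is LDAP-only"))
    return findings
```

Calling `audit(SAMPLE_CONFIG)` flags the Contractors group twice and the Legacy group once; the SSLVPN group, which uses LDAP over SSL without the override, produces no finding.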