Filter
Top Products
35-60
Cisco ASDM User Guide
OL-16647-01
Chapter 35 General
Mapping Certificates to IPSec or SSL VPN Connection Profiles
Fields
• The radio buttons specify whether to check certificates for revocation. The values of these buttons
are as follows:
–
Do not check certificates for revocation
–
Check Certificates for revocation
• Revocation Methods area—Lets you specify the method–CRL or OCSP–to use for revocation
checking, a nd the order in which to use these methods. You can choose either or both methods.
Add/Edit Remote Access Connections > Advanced > General
Use this window to specify whether to strip the realm and group from the username before passing them
to the AAA server, and to specify password management parameters.
Fields
• Strip the realm from username before passing it on to the AAA server—Enables or disables stripping
the realm (administrative domain) from the username before passing the username on to the AAA
server. Check the Strip Realm check box to remove the realm qualifier of the username during
authentication. You can append the realm name to the username for AAA: authorization,
authentication and accounting. The only valid delimiter for a realm is the @ character. The format
is username@realm, for example, JaneDoe@it.cisco.com. If you check this Strip Realm check box,
authentication is based on the username alone. Otherwise, authentication is based on the full
username@realm string. You must check this box if your server is unable to parse delimiters.
Note You can append both the realm and the group to a username, in which case the security appliance
uses parameters configured for the group and for the realm for AAA functions. The format for
this option is username[@realm]]<#or!>group], for example,
JaneDoe@it.cisco.com#VPNGroup. If you choose this option, you must use either the # or !
character for the group delimiter because the security appliance cannot interpret the @ as a
group delimiter if it is also present as the realm delimiter.
A Kerberos realm is a special case. The convention in naming a Kerberos realm is to capitalize
the DNS domain name associated with the hosts in the Kerberos realm. For example, if users are
in the it.cisco.com domain, you might call your Kerberos realm IT.CISCO.COM.
• Strip the group from the username before passing it on to the AAA server—Enables or disables
stripping the group name from the username before passing the username on to the AAA server.
Check Strip Group to remove the group name from the username during authentication. This option
is meaningful only when you have also checked the Enable Group Lookup box. When you append
a group name to a username using a delimiter, and enable Group Lookup, the security appliance
interprets all characters to the left of the delimiter as the username, and those to the right as the group
name. Valid group delimiters are the @, #, and ! characters, with the @ character as the default for
Group Lookup. You append the group to the username in the format username<delimiter>group,
the possibilities being, for example, JaneDoe@VPNGroup, JaneDoe#VPNGroup, and
JaneDoe!VPNGroup.
• Password Management—Lets you configure parameters relevant to overriding an account-disabled
indication from a AAA server and to notifying users about password expiration.
–
Override account-disabled indication from AAA server—Overrides an account-disabled
indication from a AAA server.