Cisco Systems OL-5532-02 manual Adding AAA Server Devices to Your Repository

Chapter 4 Remote Access VPN Services

Note: Before creating an ISC security policy or service request, it is necessary to populate the ISC repository with the target devices in your network, collect the initial device configuration files, designate customers and customer sites, and define each device as a CPE.

CPE devices are the devices at each end of the VPN tunnel. Creating CPE devices includes assigning each target device to a specific customer and customer site and marking the device interfaces. Specifically for security management, you must define at least one public and one private interface on each device.

For how-to information on populating your ISC repository and setting up CPE devices, refer to the Cisco IP Solution Center Integrated VPN Management Suite Infrastructure Guide, 3.2.

In the Remote Access VPN policy, the network administrator performs the following tasks:

Configures the encryption policy (which contains IKE and IPsec proposal parameters) that defines the network layer encryption and authentication control.

Specifies the IKE XAuth parameters for user authentication.

Sets the Mode Configuration parameters for policy push and features such as dynamically assigned client IP addresses.

Defines the remote access user group. (Because each remote access policy defines a user group, you can use multiple remote access policies in the same service request. This enables you to configure multiple user groups on the same CPE device.)

Defines remote access parameters.

The group policy information is stored in a profile that can be used locally in the VPN device configuration. When the user or group information is stored on AAA servers, you must also configure access to the AAA servers and allow the VPN device to send requests to the AAA servers.

Once created, the remote access policies can also be applied to multiple service requests.
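The policy elements listed above correspond one-for-one to statements in a Cisco IOS Easy VPN server configuration. The following is an added illustration, not configuration generated by ISC and not taken from this guide: the list names (RA-XAUTH, RA-GROUP, SALES, SALES-POOL, RA-TS, RA-DYN, RA-MAP), the addresses, the secrets and the interface name are placeholders chosen for the example, and it assumes the external AAA server speaks RADIUS, which the guide does not specify.

```cisco
! Added illustration, not ISC output: a Cisco IOS Easy VPN server configuration
! showing where each element of an ISC remote access VPN policy lands.
! All names, addresses and secrets below are placeholders for this example.

aaa new-model
! XAuth user authentication: query the external AAA (RADIUS) server first;
! "local" is consulted only if the server does not answer, not if it rejects.
aaa authentication login RA-XAUTH group radius local
! Group attributes (pool, DNS, domain, split-tunnel ACL) come from the local group profile.
aaa authorization network RA-GROUP local

! The AAA server entry: address, RADIUS ports, timeout and shared secret.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE-RADIUS-SECRET
radius-server timeout 5

! Encryption policy, IKE proposal part.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
! Dead peer detection and NAT-T keepalive.
crypto isakmp keepalive 20 periodic
crypto isakmp nat keepalive 20

! Remote access user group: the group password plus the Mode Configuration
! attributes pushed to clients (DNS, default domain, address pool, split-tunnel list).
crypto isakmp client configuration group SALES
 key EXAMPLE-GROUP-PASSWORD
 dns 192.0.2.53
 domain example.com
 pool SALES-POOL
 acl 101

! Encryption policy, IPsec proposal part.
crypto ipsec transform-set RA-TS esp-aes 256 esp-sha-hmac

! Dynamic crypto map for clients whose addresses are not known in advance;
! reverse-route injects a host route for each connected client.
crypto dynamic-map RA-DYN 10
 set transform-set RA-TS
 reverse-route

! Bind XAuth, group authorization and Mode Configuration push to the crypto map.
crypto map RA-MAP client authentication list RA-XAUTH
crypto map RA-MAP isakmp authorization list RA-GROUP
crypto map RA-MAP client configuration address respond
crypto map RA-MAP 10 ipsec-isakmp dynamic RA-DYN

! Addresses assigned to clients through Mode Configuration.
ip local pool SALES-POOL 10.10.10.1 10.10.10.254

! Split tunneling: only traffic to these internal networks uses the tunnel.
access-list 101 permit ip 10.0.0.0 0.255.255.255 10.10.10.0 0.0.0.255

! The crypto map is applied on the interface ISC marks as public.
interface GigabitEthernet0/0
 crypto map RA-MAP
```

Two points worth checking after ISC deploys the equivalent configuration. First, an IOS method list such as `group radius local` moves to the next method only when the preceding one returns an error (for example, the RADIUS server times out); a rejection from the server ends the attempt, so the local entry is a reachability fallback, not a second chance for users the server denies. Second, the `key` under the client configuration group is the group password from the policy and is shared by every member of the group; per-user credentials are carried by XAuth, so the AAA server behind the XAuth list, not the group key, is what distinguishes individual users.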

To define a remote access VPN service, use the following sections:

Adding AAA Server Devices to Your Repository, page 4-2

Creating Encryption Policies, page 4-5

Creating Remote Access VPN Policies, page 4-5

Creating Remote Access VPN Service Requests, page 4-25

Adding AAA Server Devices to Your Repository

A AAA server (pronounced "Triple A" server) is required when the user authentication method is external or the group policy information is stored on an external AAA server. If user profiles or group attributes are to be obtained from a AAA server (as opposed to being stored on the CPE device itself), a AAA server entry must be created and added to your ISC repository.

To create a AAA server entry in ISC, perform the following steps:

Step 1 Click Home > Service Inventory > Inventory and Connection Manager > AAA Servers. The AAA Servers page appears as shown in Figure 4-2.

Cisco IP Solution Center Integrated VPN Management Suite Security User Guide, 3.2, page 4-2
