67-3
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter67 Configuring Connection Profiles, Group Policies, and Users
Connection Profiles
General Connection Profile Connection Parameters
General parameters are common to all VPN connections. The general parameters include the following:
Connection profile name—You specify a connection-profile name when you add or edit a
connection profile. The following considerations apply:
For clients that use preshared keys to authenticate, the connection profile name is the same as
the group name that a client passes to the ASA.
Clients that use certificates to authenticate pass this name as part of the certificate, and the ASA
extracts the name from the certificate.
Connection type—Connection types include IKEv1 remote-access, IPsec Lan-to-LAN, and
Anyconnect (SSL/IKEv2). A connection profile can have only one connection type.
Authentication, Authorization, and Accounting servers—These parameters identify the server
groups or lists that the ASA uses for the following purposes:
Authenticating users
Obtaining information about services users are authorized to access
Storing accounting records
A server group can consist of one or more servers.
Default group policy for the connection—A group policy is a set of user-oriented attributes. The
default group policy is the group policy whose attributes the ASA uses as defaults when
authenticating or authorizing a tunnel user.
Client address assignment method—This method includes values for one or more DHCP servers or
address pools that the ASA assigns to clients.
Override account disabled—This parameter lets you override the “account-disabled” indicator
received from a AAA server.
Password management—This parameter lets you warn a user that the current password is due to
expire in a specified number of days (the default is 14 days), then offer the user the opportunity to
change the password.
Strip group and strip realm—These parameters direct the way the ASA processes the usernames it
receives. They apply only to usernames received in the form user@realm. A realm is an
administrative domain appended to a username with the @ delimiter (user@abc).
When you specify the strip-group command, the ASA selects the connection profile for user
connections by obtaining the group name from the username presented by the VPN client. The ASA
then sends only the user part of the username for authorization/authentication. Otherwise (if
disabled), the ASA sends the entire username, including the realm.
Strip-realm processing removes the realm from the username when sending the username to the
authentication or authorization server. If the command is enabled, the ASA sends only the user part
of the username authorization/authentication. Otherwise, the ASA sends the entire username.
Authorization required—This parameter lets you require authorization before a user can connect, or
turn off that requirement.
Authorization DN attributes—This parameter specifies which Distinguished Name attributes to use
when performing authorization.