67-22
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter67 Configuring Connection Profiles, Group Policies, and Users
Configuring Connection Profiles
hostname(config-tunnel-general)# accounting-server-group comptroller
hostname(config-tunnel-general)#
Step7 Optionally, specify the name of the default group policy. The default value is DfltGrpPolicy:
hostname(config-tunnel-general)# default-group-policy policyname
hostname(config-tunnel-general)#
The following example sets MyDfltGrpPolicy as the name of the default group policy:
hostname(config-tunnel-general)# default-group-policy MyDfltGrpPolicy
hostname(config-tunnel-general)#
Step8 Optionally, specify the name or IP address of the DHCP server (up to 10 servers), and the names of the
DHCP address pools (up to 6 pools). Separate the list items with spaces. The defaults are no DHCP
server and no address pool.
hostname(config-tunnel-general)# dhcp-server server1 [...server10]
hostname(config-tunnel-general)# address-pool [(interface name)] address_pool1
[...address_pool6]
hostname(config-tunnel-general)#
Note The interface name must be enclosed in parentheses.
You configure address pools with the ip local pool command in global configuration mode. See
Chapter 68, “Configuring IP Addresses for VPNs” for information about configuring address pools.
Step9 Optionally, if your server is a RADIUS, RADIUS with NT, or LDAP server, you can enable password
management.
Note If you are using an LDAP directory server for authentication, password management is supported with
the Sun Microsystems JAVA System Directory Server (formerly named the Sun ONE Directory Server)
and the Microsoft Active Directory.
Sun—The DN configured on the ASA to access a Sun directory server must be able to access the
default password policy on that server. We recommend using the directory administrator, or a user
with directory administrator privileges, as the DN. Alternatively, you can place an ACI on the
default password policy.
Microsoft—You must configure LDAP over SSL to enable password management with Microsoft
Active Directory.
See the “Configuring Authorization with LDAP for VPN” section on page35-16 for more information.
This feature, which is enabled by default, warns a user when the current password is about to expire. The
default is to begin warning the user 14 days before expiration:
hostname(config-tunnel-general)# password-management
hostname(config-tunnel-general)#
If the server is an LDAP server, you can specify the number of days (0 through 180) before expiration
to begin warning the user about the pending expiration:
hostname(config-tunnel-general)# password-management [password-expire in days n]
hostname(config-tunnel-general)#