67-28
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter67 Configuring Connection Profiles, Group Policies, and Users
Configuring Connection Profiles
hostname(config-username-webvpn)# customization value salesgui
hostname(config-username-webvpn)# exit
hostname(config-username)# exit
hostname#
Step3 In global configuration mode, create a tunnel-group for clientless SSL VPN sessions named sales:
hostname# tunnel-group sales type webvpn
hostname(config-tunnel-webvpn)#
Step4 Specify that you want to use the salesgui customization for this connection profile:
hostname# tunnel-group sales webvpn-attributes
hostname(config-tunnel-webvpn)# customization salesgui
Step5 Set the group URL to the address that the user enters into the browser to log in to the ASA; for example,
if the ASA has the IP address 192.168.3.3, set the group URL to https://192.168.3.3:
hostname(config-tunnel-webvpn)# group-url https://192.168.3.3.
hostname(config-tunnel-webvpn)#
If a port number is required for a successful login, include the port number, preceded by a colon. The
ASA maps this URL to the sales connection profile and applies the salesgui customization profile to the
login screen that the user sees upon logging in to https://192.168.3.3.
Configuring Microsoft Active Directory Settings for Password Management
Note If you are using an LDAP directory server for authentication, password management is supported with
the Sun Microsystems JAVA System Directory Server (formerly named the Sun ONE Directory Server)
and the Microsoft Active Directory.
Sun—The DN configured on the ASA to access a Sun directory server must be able to access the
default password policy on that server. We recommend using the directory administrator, or a user
with directory administrator privileges, as the DN. Alternatively, you can place an ACI on the
default password policy.
Microsoft—You must configure LDAP over SSL to enable password management with Microsoft
Active Directory.
See the “Configuring Authorization with LDAP for VPN” section on page35-16 for more information.
To use password management with Microsoft Active Directory, you must set certain Active Directory
parameters as well as configuring password management on the ASA. This section describes the Active
Directory settings associated with various password management actions. These descriptions assume
that you have also enabled password management on the ASA and configured the corresponding
password management attributes. The specific steps in the following sections refer to Active Directory
terminology under Windows 2000.
Using Active Directory to Force the User to Change Password at Next Logon, page 67-29.
Using Active Directory to Specify Maximum Password Age, page67-30.
Using Active Directory to Override an Account Disabled AAA Indicator, page67-31
Using Active Directory to Enforce Password Complexity, page67-33.