Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 67: Configuring Connection Profiles, Group Policies, and Users (page 67-36)
The following example enters aaa-server-host configuration mode for the RADIUS server 10.10.10.1 in the server group radius_sales and changes the text the ASA expects in the RADIUS reply message new-pin-sup:
hostname(config)# aaa-server radius_sales host 10.10.10.1
hostname(config-aaa-server-host)# proxy-auth_map sdi new-pin-sup "This is your new PIN"
Group Policies
This section describes group policies and how to configure them. It includes the following sections:
Default Group Policy, page 67-37
Configuring Group Policies, page 67-39
A group policy is a set of user-oriented attribute/value pairs for IPsec connections, stored either internally (locally) on the ASA or externally on a RADIUS server. A connection profile references a group policy, and that policy sets the terms of the user's session after the tunnel is established. Group policies let you apply a whole set of attributes to a user or a group of users at once, rather than specifying each attribute individually for each user.
Enter the group-policy commands in global configuration mode to create a group policy, to modify one, or to assign one to specific users.
The ASA includes a default group policy, which you can modify but not delete. In addition to the default group policy, you can create one or more group policies specific to your environment.
You can configure internal and external group policies. Internal group policies are configured in the ASA's internal database. External group policies are configured on an external authentication server, such as a RADIUS server, and the ASA retrieves their attributes from that server.
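The configuration below is an added example, not taken from the original guide or from Cisco documentation; it shows one internal and one external group policy, the internal one used as the default for a connection profile and the external one assigned to a single local user. The names SalesGroupPolicy, ExtSalesPolicy, SalesTunnel and jdoe, the addresses, the server key and the user password are assumptions for illustration, and the radius_sales server group is assumed to exist already (it is the group named in the example above). The lines beginning with "!" are annotations, not commands. The vpn-tunnel-protocol keyword ikev1 assumes ASA software of the 8.4 generation; on earlier releases the keyword is IPSec. Attributes that a named policy does not set are inherited from the default group policy, so review the default policy's settings as well when tightening a group.

```text
! Internal group policy stored in the ASA local database
hostname(config)# group-policy SalesGroupPolicy internal
hostname(config)# group-policy SalesGroupPolicy attributes
! Allow only the tunneling protocol this group actually needs
hostname(config-group-policy)# vpn-tunnel-protocol ikev1
! One session per user and a 30-minute idle timeout limit the
! exposure of a shared or stolen credential
hostname(config-group-policy)# vpn-simultaneous-logins 1
hostname(config-group-policy)# vpn-idle-timeout 30
hostname(config-group-policy)# dns-server value 10.10.10.53
hostname(config-group-policy)# exit
! External group policy: attributes come from the RADIUS server group
! radius_sales; the password is the key the ASA presents to that server
hostname(config)# group-policy ExtSalesPolicy external server-group radius_sales password s3cretKey
! Make the internal policy the default for a connection profile
hostname(config)# tunnel-group SalesTunnel type remote-access
hostname(config)# tunnel-group SalesTunnel general-attributes
hostname(config-tunnel-general)# default-group-policy SalesGroupPolicy
hostname(config-tunnel-general)# exit
! Override the profile's policy for one local user
hostname(config)# username jdoe password Ex4mplePassw0rd
hostname(config)# username jdoe attributes
hostname(config-username)# vpn-group-policy ExtSalesPolicy
hostname(config-username)# exit
```

Verify the result with show running-config group-policy and show running-config tunnel-group; a user connecting through SalesTunnel receives SalesGroupPolicy unless a username attribute or the authentication server assigns a different policy.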
Group policies include the following attributes:
Identity
Server definitions
Client firewall settings
Tunneling protocols
IPsec settings
RADIUS reply message codes (continued):
Message Code            Default RADIUS Reply Message Text      Function
new-pin-meth            Do you want to enter your own pin      Requests from the user which new PIN method to use to create a new PIN.
new-pin-req             Enter your new Alpha-Numerical PIN     Indicates a user-generated PIN and requests that the user enter the PIN.
new-pin-reenter         Reenter PIN:                           Used internally by the ASA for user-supplied PIN confirmation. The client confirms the PIN without prompting the user.
new-pin-sys-ok          New PIN Accepted                       Indicates the user-supplied PIN was accepted.
next-ccode-and-reauth   new PIN with the next card code        Follows a PIN operation and indicates the user must wait for the next tokencode and enter both the new PIN and the next tokencode to authenticate.
ready-for-sys-pin       ACCEPT A SYSTEM GENERATED PIN          Used internally by the ASA to indicate the user is ready for the system-generated PIN.