Cisco Systems ASA5515K9, ASA 5500 Restricting Remote User Access, Enabling Password Storage for Software Client Users

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter67 Configuring Connection Profiles, Group Policies, and Users

Configuring User Attributes

The parameter values for this command are as follows:

•IPsec—Negotiates an IPsec tunnel between two peers (a remote access client or another secure

gateway). Creates security associations that govern authentication, encryption, encapsulation, and

key management.

•webvpn—Provides clientless SSL VPN access to remote users via an HTTPS-enabled web browser,

and does not require a client

Enter this command to configure one or more tunneling modes. You must configure at least one tunneling

mode for users to connect over a VPN tunnel.

The following example shows how to configure clientless SSL VPN and IPsec tunneling modes for the

user named anyuser:

hostname(config)# username anyuser attributes

hostname(config-username)# vpn-tunnel-protocol webvpn

hostname(config-username)# vpn-tunnel-protocol IPsec

hostname(config-username)

Restricting Remote User Access

Configure the group-lock attribute with the value keyword to restrict remote users to access only

through the specified, preexisting connection profile. Group-lock restricts users by checking whether the

group configured in the VPN client is the same as the connection profile to which the user is assigned.

If it is not, the ASA prevents the user from connecting. If you do not configure group-lock, the ASA

authenticates users without regard to the assigned group.

To remove the group-lock attribute from the running configuration, enter the no form of this command.

This option allows inheritance of a value from the group policy. To disable group-lock, and to prevent

inheriting a group-lock value from a default or specified group policy, enter the group-lock command

with the none keyword.

hostname(config-username)# group-lock {value tunnel-grp-name | none}

hostname(config-username)# no group-lock

hostname(config-username)

The following example shows how to set group lock for the user named anyuser:

hostname(config)# username anyuser attributes

hostname(config-username)# group-lock value tunnel-group-name

hostname(config-username)

Enabling Password Storage for Software Client Users

Specify whether to let users store their login passwords on the client system. Password storage is

disabled by default. Enable password storage only on systems that you know to be in secure sites. To

disable password storage, enter the password-storage command with the disable keyword. To remove

the password-storage attribute from the running configuration, enter the no form of this command. This

enables inheritance of a value for password-storage from the group policy.

hostname(config-username)# password-storage {enable | disable}

hostname(config-username)# no password-storage

hostname(config-username)

This command has no bearing on interactive hardware client authentication or individual user

authentication for hardware clients.

The following example shows how to enable password storage for the user named anyuser:

Contents