Cisco Systems ASA 5510, ASA 5512-X, ASA 5515-X, ASA 5520, ASA 5525-X, ASA 5540, ASA 5545-X, ASA 5550, ASA 5555-X, ASA 5580, ASA 5585-X, ASA 5505

69-40

Cisco ASA 5500 Series Configuration Guide using ASDM

Chapter69 General VPN Setup

ACL Manager

•Require Individual User Authentication—Enables or disables the requirement for individual user

authentication for users behind ASA 5505 in client mode or the VPN 3002 hardware client in the

group. To display a banner to hardware clients in a group, individual user authentication must be

enabled. This parameter is disabled by default.

Individual user authentication protects the central site from access by unauthorized persons on the

private network of the hardware client. When you enable individual user authentication, each user

that connects through a hardware client must open a web browser and manually enter a valid

username and password to access the network behind the ASA, even though the tunnel already

exists.

Note You cannot use the command-line interface to log in if user authentication is enabled. You must

use a browser.

If you have a default home page on the remote network behind the ASA, or if you direct the browser

to a website on the remote network behind the ASA, the hardware client directs the browser to the

proper pages for user login. When you successfully log in, the browser displays the page you

originally entered.

If you try to access resources on the network behind the ASA that are not web-based, for example,

e-mail, the connection fails until you authenticate using a browser.

To authenticate, you must enter the IP address for the private interface of the hardware client in the

browser Location or Address field. The browser then displays the login dialog box for the hardware

client. To authenticate, click Connect/Login Status.

One user can log in for a maximum of four sessions simultaneously. Individual users authenticate

according to the order of authentication servers configured for a group.

•User Authentication Idle Timeout—Configures a user timeout period. The security appliance

terminates the connection if it does not receive user traffic during this period. You can specify that

the timeout period is a specific number of minutes or unlimited.

–

Unlimited—Specifies that the connection never times out. This option prevents inheriting a

value from a default or specified group policy.

–

Minutes—Specifies the timeout period in minutes. Use an integer between 1 and 35791394. The

default value is Unlimited.

Note that the idle timeout indicated in response to the show uauth command is always the idle

timeout value of the user who authenticated the tunnel on the Cisco Easy VPN remote device.

•Cisco IP Phone Bypass—Lets Cisco IP Phones bypass the interactive individual user authentication

processes. If enabled, interactive hardware client authentication remains in effect. Cisco IP Phone

Bypass is disabled by default.

Note You must configure the ASA 5505 in client mode or the VPN 3002 hardware client to use

network extension mode for IP phone connections.

•LEAP Bypass—Lets LEAP packets from Cisco wireless devices bypass the individual user

authentication processes (if enabled). LEAP Bypass lets LEAP packets from devices behind a

hardware client travel across a VPN tunnel prior to individual user authentication. This lets

workstations using Cisco wireless access point devices establish LEAP authentication. Then they

authenticate again per individual user authentication (if enabled). LEAP Bypass is disabled by

default.

Cisco Systems - page 1542

Models: ASA 5510 ASA 5512-X ASA 5515-X ASA 5520 ASA 5525-X ASA 5540 ASA 5545-X ASA 5550 ASA 5555-X ASA 5580 ASA 5585-X ASA 5505