Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 69 General VPN Setup
Configuring AnyConnect VPN Connections
Configuring Secondary Authentication Attributes for an SSL VPN Connection Profile
The Secondary Authentication dialog box lets you configure secondary or “double” authentication for
this connection profile. With double authentication enabled, the end user must present two sets of valid
authentication credentials in order to log on. You can use secondary authentication in conjunction with
pre-filling the username from a certificate. The fields in this dialog box are similar to those you configure
for primary authentication, but these fields relate only to secondary authentication.
When double authentication is enabled, these attributes select one or more fields in a certificate to use
as the username. Configuring the secondary username from certificate attribute forces the security
appliance to use the specified certificate field as the second username for the second username/password
authentication.
Note: If you also specify the secondary authentication server group, along with the secondary username from
certificate, only the primary username is used for authentication.
Fields
• Secondary Authorization Server Group—Specifies an authorization server group from which to
  extract secondary credentials.
  – Server Group—Select an authorization server group to use as the secondary server AAA group.
    The default is none. The secondary server group cannot be an SDI server group.
  – Manage—Opens the Configure AAA Server Groups dialog box.
  – Use LOCAL if Server Group fails—Specifies to fall back to the LOCAL database if the
    specified server group fails.
  – Use primary username—Specifies that the login dialog must request only one username.
  – Attributes Server—Select whether this is the primary or secondary attributes server.
    Note: If you also specify an authorization server for this connection profile, the authorization
    server settings take precedence—the ASA ignores this secondary authentication server.
  – Session Username Server—Select whether this is the primary or secondary session username
    server.
• Interface-Specific Authorization Server Groups—Manages the assignment of authorization server
  groups to specific interfaces.
  – Add or Edit—Opens the Assign Authentication Server Group to Interface dialog box, in which
    you can specify the interface and server group, and specify whether to allow fallback to the
    LOCAL database if the selected server group fails. The Manage button on this dialog box opens
    the Configure AAA Server Groups dialog box. Your selections appear in the Interface/Server
    Group table.
  – Delete—Removes the selected server group from the table. There is no confirmation or undo.
• Username Mapping from Certificate—Specify the fields in a digital certificate from which to extract
  the username.
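The following is an added example, not part of the Cisco guide: a small Python check that reads an ASA configuration (for instance a template reviewed before deployment) and reports the three secondary-authentication conflicts described in the notes and field descriptions above. It assumes the ASA CLI commands that correspond to these ASDM fields; the sample configuration and all profile and server group names are constructed.

```python
import re

# Constructed sample config; all group and profile names are hypothetical.
SAMPLE = """\
aaa-server RSA-SDI protocol sdi
aaa-server LDAP-2FA protocol ldap
aaa-server AUTHZ protocol ldap
tunnel-group EMPLOYEES general-attributes
 secondary-authentication-server-group RSA-SDI
tunnel-group PARTNERS general-attributes
 secondary-authentication-server-group LDAP-2FA LOCAL use-primary-username
 secondary-username-from-certificate CN
 authorization-server-group AUTHZ
 authentication-attr-from-server secondary
"""

def parse_profiles(config):
    """Map each tunnel-group name to its general-attributes commands (token lists)."""
    profiles, current = {}, None
    for line in config.splitlines():
        head = re.match(r"tunnel-group (\S+) general-attributes", line)
        if head:
            current = profiles.setdefault(head.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.split())
        else:
            current = None  # any other top-level line ends the block
    return profiles

def audit(config):
    """Return {profile: [finding codes]} for the conflicts the page describes."""
    protocol = dict(re.findall(r"^aaa-server (\S+) protocol (\S+)", config, re.M))
    report = {}
    for name, cmds in parse_profiles(config).items():
        by_cmd = {c[0]: c[1:] for c in cmds}
        sec = by_cmd.get("secondary-authentication-server-group")
        if sec is None:
            continue  # double authentication not configured for this profile
        found = []
        # Skip an optional interface token; take the first defined server group.
        group = next((t for t in sec if t in protocol), None)
        if group and protocol[group] == "sdi":
            found.append("secondary-group-is-sdi")
        if "secondary-username-from-certificate" in by_cmd:
            found.append("cert-username-not-used")
        if ("authorization-server-group" in by_cmd
                and by_cmd.get("authentication-attr-from-server") == ["secondary"]):
            found.append("attributes-server-overridden")
        report[name] = found
    return report
```

A profile with an empty findings list has secondary authentication configured without any of the three conflicts; profiles without a secondary server group are not reported.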