Cisco Systems ASA 5510, ASA 5512-X, ASA 5515-X, ASA 5520, ASA 5525-X, ASA 5540, ASA 5545-X, ASA 5550, ASA 5555-X, ASA 5580, ASA 5585-X, ASA 5505 Configuring Internal Group Policy IPsec Client Attributes

69-107

Cisco ASA 5500 Series Configuration Guide using ASDM

Chapter69 General VPN Setup

Mapping Certificates to IPsec or SSL VPN Connection Profiles

–

Enable notification prior to expiration—When you check this option, the ASA notifies the

remote user at login that the current password is about to expire or has expired, then offers the

user the opportunity to change the password. If the current password has not yet expired, the

user can still log in using that password. This parameter is valid for AAA servers that support

such notification; that is, RADIUS, RADIUS with an NT server, and LDAP servers. The ASA

ignores this command if RADIUS or LDAP authentication has not been configured.

Note that this does not change the number of days before the password expires, but rather, it

enables the notification. If you check this check box, you must also specify the number of days.

–

Notify...days prior to expiration—Specifies the number of days before the current password

expires to notify the user of the pending expiration. The range is 1 through 180 days.

Modes

The following table shows the modes in which this feature is available:

Configuring Internal Group Policy IPsec Client Attributes

Use this dialog box to specify whether to strip the realm and group from the username before passing

them to the AAA server, and to specify password management options.

Fields

•Strip the realm from username before passing it on to the AAA server—Enables or disables stripping

the realm (administrative domain) from the username before passing the username on to the AAA

server. Check the Strip Realm check box to remove the realm qualifier of the username during

authentication. You can append the realm name to the username for AAA: authorization,

authentication and accounting. The only valid delimiter for a realm is the @ character. The format

is username@realm, for example, JaneDoe@it.cisco.com. If you check this Strip Realm check box,

authentication is based on the username alone. Otherwise, authentication is based on the full

username@realm string. You must check this box if your server is unable to parse delimiters.

Note You can append both the realm and the group to a username, in which case the ASA uses

parameters configured for the group and for the realm for AAA functions. The format for this

option is username[@realm]]<#or!>group], for example, JaneDoe@it.cisco.com#VPNGroup.

If you choose this option, you must use either the # or ! character for the group delimiter because

the ASA cannot interpret the @ as a group delimiter if it is also present as the realm delimiter.

A Kerberos realm is a special case. The convention in naming a Kerberos realm is to capitalize

the DNS domain name associated with the hosts in the Kerberos realm. For example, if users are

in the it.cisco.com domain, you might call your Kerberos realm IT.CISCO.COM.

The ASA does not include support for the user@grouppolicy, as the VPN 3000 Concentrator did.

Only the L2TP/IPsec client supports the tunnel switching via user@tunnelgroup.

Firewall Mode Security Context

Routed Transparent Single

Multiple

Context System

•—•——

Cisco Systems Configuring Internal Group Policy IPsec Client Attributes