30-59
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 30 Managing Remote Access VPNs on ASA and PIX 7.0+ Devices
Working with SSL and IKEv2 IPSec VPN Policies
Kerberos authentication requires that the clocks on the participating hosts be synchronized, with a
maximum drift of 5 minutes (this is the default setting). This restriction applies to the clocks on
the ASA, the domain controller, and the application servers. Configuring the same NTP server
for all of them should satisfy the requirement.
Related Topics
Configuring Other SSL VPN Settings (ASA), page 30-41
Understanding AAA Server and Server Group Objects, page 6-24
Step 1 Do one of the following:
(Device view) With an ASA device selected, select Remote Access VPN > SSL VPN > Other
Settings from the Policy selector.
(Policy view) Select Remote Access VPN > SSL VPN > Other Settings (ASA) from the Policy
Type selector. Select an existing policy or create a new one.
Step 2 On the Other Settings page, click the Microsoft KCD Server tab.
Step 3 Select Configure KCD and configure the following options:
KCD Server—The AAA server group object that identifies the Microsoft KCD server (the domain
controller) to use for Kerberos Constrained Delegation. Enter the name of the object or click Select
to select it from a list or to create a new object. The object must use a Kerberos AAA server policy
object to identify the domain controller.
Username, Password, Confirm—A user account that the ASA can use to join the Active Directory
domain.
For the ASA to use Kerberos protocol transition and constrained delegation, and obtain service
tickets on behalf of the remote access users, the account used by the ASA to authenticate with the
domain controller must be configured in Active Directory and configured to allow Kerberos
constrained delegation to any authentication protocol. In addition, the user account must not be
marked as a sensitive account that cannot be delegated. For more information about Active Directory
configuration requirements, see Understanding Kerberos Constrained Delegation (KCD) for SSL
VPN (ASA), page 30-56.
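The following PowerShell script is an added example, not part of the Cisco Security Manager guide or any Cisco tool. It checks, from a domain-joined Windows host with the ActiveDirectory RSAT module installed, the two Active Directory conditions described above for the account the ASA uses (delegation allowed to any authentication protocol, and not marked as a sensitive account) and the 5-minute clock-drift requirement from the Kerberos note earlier on this page. The account name 'asa-kcd-svc' and the domain controller 'dc01.example.local' are placeholders, and the offset parsing assumes the default output layout of w32tm /stripchart.

```powershell
# Added example (not from the Cisco Security Manager guide): verify the Active
# Directory prerequisites for the ASA's KCD join account and the clock-drift limit.
# Assumptions: ActiveDirectory RSAT module is installed; 'asa-kcd-svc' and
# 'dc01.example.local' are placeholders for your account and domain controller.

Import-Module ActiveDirectory

function Test-KcdAccount {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName
    )
    # Attributes that encode the guide's requirements:
    #  - TrustedToAuthForDelegation : "Use any authentication protocol" (protocol transition)
    #  - msDS-AllowedToDelegateTo   : services the account may obtain tickets for
    #  - AccountNotDelegated        : "Account is sensitive and cannot be delegated"
    $u = Get-ADUser -Identity $SamAccountName -Properties TrustedToAuthForDelegation,
        AccountNotDelegated, 'msDS-AllowedToDelegateTo'

    $findings = @()
    if (-not $u.TrustedToAuthForDelegation) {
        $findings += 'Protocol transition is off: enable "Use any authentication protocol".'
    }
    if (-not $u.'msDS-AllowedToDelegateTo') {
        $findings += 'No target services are listed under msDS-AllowedToDelegateTo.'
    }
    if ($u.AccountNotDelegated) {
        $findings += 'Account is marked sensitive (cannot be delegated); clear that flag.'
    }
    [pscustomobject]@{
        Account  = $SamAccountName
        Ready    = ($findings.Count -eq 0)
        Findings = $findings
    }
}

function Test-KcdClockDrift {
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [int] $MaxSkewSeconds = 300   # 5 minutes, the default the guide cites
    )
    # w32tm /stripchart /dataonly prints one "time, +/-offset s" line per sample;
    # take the last sample and compare its absolute offset against the limit.
    $lines = w32tm /stripchart /computer:$DomainController /samples:3 /dataonly
    $last  = $lines | Where-Object { $_ -match ',\s*[+-]\d+\.\d+s' } | Select-Object -Last 1
    if (-not $last) { throw "Could not read an offset from w32tm output for $DomainController" }
    $offset = [double]($last -replace '^.*,\s*([+-]\d+\.\d+)s.*$', '$1')
    [pscustomobject]@{
        DomainController = $DomainController
        OffsetSeconds    = $offset
        WithinSkew       = ([math]::Abs($offset) -le $MaxSkewSeconds)
    }
}

# Usage (placeholder names):
Test-KcdAccount    -SamAccountName 'asa-kcd-svc'
Test-KcdClockDrift -DomainController 'dc01.example.local'
```

Run both checks before enabling Configure KCD in Security Manager: if Test-KcdAccount reports findings, the ASA will authenticate to the domain controller but will not be able to obtain service tickets on behalf of remote users, and if Test-KcdClockDrift reports an offset outside the skew limit, Kerberos exchanges will fail until the ASA, domain controller, and application servers share the same NTP source.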
Configuring AnyConnect Custom Attributes (ASA)
AnyConnect custom attributes allow for a more expeditious delivery and deployment of new endpoint
features by giving the ASA the ability to generically support the addition of new client controls without
the need for an ASA software upgrade.
In the AnyConnect Custom Attribute tab of the SSL VPN Other Settings page, you can view configured
AnyConnect custom attributes, add new attributes, and modify or delete existing attributes.
Related Topics
Understanding and Managing SSL VPN Support Files, page 29-5
Configuring Other SSL VPN Settings (ASA), page 30-41
Step 1 Do one of the following:
(Device view) With an ASA device selected, select Remote Access VPN > SSL VPN > Other
Settings from the Policy selector.