Cisco Systems VPN 3000 Mode Configuration, Mode Configuration Parameters, Banner

Configuration | User Management | Base Group

12-9

VPN 3000 Concentrator Series User Guide

Authentication

Click the drop-down menu button and select the user authentication method (authentication server type)

to use with remote-access IPSec clients. This selection identifies the authentication method, not the

specific server. Configure authentication servers on the Configuration | System | Servers | Authentication

screens.

Selecting any authentication method (other than None) enables ISAKMP Extended Authentication, also

known as XAuth.

None = No IPSec user authentication method. If you checked L2TP over IPSec under Tunneling

Protocols, use this selection.

RADIUS = Authenticate users via external Remote Authentication Dial-In User Service.

NT Domain = Authenticate users via external Windows NT D omain system.

SDI = Authenticate users via external RSA Security Inc. SecureID system.

Internal = Authenticate users via the internal VPN Concentrator authentication server. This is the

default selection.

Mode Configuration

Check the box to use Mode Configuration with IPSec clients (also known as the ISAKMP Configuration

Method or Configuration Transaction). This option exchanges configuration parameters with the cli ent

while negotiating Security Associations. If you check this box, configure th e desired Mode Configuration

Parameters below; otherwise, ignore them. The box is checked by default.

To use split tunneling, you must check this box.

If you checked L2TP over IPSec under Tunneling Protocols, do not check this box.

Notes: IPSec uses Mode Configuration to pass all configuration parameters to a client: IP address, DNS and

WINS addresses, etc. You must check this box to use Mode Configuration. Othe rwise, those

parameters—even if configured with entries—are not passed to the client.

The Cisco VPN 3000 Client (IPSec client) supports Mode Configuration, but other IPSec clients may

not. For example, the Microsoft Windows 2000 IPSec client does not support Mode Configuration. (The

Windows 2000 client uses the PPP layer above L2TP to receive its IP address from the VPN

Concentrator.) Determine compatibility before using this option with other vendors’ clients.

Mode Configuration Parameters

These base-group parameters apply to IPSec clients using Mode Configuration. If you check Mode

Configuration above, configure these parameters as desired; otherwise, ignore them.

Banner

Enter the banner, or text string, that remote-access IPSec clients see when they log in. The maximum

length is 128 characters.