34-12
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 34 Configuring Easy VPN Services on the ASA 5505
Guidelines for Configuring the Easy VPN Server
Authentication Options
The ASA 5505 supports the following authentication mechanisms, which it obtains from the group
policy stored on the Easy VPN Server. The following list identifies the authentication options supported
by the Easy VPN hardware client, however, you must configure them on the Easy VPN server:
• Secure unit authentication (SUA, also called Interactive unit authentication)
Ignores the vpnclient username Xauth command (described in “Configuring Automatic Xauth
Authentication” section on page 34-4) and requires the user to authenticate the ASA 5505 by
entering a password. By default, SUA is disabled. You can use the secure-unit-authentication
enable command in group-policy configuration mode to enable SUA. See Configuring Secure Unit
Authentication, page 30-44.
• Individual user authentication
Requires users behind the ASA 5505 to authenticate before granting them access to the enterprise
VPN network. By default, IUA is disabled.
Caution Do not use IUA if the client might have a NAT device.
You can use the user-authentication enable command in group-policy configuration mode to
enable IUA. See Configuring User Authentication, page 30-44.
Caution Do not configure IUA on a Cisco ASA 5505 configured as an Easy VPN server if a NAT device
is operating between the server and the Easy VPN hardware client.
Use the user-authentication-idle-timeout command to set or remove the idle timeout period after
which the Easy VPN Server terminates the client’s access. See Configuring an Idle Timeout, page
30-45.
• Authentication by HTTP redirection
The Cisco Easy VPN server intercepts HTTP traffic and redirects the user to a login page if one of
the following is true:
–
SUA or the username and password are not configured on the Easy VPN hardware client.
–
IAU is enabled.
HTTP redirection is automatic and does not require configuration on the Easy VPN Server.
• Preshared keys, digital certificates, tokens and no authentication
The ASA 5505 supports preshared keys, token-based (e.g., SDI one-time passwords), and “no user
authentication” for user authentication. NOTE: The Cisco Easy VPN server can use the digital
certificate as part of user authorization. See Chapter 27, “Configuring IPSec and ISAKMP” for
instructions.
To Next Page
Loading...
Need help?
General