|
General configuration parameters include VPN 3000 Concentrator environment items: system identification, time, and date.
This section of the Manager lets you configure general VPN Concentrator parameters.
This screen lets you configure system identification parameters that are stored in the standard MIB-II system object. Network management systems using SNMP can retrieve this object and identify the system. Configuring this information is optional.
Enter a system name that uniquely identifies this VPN Concentrator on your network, for example: VPN01. The maximum name length is 255 characters.
Enter the name of the contact person who is responsible for this VPN Concentrator. The maximum name length is 255 characters.
Enter the location of this VPN Concentrator. The maximum length is 255 characters.
To apply your system identification settings and include them in the active configuration, click Apply. The Manager returns to the Configuration | System | General screen.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
To discard your settings, click Cancel. The Manager returns to the Configuration | System | General screen.
This screen lets you set the time and date on the VPN Concentrator. Setting the correct time is very important so that logging and accounting information is accurate.
The screen shows the current date and time on the VPN Concentrator at the time the screen displays. You can refresh this by redisplaying the screen.
The values in the New Time fields are the time and date on the browser PC at the time the screen displays. Any entries you make apply to the VPN Concentrator, however.
In the appropriate fields, make any changes. The fields are, in order: Hour : Minute : Second Month / Day / Year Time Zone. Click the drop-down menu buttons to select Month and Time Zone.
The time is military time; that is, it is based on a twenty-four hour clock. (For example, 1:00 PM is 13:00:00.)
The time zone selections are offset in hours relative to GMT (Greenwich Mean Time), which is the basis for Internet time synchronization.
Enter the Year as a four-digit number.
To enable DST support, check the Enable DST Support check box. During DST (Daylight-Saving Time), clocks are set one hour ahead of standard time. Enabling DST support means that the VPN Concentrator automatically adjusts the time zone for DST or standard time. If your system is in a time zone that uses DST, you must enable DST support.
To apply your time and date settings, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | General screen.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
To discard your settings, click Cancel. The Manager returns to the Configuration | System | General screen.
This screen lets you limit the number of simultaneous active sessions to fewer sessions than the VPN Concentrator could potentially support. The maximum number of sessions supported is determined by the hardware and is model-dependent.
Table 11-1 Maximum Sessions for Each VPN Concentrator Model
|
The maximum number of concurrently active sessions permitted on this VPN Concentrator. Enter a value within the range indicated.
A value of zero (0) in this field means that there is no artificial limit below the maximum number of sessions supported by the hardware. In other words, for a VPN Concentrator 3030, a 0 in this field means that the maximum number of sessions is 1500.
To apply your session settings, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | General screen.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
To discard your settings, click Cancel. The Manager returns to the Configuration | System | General screen.
By default, the VPN Concentrator authenticates both software clients and VPN 3002 hardware clients on the basis of their username. For clients to connect, you enter a string of characters (in a username field) as their identification. The VPN Concentrator considers the entire string to be a username and validates users on the basis of the entire string.
The group lookup feature allows clients to be authenticated on the basis of a group in addition to their username. If this feature is enabled, the VPN Concentrator checks the identification string to see if it contains the configured group delimiter. If the string contains the configured group delimiter, the VPN Concentrator interprets it as: username<delimiter>groupname. It interprets the characters to the left of the delimiter as the username and the characters to the right of the delimiter as the group name. It then authenticates the user on the basis of the tunnel group and applies the parameters of the specified group to the user. For example, if the user enters the string "JaneDoe#Cisco", the VPN Concentrator interprets JaneDoe as the user, # as the delimiter, and Cisco as the group. It authenticates the user "JaneDoe" on the basis of the tunnel group and applies the Cisco group parameters.
If the string does not contain a group delimiter, the VPN Concentrator considers the entire string to be the username. It validates users on the basis of the username alone, and applies the parameters of the tunnel group to the user.
Check the Enable Group Lookup check box to enable user authentication on the basis of both username and group name. Uncheck the check box to disable group lookup.
If you configured Enable Group Lookup, click the Group Delimiter drop-down menu and choose one of the following characters to separate the username from the group name in the authentication string: @, #, or !. The default delimiter is: @.
Note If you are using the Group Lookup feature and Strip Realm, do not use the @ character for the group delimiter. See the section below, "Strip Realm and Group Lookup," for a full explanation of how the VPN Concentrator interprets delimiters for realms and groups. |
You can associate users with groups and realms in the following combinations.
When you append a group name to a username using a delimiter, the VPN Concentrator interprets all characters to the left of the delimiter as the username, and those to the right as the group name. Valid group delimiters are the @, #, and ! characters, with the @ character as the default for Group Lookup. You append the group the username in the format username<delimiter>group, the possibilities being, for example, JaneDoe@VPNGroup, JaneDoe#VPNGroup, and JaneDoe!VPNGroup.
A realm is an administrative domain. You can append the realm name to the username for AAA purposes --authorization, authentication and accounting. The only valid delimiter for a realm is the @ character. The format is username@realm, for example, JaneDoe@it.cisco.com.
A Kerberos realm is a special case. The convention in naming a Kerberos realm is to capitalize the DNS domain name associated with the hosts in the Kerberos realm. For example, if users are in the it.cisco.com domain, you might call your Kerberos realm IT.CISCO.COM.
Note You can append both the realm and the group to a username, in which case the VPN Concentrator uses parameters configured for the group and for the realm for AAA functions. The format for this option is username[@realm]]<#or!>group], for example, JaneDoe@it.cisco.com#VPNGroup. If you choose this option, you must use either the # or ! character for the group delimiter because the Concentrator cannot interpret the @ as a group delimiter if it is also present as the realm delimiter. |
Group Lookup is configurable globally in the present screen, Configuration | System | General | Global Authentication Parameters. Strip Realm is configurable on a group basis in the General tab of the Configuration | User Management | Base Group/Groups screens. If you enable Strip Realm, the VPN Concentrator removes the realm from the username before sending a request to an AAA server.
You can use Strip Realm and Group Lookup simultaneously to have the VPN Concentrator ignore the realm and use the values of the group for AAA purposes.
Table 11-2 shows the credentials the VPN Concentrator uses for authentication according to how you configure a username, strip realm, and group lookup.
Table 11-2 Usernames with Groups and Realms
|
Note In addition to the realm and the group, the username may include a Windows domain. The domain is prepended to the username, and the valid delimiter is the \ character. The format is domain\username[@realm][#group], for example domain\JaneDoe. You would include a domain in corporate environments that have multiple Microsoft domains, and that require the domain for authentication. |
When you configure a VPN Client or a VPN 3002, you assign it to a group on the VPN Concentrator to which it connects. This is the tunnel group to which the client belongs. The attributes of the tunnel group determine how the client authenticates.
For purposes of authentication, you can associate users behind a VPN Concentrator or VPN 3002 with a group other than the tunnel group. You accomplish this by embedding a different group name within the username. To embed this second group name, you configure and use a delimiter, (@, #, or !) that associates the second group with the user. The format to use is username<delimiter>groupname, for example, UserA#bluegroup.
When you embed a group name within a username:
Note The VPN 3002 always gets settings for interactive hardware client authentication from the tunnel group, not the embedded group. |
Table 11-3 summarizes how UserA, UserB, and UserC connect to the central site through a VPN Concentrator or VPN 3002.
Table 11-3 Example: How Authentication Servers Work Using Embedded Groups
Posted: Wed Jul 16 12:41:36 PDT 2003
All contents are Copyright © 1992--2003 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.