Configuring servers means identifying them to the VPN 3000 Concentrator so it can communicate with them correctly. These servers provide user authentication, authorization, and accounting functions, convert host names to IP addresses, assign client IP addresses, and synchronize the system with network time. The VPN Concentrator functions as a client of these servers.
This section of the Manager lets you configure the VPN Concentrator to communicate with servers for various functions.
You can also configure the VPN Concentrator internal authentication server here if you have not already done so during Quick Configuration.
This section lets you configure the VPN Concentrator internal server and external RADIUS, NT Domain, and SDI servers for authenticating users. To create and use a VPN, you must configure at least one authentication server type; there must be at least one method of authenticating users.
If you check Use Address from Authentication Server on the Configuration | System | Address Management | Assignment screen, you must configure an authentication server here.
You must also configure servers here that correspond to the settings for Authentication method on the IPSec Parameters tab on the Configuration | User Management | Base Group and Group screens. For example, if you specify RADIUS authentication under IPSec for the base group, you must configure at least one RADIUS authentication server here. And in this example, the first RADIUS server is considered the primary server, the second RADIUS server is backup, and so on; any other server types are ignored.
Before you configure an external server here, be sure that the external server you reference is itself properly configured and that you know how to access it (IP address or host name, TCP/UDP port, secret/password, etc.). The VPN Concentrator functions as the client of these servers.
The VPN 3000 software CD-ROM includes a link that customers with CCO logins can use to access an evaluation copy of the CiscoSecure ACS RADIUS authentication server. The VPN 3000 software CD-ROM also has current VPN 3000 VSA registry files that let customers load new supported attributes on their ACS server, and provides instructions for using them.
After you have configured an external authentication server, you can also test it. Testing sends a username and password to the server to determine that the VPN Concentrator is communicating properly with it, and that the server properly authenticates valid users and rejects invalid users.
If you configure the internal authentication server, you can add users to the internal database by clicking the highlighted link, which takes you to the Configuration | User Management | Users screen. To configure the internal server, you just add at least one user or group to the internal database.
If you configure IPSec on the Quick Configuration | Protocols screen, the VPN Concentrator automatically configures the internal authentication server. The internal server is also the default selection on the Quick Configuration | Authentication screen.
You can configure and prioritize up to 10 authentication servers here. The first server of a given type is the primary server for that type, and the rest are backup servers in case the primary is inoperative. After you configure authentication server(s), you assign them to groups and users; see "User Management," for information about configuring groups and users to use authentication servers.
The VPN Concentrator handles authentication differently for PPTP clients and the Cisco VPN Client.
The Authentication Servers list shows the configured servers, in priority order. Each entry shows the server identifier and type, for example: 192.168.12.34 (Radius). If no servers have been configured, the list shows --Empty--. The first server of each type is the primary, the rest are backup.
To configure a new user-authentication server, click Add. The Manager opens the Configuration | System | Servers | Authentication | Add screen.
To modify a configured user authentication server, select the server from the list and click Modify. The Manager opens the Configuration | System | Servers | Authentication | Modify screen. The internal server has no configurable parameters, therefore there is no Modify screen. If you select the internal server and click Modify, the Manager displays an error message.
To remove a configured user authentication server, select the server from the list and click Delete.
Note There is no confirmation or undo, except for the Internal Server (see the Configuration | System | Servers | Authentication | Delete screen).
The Manager refreshes the screen and shows the remaining entries in the Authentication Servers list.
Note If you delete a server, users authenticated by that server will no longer be able to access the VPN unless another configured server can authenticate them.
To change the priority order for configured servers, select the entry from the list and click Move [Up Arrow] or Move [Down Arrow]. The Manager refreshes the screen and shows the reordered Authentication Servers list.
To test a configured external user authentication server, select the server from the list and click Test. The Manager opens the Configuration | System | Servers | Authentication | Test screen. There is no need to test the internal server, and trying to do so returns an error message.
The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
Click the Server Type drop-down menu button and select the type of server. The screen and its configurable fields change depending on the server type. Choices are:
Find your selected server type:
Configure these parameters for a RADIUS (Remote Authentication Dial-In User Service) authentication server.
Note Certain RADIUS servers can send large packets. The VPN Concentrator supports packets up to 4096 bytes. It ignores packets larger than that.
Most RADIUS servers do not support MSCHAP Version 1 or 2 user authentication. If you plan to use a RADIUS server that does not support MSCHAP, you must configure the base group's PPTP Authentication Protocols to PAP and/or CHAP only. By doing this, you have no data encryption and possibly no password encryption.
CiscoSecure ACS for Windows Release 2.5 and higher supports MSCHAP V.1.
To use encryption with PPTP, your RADIUS server must support MSCHAP authentication and the return attribute MSCHAP-MPPE-Keys. Some examples of RADIUS servers that support MSCHAP-MPPE-Keys are:
Enter the IP address or host name of the RADIUS authentication server, for example: 192.168.12.34. The maximum number of characters is 32. (If you have configured a DNS server, you can enter a host name in this field; otherwise, enter an IP address.)
Enter the UDP port number by which you access the server. Enter 0 (the default) to have the system supply the default port number, 1645.
Note The latest RFC states that RADIUS should be on UDP port number 1812, so you might need to change this default value to 1812.
Enter the time in seconds to wait after sending a query to the server and receiving no response, before trying again. The minimum time is 1 second. The default time is 4 seconds. The maximum time is 30 seconds.
Enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator declares this server inoperative and uses the next RADIUS authentication server in the list. The minimum number of retries is 0. The default number is 2. The maximum number is 10.
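The timeout and retry fields above, together with the priority order on the Authentication Servers list (first server of a type is the primary, the rest are backups, at most 10 entries), define a failover algorithm. The following is an added example that models that algorithm in Python; it is not Cisco code, and the server addresses and the query callback are constructed for the demonstration.

```python
"""Model of the server-list failover described for the VPN 3000 Concentrator.
Added example, not Cisco code: the server entries and the query callback are
constructed here to show how timeout, retries and priority order interact."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class AuthServer:
    address: str
    server_type: str          # "RADIUS", "NT Domain", "SDI", "Kerberos", "Internal"
    timeout: int = 4          # seconds to wait for a reply before retrying (1..30)
    retries: int = 2          # retries after the first attempt (0..10)
    attempts_made: int = 0    # bookkeeping for the demonstration

    def __post_init__(self) -> None:
        if not 1 <= self.timeout <= 30:
            raise ValueError("timeout must be between 1 and 30 seconds")
        if not 0 <= self.retries <= 10:
            raise ValueError("retries must be between 0 and 10")


class ServerList:
    """Configured servers in priority order; at most 10 entries."""

    def __init__(self) -> None:
        self.servers: List[AuthServer] = []

    def add(self, server: AuthServer) -> None:
        if len(self.servers) >= 10:
            raise ValueError("at most 10 servers can be configured")
        self.servers.append(server)           # new entries go to the bottom of the list

    def move_up(self, index: int) -> None:
        if index > 0:
            s = self.servers
            s[index - 1], s[index] = s[index], s[index - 1]

    def of_type(self, server_type: str) -> List[AuthServer]:
        """First entry of a type is its primary, the rest are its backups."""
        return [s for s in self.servers if s.server_type == server_type]


# query(server) -> True (accept), False (reject) or None (no reply within timeout)
Query = Callable[[AuthServer], Optional[bool]]


def authenticate(servers: ServerList, server_type: str,
                 query: Query) -> Tuple[Optional[bool], Optional[str]]:
    """Try the primary, then each backup of the requested type.  A server is
    declared inoperative only after 1 + retries unanswered queries; any reply,
    accept or reject, ends the search.  Returns (result, answering server) or
    (None, None) when every server of that type is inoperative."""
    for server in servers.of_type(server_type):
        for _ in range(1 + server.retries):
            server.attempts_made += 1
            result = query(server)          # a real client waits server.timeout seconds here
            if result is not None:
                return result, server.address
        # no response after all retries: inoperative, fall through to the next server
    return None, None


def demo() -> dict:
    """Constructed scenario: the primary RADIUS server is down, the backup
    accepts, and the SDI server is never consulted for a RADIUS lookup."""
    servers = ServerList()
    servers.add(AuthServer("192.168.12.34", "RADIUS"))               # primary
    servers.add(AuthServer("192.168.12.35", "RADIUS", retries=1))    # backup
    servers.add(AuthServer("192.168.12.40", "SDI"))

    def query(server: AuthServer) -> Optional[bool]:
        if server.address == "192.168.12.34":
            return None                    # primary never answers
        return True

    result, answered_by = authenticate(servers, "RADIUS", query)
    return {
        "result": result,
        "answered_by": answered_by,
        "primary_attempts": servers.servers[0].attempts_made,
        "backup_attempts": servers.servers[1].attempts_made,
        "sdi_attempts": servers.servers[2].attempts_made,
    }


if __name__ == "__main__":
    print(demo())
```

Two details worth noticing: a rejection is a reply, so a rejected user is not retried against the backup, and the worst-case delay before a backup is consulted is (1 + retries) × timeout per dead server, which is what you are tuning when you raise the retry count.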
Enter the RADIUS server secret (also called the shared secret), for example: C8z077f. The maximum field length is 64 characters. The field shows only asterisks.
Re-enter the RADIUS server secret to verify it. The field shows only asterisks.
To add the new server to the list of configured user authentication servers, click Add. Or to apply your changes to the configured server, click Apply. Both actions include your entries in the active configuration. The Manager returns to the Configuration | System | Servers | Authentication screen. Any new server appears at the bottom of the Authentication Servers list.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
To discard your entries, click Cancel. The Manager returns to the Configuration | System | Servers | Authentication screen, and the Authentication Servers list is unchanged.
Configure these parameters for a Windows NT Domain authentication server.
Note NT servers have a maximum length of 14 characters for user passwords. Longer passwords are truncated.
Enter the IP address of the NT Domain authentication server, for example: 192.168.12.34. Use dotted decimal notation.
Enter the TCP port number by which you access the server. Enter 0 (the default) to have the system supply the default port number, 139.
Enter the time in seconds to wait after sending a query to the server and receiving no response, before trying again. The minimum time is 1 second. The default time is 4 seconds. The maximum time is 30 seconds.
Enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator declares this server inoperative and uses the next NT Domain authentication server in the list. The minimum number of retries is 0. The default number of retries is 2. The maximum number of retries is 10.
Enter the NT Primary Domain Controller host name for this server, for example: PDC01. The maximum host name length is 16 characters. You must enter this name, and it must be the correct host name for the server for which you entered the IP address in Authentication Server Address; if it is incorrect, authentication will fail.
To add the new server to the list of configured user authentication servers, click Add. Or to apply your changes to the configured server, click Apply. Both actions include your entries in the active configuration. The Manager returns to the Configuration | System | Servers | Authentication screen. Any new server appears at the bottom of the Authentication Servers list.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
To discard your entries, click Cancel. The Manager returns to the Configuration | System | Servers | Authentication screen, and the Authentication Servers list is unchanged.
Configure these parameters for an RSA Security Inc. SecurID authentication server.
VPN Concentrator software version 3.6 supports both version 5.0 and versions prior to SDI 5.0.
SDI versions prior to 5.0 use the concept of an SDI master and an SDI slave server which share a single node secret file (SECURID). On the VPN Concentrator you can configure one pre-5.0 SDI master server and one SDI slave server globally, and one SDI master and one SDI slave server per each group.
SDI version 5.0 uses the concepts of an SDI primary and SDI replica servers. A primary and its replicas share a single node secret file. On the VPN Concentrator you can configure one SDI 5.0 server globally, and one per each group.
A version 5.0 SDI server that you configure on the VPN Concentrator can be either the primary or any one of the replicas. See the section below, "SDI Primary and Replica Servers," for information about how the SDI agent selects servers to authenticate users.
You can have one SDI primary server, and up to 10 replicas; use the SDI documentation for configuration instructions. The primary and all the replicas can authenticate users. Each primary and its replicas share a single node secret file. The node secret file has its name based on the hexadecimal value of the ACE/Server IP address with .sdi appended. SDI servers that you configure here apply globally. You can also configure SDI servers on a group basis (see Configuration | User Management | Groups, and click Add/Modify Auth Servers).
SDI version 5.0 uses a two-step process to prevent an intruder from capturing information from an RSA SecurID authentication request and using it to authenticate to another server. The Agent first sends a lock request to the SecurID server before sending the user authentication request. The server locks the username, preventing another (replica) server from accepting it. This means that the same user cannot authenticate to two VPN Concentrators using the same authentication servers simultaneously. After a successful username lock, the VPN Concentrator sends the passcode.
The VPN Concentrator obtains the server list when the first user authenticates to the configured server, which can be either a primary or a replica. The VPN Concentrator then assigns a priority to each server on the list, and subsequent server selection is made at random, weighted by those priorities: the highest priority servers are the most likely to be selected.
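The lock-then-passcode exchange and the weighted server selection described in the two paragraphs above can be modelled in a few dozen lines. The following is an added example, not Cisco or RSA code: the server names, the passcodes, the shared lock table and the priority scheme (primary highest, then list order) are constructed assumptions, since the page does not say how priorities are assigned.

```python
"""Simplified model of the SDI 5.0 behaviour the page describes: the agent
learns the server list from whichever configured server it reaches first,
assigns each server a priority, picks a server at random weighted by that
priority, and locks the username before sending the passcode.  Added example,
not Cisco or RSA code; server names, the priority scheme and the passcodes
are constructed assumptions."""
import random
from collections import Counter
from typing import Dict, List, Optional


class SecurIDRealm:
    """A primary and its replicas: they share one node secret, and here one
    lock table, so a username locked by any of them is locked for all."""

    def __init__(self, primary: str, replicas: List[str], passcodes: Dict[str, str]) -> None:
        self.servers = [primary] + replicas
        self.passcodes = passcodes                 # constructed username -> current passcode
        self.locked_by: Dict[str, str] = {}        # username -> server holding the lock

    def lock(self, server: str, username: str) -> bool:
        if server not in self.servers:
            raise ValueError("unknown server")
        if username in self.locked_by:
            return False                            # another server already holds it
        self.locked_by[username] = server
        return True

    def check_passcode(self, server: str, username: str, passcode: str) -> bool:
        if self.locked_by.get(username) != server:
            return False                            # no lock held by this server: refuse
        ok = self.passcodes.get(username) == passcode
        del self.locked_by[username]                # lock released on either outcome
        return ok


class SdiAgent:
    """The SDI agent on one VPN Concentrator."""

    def __init__(self, realm: SecurIDRealm, configured_server: str,
                 seed: Optional[int] = None) -> None:
        if configured_server not in realm.servers:
            raise ValueError("configured server must be the primary or a replica")
        self.realm = realm
        self.configured_server = configured_server
        self.rng = random.Random(seed)
        self.priorities: Optional[Dict[str, int]] = None

    def server_list(self) -> Dict[str, int]:
        """Learned from the configured server on the first authentication."""
        if self.priorities is None:
            learned = list(self.realm.servers)      # the list the configured server hands back
            n = len(learned)
            self.priorities = {s: n - i for i, s in enumerate(learned)}   # assumed scheme
        return self.priorities

    def pick_server(self) -> str:
        pri = self.server_list()
        names = list(pri)
        return self.rng.choices(names, weights=[pri[s] for s in names], k=1)[0]

    def authenticate(self, username: str, passcode: str) -> dict:
        """Step 1: lock the username; step 2: send the passcode."""
        server = self.pick_server()
        if not self.realm.lock(server, username):
            return {"ok": False, "server": server, "reason": "locked"}
        ok = self.realm.check_passcode(server, username, passcode)
        return {"ok": ok, "server": server, "reason": "" if ok else "bad passcode"}

    def selection_counts(self, draws: int) -> Counter:
        """How often each server is chosen over many selections."""
        return Counter(self.pick_server() for _ in range(draws))
```

The model makes the operational consequence visible: while one Concentrator holds the lock for a username, a second Concentrator using the same servers is refused for that user until the first exchange completes, whichever replica it happens to select.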
Enter the IP address or host name of the SDI authentication server, for example: 192.168.12.34. The maximum host name length is 32 characters. (If you have configured a DNS server, you can enter a host name in this field; otherwise, enter an IP address.)
Use the drop-down menu to select the SDI server version you are using, pre-5.0 or 5.0.
Enter the UDP port number by which you access the server. Enter 0 (the default) to have the system supply the default port number, 5500.
Enter the time in seconds to wait after sending a query to the server and receiving no response, before trying again. The minimum value is 1 second. The default value is 4 seconds. The maximum value is 30 seconds.
Enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator declares this server inoperative and uses the next SDI authentication server in the list. The minimum number of retries is 0. The default number of retries is 2. The maximum number is 10.
To add the new server to the list of configured user authentication servers, click Add. Or to apply your changes to the configured server, click Apply. Both actions include your entries in the active configuration. The Manager returns to the Configuration | System | Servers | Authentication screen. Any new server appears at the bottom of the Authentication Servers list.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
To discard your entries, click Cancel. The Manager returns to the Configuration | System | Servers | Authentication screen, and the Authentication Servers list is unchanged.
Configure these parameters for a Kerberos/Active Directory server.
The VPN Concentrator supports RC4-HMAC and DES-MD5 encryption types.
Note The VPN Concentrator does not support changing user passwords during tunnel negotiation. To avoid this situation happening inadvertently, disable password expiration on the Kerberos/Active Directory server for users connecting to the VPN Concentrator.
If you are configuring authentication to a Linux machine acting as a Kerberos server, check the available keys for the users you want to authenticate. The following key must be available: DES cbc mode with RSA-MD5, Version 5.
For example, if you are configuring authentication to a Red Hat Linux 7.3 server running Kerberos, check the available keys by completing the following steps:
Step 2 If "DES cbc mode with RSA-MD5, Version 5" is not available for that user, edit the file kdc.conf. Add or move "des-cbc-md5" selections to the beginning of the "supported_enctypes =" line:
Step 3 Save the file.
Step 4 Restart the krb5kdc, kadmin, and krb524 services.
Step 5 Change the password for the user to create the "DES cbc mode with RSA-MD5" key:
Now you should be able to authenticate that user to your Linux/Unix Kerberos 5 server.
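Two parts of the procedure above lend themselves to a script: checking a principal's key listing for the "DES cbc mode with RSA-MD5, Version 5" key, and moving the des-cbc-md5 entries to the front of the supported_enctypes line in kdc.conf. The following is an added example, not Cisco or MIT code; the principal listing and the kdc.conf contents are constructed in the shape the page quotes. Note that MIT krb5 1.18 and later no longer support single-DES at all, so the procedure only applies to KDCs of that era.

```python
"""Helpers for the Kerberos key check in the Linux KDC steps above.  Added
example, not Cisco or MIT code: the getprinc output and kdc.conf below are
constructed in the shape the page quotes."""
import re

DES_MD5_KEY = "DES cbc mode with RSA-MD5, Version 5"   # the key string the page names

# Constructed principal listing (kadmin getprinc style) that lacks the key.
SAMPLE_GETPRINC_OUTPUT = """\
Principal: jsmith@EXAMPLE.COM
Number of keys: 2
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 3, ArcFour with HMAC/md5, no salt
"""

# Constructed kdc.conf with des-cbc-md5 present but not first.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
 kdc_ports = 88
[realms]
 EXAMPLE.COM = {
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-cbc-md5:normal des-cbc-crc:normal
 }
"""


def has_des_md5_key(getprinc_output: str) -> bool:
    """True if the principal already has the key the VPN Concentrator needs."""
    return any(line.startswith("Key:") and DES_MD5_KEY in line
               for line in getprinc_output.splitlines())


def promote_des_cbc_md5(conf_text: str) -> str:
    """Move every des-cbc-md5 entry to the front of each supported_enctypes
    line (step 2), adding des-cbc-md5:normal if the line has none."""
    lines = conf_text.split("\n")
    for i, line in enumerate(lines):
        m = re.match(r"^(\s*supported_enctypes\s*=\s*)(.*)$", line)
        if not m:
            continue
        prefix, value = m.groups()
        entries = value.split()
        des = [e for e in entries if e.split(":")[0] == "des-cbc-md5"]
        rest = [e for e in entries if e.split(":")[0] != "des-cbc-md5"]
        lines[i] = prefix + " ".join((des or ["des-cbc-md5:normal"]) + rest)
    return "\n".join(lines)


def first_enctype(conf_text: str) -> str:
    """The enctype the KDC will prefer: the first entry on the line."""
    for line in conf_text.split("\n"):
        m = re.match(r"^\s*supported_enctypes\s*=\s*(\S+)", line)
        if m:
            return m.group(1)
    return ""
```

After rewriting kdc.conf you still need steps 4 and 5 from the procedure: restart the KDC services and change the user's password, because a new key is only generated when the principal's password is set.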
Enter the IP address or hostname of the Kerberos/Active Directory authentication server, for example: 192.168.12.34. Use dotted decimal notation.
Enter the TCP port number by which you access the server. Enter 0 (the default) to have the system supply the default port number, 88.
Enter the time in seconds to wait after sending a query to the server and receiving no response, before trying again. The minimum time is 1 second. The default time is 4 seconds. The maximum time is 30 seconds.
Enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator declares this server inoperative and uses the next Kerberos/Active Directory authentication server in the list. The minimum number of retries is 0. The default number of retries is 2. The maximum number of retries is 10.
Enter the realm name for this server, for example: USDOMAIN.ACME.COM. The maximum length is 64 characters.
The following types of servers require that you enter the realm name in all uppercase letters: Windows 2000, Windows XP, and Windows .NET. If the letters are not uppercase, authentication fails.
You must enter this name, and it must be the correct realm name for the server for which you entered the IP address in Authentication Server. If it is incorrect, authentication will fail.
To add the new server to the list of configured user authentication servers, click Add. Or to apply your changes to the configured server, click Apply. Both actions include your entries in the active configuration. The Manager returns to the Configuration | System | Servers | Authentication screen. Any new server appears at the bottom of the Authentication Servers list.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
To discard your entries, click Cancel. The Manager returns to the Configuration | System | Servers | Authentication screen, and the Authentication Servers list is unchanged.
The VPN Concentrator internal authentication server lets you enter a maximum of 100 groups and users (combined) in its database. To do so, see the Configuration | User Management screens, or click the highlighted link on the Configuration | System | Servers | Authentication screen.
The internal server has no configurable parameters, therefore there is no Modify screen. If you select the internal server and click Modify on the Configuration | System | Servers | Authentication screen, the Manager displays an error message.
You can configure only one instance of the internal server.
To add the internal server to the list of configured user authentication servers, and to include the entry in the active configuration, click Add. The Manager returns to the Configuration | System | Servers | Authentication screen. The new server appears at the bottom of the Authentication Servers list.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
To discard your entry, click Cancel. The Manager returns to the Configuration | System | Servers | Authentication screen, and the Authentication Servers list is unchanged.
This screen asks you to confirm your decision to delete the internal authentication server. Deleting it prevents IPSec LAN-to-LAN connections, since they depend on internally configured groups for IPSec SA negotiations. Deleting it also prevents connections by all users that are configured in the internal user database.
Note We strongly recommend that you not delete the internal authentication server.
To delete the internal authentication server, click Yes.
Note There is no undo.
The Manager returns to the Configuration | System | Servers | Authentication screen and shows the remaining entries in the Authentication Servers list.
To not delete the internal authentication server, click No. The Manager returns to the Configuration | System | Servers | Authentication screen, and the Authentication Servers list is unchanged.
The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
This screen lets you test a configured external user authentication server to determine that:
To test connectivity and valid authentication, enter the username for a valid user who has been configured on the authentication server. The maximum username length is 32 characters. Entries are case-sensitive.
To test connectivity and authentication rejection, enter a username that is invalid on the authentication server.
Enter the password for the username. Maximum 32 characters, case-sensitive. The field displays only asterisks.
To send the username and password to the chosen authentication server, click OK. The authentication and response process takes a few seconds. The Manager displays a Success or Error screen.
To cancel the test and discard your entries, click Cancel. The Manager returns to the Configuration | System | Servers | Authentication screen.
If the VPN Concentrator communicates correctly with the authentication server, and the server correctly authenticates a valid user, the Manager displays a Success screen.
To return to the Configuration | System | Servers | Authentication | Test screen, click Continue. You can then test authentication for another username.
To return to the Configuration | System | Servers | Authentication screen, or any other screen, click the desired title in the left frame (Manager table of contents).
If the VPN Concentrator communicates correctly with the authentication server, and the server correctly rejects an invalid user, the Manager displays an Authentication Rejected Error screen.
To return to the Configuration | System | Servers | Authentication | Test screen, click Retry the operation.
To go to the main VPN Concentrator Manager screen, click Go to main menu.
If the VPN Concentrator cannot communicate with the authentication server, the Manager displays an Authentication Error screen. Error messages include:
The server might be improperly configured or out of service, the network might be down or clogged, etc. Check the server configuration parameters, be sure the server is operating, check the network connections, etc.
To return to the Configuration | System | Servers | Authentication | Test screen, click Retry the operation.
To go to the main VPN Concentrator Manager screen, click Go to main menu.
This screen lets you configure the VPN Concentrator to use external RADIUS or LDAP servers for authorizing users. User authorization provides the VPN Concentrator with information about each user's permissions and other attributes (such as the user's access hours, primary DNS, or banner). Using an external server for authorization gives you centralized control of user permissions. It is also helpful if you are managing large numbers of users.
Adding an external authorization server allows you to separate user authorization from user authentication, so that you can, for example, authenticate users with Kerberos and authorize them using LDAP. It also allows certificate users to receive permissions by means of LDAP or RADIUS without secondary authentication via XAUTH.
Note If you are already using RADIUS for authentication, you do not need to use RADIUS authorization on the same server. The RADIUS authentication server returns the user's permissions as part of the authentication process.
You can configure user authorization on a global basis or a group basis. Configure it on a global basis if you want the server to be available to members of any groups for which authorization is enabled. Configure it on a group basis if you want members of a particular group to use a particular server. If you use internal groups, then any permissions and attributes returned by the authorization server take precedence over the attributes defined in the group.
If you are authorizing a Cisco VPN 3002 Hardware Client, the VPN Concentrator authorizes the Hardware Client itself, not the hosts behind it. Therefore, a single set of permissions applies to all hosts or PCs on the Hardware Client's LAN.
Use this screen to configure global authorization servers. To configure authorization servers for a particular group, see Configuration | User Management | Group | Authorization Servers.
You can configure and prioritize up to 10 authorization servers. The first server of a given type is the primary server for that type, and the rest are backup servers in case the primary is inoperative.
Before you configure an external server here, be sure that the external server you reference is itself properly configured. (For information on how to configure your server, see "Configuring an External Server for VPN Concentrator User Authorization.") Be sure that you know how to access the server; for example, you should know the IP address or host name, TCP/UDP port, and secret/password. The VPN Concentrator functions as the client of these servers.
After you have configured an external authorization server, you can also test it. Testing sends a username and password to the server to determine that the VPN Concentrator is communicating properly with it.
The VPN 3000 software CD-ROM includes a link that customers with CCO logins can use to access an evaluation copy of the CiscoSecure ACS RADIUS authentication server. The VPN 3000 software CD-ROM also has current VPN 3000 VSA registry files that let customers load new supported attributes on their ACS server, and provides instructions for using them.
Note The VPN Concentrator must communicate directly to the external authorization server for authorization to work correctly. You cannot proxy the LDAP authorization server via a RADIUS server. For example, you cannot use the Cisco Secure ACS RADIUS server to proxy user authorization LDAP requests to the external LDAP server.
Note The VPN Concentrator logs authorization requests and replies using AUTH and AUTHDBG event classes.
Caution As the authorization exchange is not encrypted or authenticated, place all authorization servers within the corporate network.
Note Before you configure the VPN Concentrator for user authorization, be sure that the external server you reference is itself properly configured. For instructions on configuring an external LDAP or RADIUS server to interoperate with the VPN Concentrator, see "Configuring an External Server for VPN Concentrator User Authorization."
Once you have configured the external server, you are ready to configure the VPN Concentrator to support the server.
Use this screen to configure the VPN Concentrator to use an external LDAP or RADIUS server for global user authorization. To add a server for a particular group, use the Configuration | User Management | Groups | Authorization Server screen.
Once you have added the server, enable user authorization on the Configuration | User Management | Base Group (or Group) IPSec tab.
The Authorization Servers list shows the configured servers, in priority order. Each entry shows the server identifier and type, for example: 192.168.12.34 (Radius). If no servers have been configured, the list shows --Empty--. The first server of each type is the primary, the rest are backup.
To configure a new user-authorization server, click Add. The Manager opens the Configuration | System | Servers | Authorization | Add screen.
To modify a configured user authorization server, select the server from the list and click Modify. The Manager opens the Configuration | System | Servers | Authorization | Modify screen.
To remove a configured user authorization server, select the server from the list and click Delete. The Manager refreshes the screen and shows the remaining entries in the Authorization Servers list.
Note There is no confirmation or undo.
To change the priority order for configured servers, select the entry from the list and click Move Up or Move Down. The Manager refreshes the screen and shows the reordered Authorization Servers list.
To test a configured user authorization server, select the server from the list and click Test. The Manager opens the Configuration | System | Servers | Authorization | Test screen.
The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
Click the Server Type drop-down menu button and select the type of server. The screen and its configurable fields change depending on the server type. The choices are:
Find your selected server type.
Configure these parameters for a RADIUS authorization server.
Enter the IP address or host name of the RADIUS authorization server, for example: 192.168.12.34. The maximum number of characters is 32.
Enter the UDP port number by which you access the server. Enter 0 (the default) to have the system supply the default port number, 1645.
Note The latest RFC states that RADIUS should be on UDP port number 1812, so you might need to change this default value to 1812.
Enter the time in seconds to wait after sending a query to the server and receiving no response, before trying again. The minimum time is 1 second. The default time is 4 seconds. The maximum time is 30 seconds.
Enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator declares this server inoperative and uses the next RADIUS authorization server in the list. The minimum number of retries is 0. The default number is 2. The maximum number is 10.
Enter the server secret (also called the shared secret) for the RADIUS server, for example: C8z077f. The VPN Concentrator uses the server secret to authenticate to the RADIUS server.
The server secret you configure here should match the one configured on the RADIUS server. If you do not know the server secret for the RADIUS server, ask the administrator of the RADIUS server.
The maximum field length is 64 characters. The field shows only asterisks.
Re-enter the RADIUS server secret to verify it. The field shows only asterisks.
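The server secret fields on this screen and on the RADIUS authentication screen earlier in this section play the same role, and it helps to see concretely what a mismatch breaks. The following is an added example, not Cisco code and not any RADIUS library's code: it builds an Access-Request with the User-Password hiding from RFC 2865, lets a minimal server recover the password with its own copy of the secret, and has the client verify the reply's Response Authenticator. The secret, username and password are constructed sample values.

```python
"""Worked model of what the RADIUS shared secret protects (RFC 2865).
Added example, not Cisco or any RADIUS library's code: the secret, username
and password used with it are constructed sample values."""
import hashlib
import hmac
import secrets
import struct
from typing import Dict

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2          # attribute types


def _attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def parse_attributes(data: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("RADIUS passwords are at most 128 bytes")
    padded = password.ljust((((len(password) + 15) // 16) or 1) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of hide_password; yields garbage with any other secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ m for h, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: str, password: str, secret: bytes,
                         authenticator: bytes = None) -> bytes:
    authenticator = authenticator or secrets.token_bytes(16)   # fresh random per request
    attrs = _attr(USER_NAME, username.encode()) + \
        _attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(code: int, ident: int, request_authenticator: bytes, secret: bytes,
                   attrs: bytes = b"") -> bytes:
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def radius_server(request: bytes, secret: bytes, users: Dict[str, str]) -> bytes:
    """Minimal server: recover the password with its own secret and reply."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    username = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = username in users and hmac.compare_digest(password, users[username].encode())
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, secret)


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: accept a reply only if its Response Authenticator was
    computed with our secret over our Request Authenticator and identifier."""
    if len(response) < 20:
        return False
    _code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

Two things the model makes plain: with a mismatched secret the server recovers the wrong password and rejects every user, and the client discards the reply anyway because the Response Authenticator does not verify, so a wrong secret looks like a failing server. Only the password and the reply carry this MD5 protection; the username and any returned attributes travel in the clear, which is why the page tells you to keep these servers inside the corporate network.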
The RADIUS authorization server requires a password and username for each connecting user. You enter the password here. The RADIUS server administrator must configure the RADIUS server to associate this password with each user authorizing to the server via this VPN Concentrator. Be sure to provide this information to your RADIUS server administrator.
Enter a common password for all users who are accessing this RADIUS authorization server through this VPN Concentrator.
If you leave this field blank, each user's password will be his or her own username. For example, a user with the username "jsmith" would enter "jsmith". If you are using usernames for the Common User passwords, as a security precaution do not use this RADIUS server for authentication anywhere else on your network.
Note This field is essentially a space-filler. The RADIUS server expects and requires it, but does not use it. Users do not need to know it.
Re-enter the Common User Password to verify it. The field shows only asterisks.
To add the new server to the list of configured user authorization servers, click Add. Or to apply your changes to the configured server, click Apply. Both actions include your entries in the active configuration. The Manager returns to the Configuration | System | Servers | Authorization screen. Any new server appears at the bottom of the Authorization Servers list.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
To discard your entries, click Cancel. The Manager returns to the Configuration | System | Servers | Authorization screen, and the Authorization Servers list is unchanged.
Configure these parameters for an LDAP authorization server.
Enter the IP address or hostname of the LDAP authorization server. Enter the IP address in dotted decimal notation, for example: 192.168.12.34.
Enter the TCP port number by which you access the server. Enter 0 (the default) to have the system supply the default port number, 389.
Enter the time in seconds to wait after sending a query to the server and receiving no response, before trying again. The minimum time is 1 second. The default time is 4 seconds. The maximum time is 30 seconds.
Enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator declares this server inoperative and uses the next LDAP authorization server in the list. The minimum number of retries is 0. The default number of retries is 2. The maximum number of retries is 10.
Enter the Server Secret (also called the Shared Secret) for the LDAP server, for example: C8z077f. (The Server Secret should match the one you enter at the LDAP server.) The maximum field length is 64 characters. The field shows only asterisks.
Re-enter the LDAP Server Secret to verify it. The field shows only asterisks.
Enter the location in the LDAP hierarchy where the server should begin searching when it receives an authorization request. For example: OU=people, dc=cisco, dc=com.
Choose the extent of the search in the LDAP hierarchy that the server should make when it receives an authorization request.
Enter the Relative Distinguished Name attribute (or attributes) that uniquely identifies an entry on the LDAP server. Common naming attributes are Common Name (cn) and User ID (uid).
To add the new server to the list of configured user authorization servers, click Add. Or to apply your changes to the configured server, click Apply. Both actions include your entries in the active configuration. The Manager returns to the Configuration | System | Servers | Authorization screen. Any new server appears at the bottom of the Authorization Servers list.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
To discard your entries, click Cancel. The Manager returns to the Configuration | System | Servers | Authorization screen, and the Authorization Servers list is unchanged.
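The three LDAP fields above (base DN, scope, naming attribute) together define the search the authorization client issues for a connecting user. The following Python is an added illustration, not Cisco code and not the concentrator's implementation: it composes that search and shows why the username must be escaped per RFC 4515 before it is placed in the filter, with the unescaped form shown beside it only to make the problem visible. The scope names, the example DN and the usernames are constructed for the demo.

```python
"""Composing the LDAP authorization lookup from the base DN, scope and naming attribute.

Added illustration, not Cisco code. Scope codes follow RFC 4511 section 4.5.1;
filter escaping follows RFC 4515 section 3. Example DN and usernames are constructed.
"""

# LDAP SearchRequest scope values (RFC 4511 section 4.5.1)
SCOPES = {"base": 0, "onelevel": 1, "subtree": 2}

# Characters that change the meaning of a filter (RFC 4515 section 3)
_FILTER_SPECIALS = "\\*()\x00"


def escape_filter_value(value):
    """Escape a value for use inside an LDAP filter: each special character becomes \\XX."""
    return "".join("\\%02x" % ord(c) if c in _FILTER_SPECIALS else c for c in value)


def build_search(base_dn, scope, naming_attrs, username):
    """Return (base_dn, scope_code, filter) for the user's entry.
    Several naming attributes (e.g. uid and cn) are ORed, matching the RDN field's
    'attribute or attributes' wording."""
    if scope not in SCOPES:
        raise ValueError("scope must be one of %s" % sorted(SCOPES))
    if not naming_attrs:
        raise ValueError("at least one naming attribute is required")
    safe = escape_filter_value(username)
    terms = "".join("(%s=%s)" % (a, safe) for a in naming_attrs)
    flt = terms if len(naming_attrs) == 1 else "(|%s)" % terms
    return base_dn, SCOPES[scope], flt


def build_search_unsafe(base_dn, scope, naming_attrs, username):
    """The same lookup with no escaping: a username of '*' turns (uid=...) into a
    filter that matches every entry under the base DN. Shown for contrast only."""
    terms = "".join("(%s=%s)" % (a, username) for a in naming_attrs)
    return base_dn, SCOPES[scope], terms if len(naming_attrs) == 1 else "(|%s)" % terms


if __name__ == "__main__":
    base = "OU=people,dc=cisco,dc=com"           # the page's example base DN
    print(build_search(base, "subtree", ("uid",), "jsmith"))
    print(build_search_unsafe(base, "subtree", ("uid",), "*"))   # (uid=*) matches everyone
    print(build_search(base, "subtree", ("uid",), "*"))          # (uid=\2a) matches a literal '*'
```

With escaping in place, a naming-attribute match can only ever return the entry whose uid (or cn) is literally the string the user typed; whether the concentrator's own client escapes is not stated on this page, which is a reason to keep the authorization server's base DN as narrow as the directory allows.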
This screen lets you test a configured user authorization server to determine that:
To test connectivity and valid authorization, enter the username for a valid user who has been configured on the authorization server. The maximum username length is 32 characters. Entries are case-sensitive.
To test connectivity and authorization rejection, enter a username that is invalid on the authorization server.
To send the username and password to the chosen authorization server, click OK. The authorization and response process takes a few seconds. The Manager displays a Success or Error screen.
To cancel the test and discard your entries, click Cancel. The Manager returns to the Configuration | System | Servers | Authorization screen.
If the VPN Concentrator communicates correctly with the authorization server, and the server correctly authorizes a valid user, the Manager displays a Success screen.
To return to the Configuration | System | Servers | Authorization | Test screen, click Continue. You can then test authorization for another username.
To return to the Configuration | System | Servers | Authorization screen, or any other screen, click the desired title in the left frame (Manager table of contents).
If the VPN Concentrator cannot communicate with the authorization server, the Manager displays an Authorization Error screen. Error messages include:
The server might be improperly configured or out of service, or the network might be down or clogged. Check the server configuration parameters, be sure the server is operating, check the network connections, etc.
To return to the Configuration | System | Servers | Authorization | Test screen, click Retry the operation.
To go to the main VPN Concentrator Manager screen, click Go to main menu.
This section lets you configure external RADIUS user accounting servers, which collect data on user connect time, packets transmitted, etc., under the VPN tunneling protocols: PPTP, L2TP, and IPSec.
You can configure and prioritize up to ten accounting servers. The first server is the primary, and the rest are backup servers in case the primary is inoperative.
Before you configure an accounting server here, be sure that the server you reference is itself properly configured and that you know how to access it (IP address or host name, UDP port, server secret, etc.). The VPN Concentrator functions as the client of these servers.
The VPN Concentrator communicates with RADIUS accounting servers per RFC 2139 and currently includes the attributes in Table 5-1 in the accounting start and stop records. These attributes might change.
The Accounting Servers list shows the configured servers, in priority order. Each entry shows the server identifier and type, for example: 192.168.12.34 (Radius). If no servers have been configured, the list shows --Empty--. The first server is the primary, the rest are backup.
To configure a new user accounting server, click Add. The Manager opens the Configuration | System | Servers | Accounting | Add screen.
To modify a configured user accounting server, select the server from the list and click Modify. The Manager opens the Configuration | System | Servers | Accounting | Modify screen.
To remove a configured user accounting server, select the server from the list and click Delete.
Note There is no confirmation or undo.
The Manager refreshes the screen and shows the remaining entries in the Accounting Servers list.
To change the priority order for configured servers, select the entry from the list and click Move [Up Arrow] or Move [Down Arrow]. The Manager refreshes the screen and shows the reordered Accounting Servers list.
The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
Enter the IP address or host name of the RADIUS accounting server, for example: 192.168.12.34. (If you have configured a DNS server, you can enter a host name in this field; otherwise, enter an IP address.)
Enter the UDP port number by which you access the accounting server. The default is 1646.
Note RFC 2866, which supersedes RFC 2139, assigns RADIUS accounting to UDP port 1813; 1646 is the older, pre-RFC port. If your accounting server listens on 1813, change this default value to 1813.
Enter the time, in seconds, to wait after sending a query to the accounting server and receiving no response, before trying again. The minimum time is 1 second. The default time is 1 second. The maximum time is 30 seconds.
Enter the number of times to retry sending a query to the accounting server after the timeout period. If there is still no response after this number of retries, the system declares this server inoperative and uses the next accounting server in the list. The minimum number of retries is 0. The default number of retries is 3. The maximum number of retries is 10.
Enter the server secret (also called the shared secret), for example: C8z077f. The field shows only asterisks.
Re-enter the server secret to verify it. The field shows only asterisks.
To add this server to the list of configured user accounting servers, click Add. Or, to apply your changes to this user accounting server, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Servers | Accounting screen. Any new server appears at the bottom of the Accounting Servers list.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
To discard your entries, click Cancel. The Manager returns to the Configuration | System | Servers | Accounting screen, and the Accounting Servers list is unchanged.
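The two RADIUS exchanges this section describes, the Access-Request carrying the Common User Password (Configuration | System | Servers | Authorization) and the Accounting-Request start/stop record sent "per RFC 2139", share one packet format. The Python below is an added illustration, not Cisco code and not the concentrator's implementation: it builds both packets, shows that a blank Common User Password really does put the username on the wire as the password, and performs the client-side check of the Accounting-Response authenticator that is what "the server secret must match" amounts to in practice. Packet layout follows RFC 2865 and RFC 2139/2866; the secret, username, NAS address and session id are constructed sample values, and only the attributes needed for the demo are included (the page's Table 5-1 lists the real set).

```python
"""RADIUS Access-Request (authorization) and Accounting-Request (RFC 2139) construction.

Added illustration in plain Python (hashlib/struct only), not Cisco code.
Sample secret, username, NAS IP and session id are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 1, 4, 5
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44
ACCT_START, ACCT_STOP = 1, 2


def attr(atype, value):
    """Encode one attribute as Type, Length, Value (integers as 4-byte big-endian)."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def parse_attrs(packet):
    """Decode the attributes after the 20-byte header into [(type, value), ...]."""
    out, i = [], 20
    while i + 2 <= len(packet):
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            raise ValueError("malformed attribute")
        out.append((atype, packet[i + 2:i + alen]))
        i += alen
    return out


def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, ((len(password) + 15) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password (what the server does); strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def authorization_request(ident, username, common_password, secret, authenticator):
    """Access-Request to the authorization server. A blank Common User Password means
    the password sent is the username itself, as the screen's description says."""
    password = common_password or username
    attrs = attr(USER_NAME, username.encode()) + attr(
        USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def accounting_request(ident, status, username, session_id, nas_ip, secret):
    """Accounting-Request (Start or Stop). RFC 2139 s3: Request Authenticator is
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    attrs = (attr(ACCT_STATUS_TYPE, status) + attr(USER_NAME, username.encode())
             + attr(ACCT_SESSION_ID, session_id.encode())
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + auth + attrs


def accounting_response(request, secret, attrs=b""):
    """What a server holding `secret` sends back: MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


def response_is_authentic(request, response, secret):
    """Client-side check: a reply from a server with a different secret, or a spoofed
    reply, fails here and must be treated the same as no reply at all."""
    if len(response) < 20 or response[0] != ACCOUNTING_RESPONSE or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"C8z077f"                        # the page's example server secret
    auth = os.urandom(16)                      # Access-Request Request Authenticator
    req = authorization_request(7, "jsmith", "", secret, auth)
    hidden = dict(parse_attrs(req))[USER_PASSWORD]
    print("password on the wire with a blank Common User Password:",
          unhide_password(hidden, secret, auth))          # b'jsmith'
    start = accounting_request(8, ACCT_START, "jsmith", "0001A2B3", "192.168.12.34", secret)
    print("matching secret:", response_is_authentic(start, accounting_response(start, secret), secret))
    print("wrong secret:   ", response_is_authentic(start, accounting_response(start, b"wrong"), secret))
```

Two things worth noticing. First, the User-Password hiding is a stream of MD5 outputs keyed by the shared secret, so anyone who captures the packet and knows or guesses the secret recovers the password; when the Common User Password is the username, there is nothing to protect, which is why the page tells you not to reuse that server for authentication. Second, the accounting authenticator check is only as strong as the secret and MD5; a per-server, high-entropy secret is the one control you have at this screen.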
This screen lets you configure system-wide Domain Name System (DNS) servers. DNS servers convert domain names to IP addresses. Configuring DNS servers here lets you enter host names (for example, mail01.cisco.com) rather than IP addresses as you configure and manage the VPN Concentrator.
You can configure up to three DNS servers that the system queries in order.
To use DNS functions, check the Enabled check box (the default). To disable DNS, uncheck the box.
Enter the name of the registered domain in which the VPN Concentrator resides, for example: cisco.com. The maximum name length is 48 characters. This entry is sometimes called the domain name suffix or sub-domain. The DNS system within the VPN Concentrator automatically appends this domain name to host names before sending them to a DNS server for resolution.
Enter the IP address of the primary DNS server, using dotted decimal notation, for example: 192.168.12.34. Be sure this entry is correct to avoid DNS resolution delays.
Enter the IP address of the secondary (first backup) DNS server, using dotted decimal notation. If the primary DNS server does not respond to a query within the Timeout Period specified, the system queries this server.
Enter the IP address of the tertiary (second backup) DNS server, using dotted decimal notation. If the secondary DNS server does not respond to a query within the Timeout Period specified, the system queries this server.
Enter the initial time in seconds to wait for a response to a DNS query before sending the query to the next server. The minimum time is 1 second. The default time is 2 seconds. The maximum time is 30 seconds. The time doubles with each retry cycle through the list of servers.
Enter the number of times to retry sending a DNS query to the configured servers, in order. In other words, this is the number of times to cycle through the list of servers before returning an error. The minimum number of retries is 0. The default number of retries is 2. The maximum number of retries is 10.
To apply your settings for DNS servers and include the settings in the active configuration, click Apply. The Manager returns to the Configuration | System | Servers screen.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
To discard your settings, click Cancel. The Manager returns to the Configuration | System | Servers screen.
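The timeout and retry fields on the LDAP authorization, RADIUS accounting and DNS screens determine how long a user can be left waiting before the concentrator declares a server inoperative, and the three screens describe two different policies: LDAP and accounting exhaust one server's retries before moving to the next, while DNS cycles through the whole list and doubles the timeout on each cycle. The Python below is an added illustration, not Cisco code and not the concentrator's implementation: it models both policies against simulated servers so you can compute the worst-case wait for a given configuration. One assumption is labelled in the code: "retries = N" is read as N further attempts after the first, i.e. N+1 attempts per server (or N+1 cycles for DNS); server reply latencies are constructed.

```python
"""Worst-case wait before the concentrator gives up on a server list.

Added illustration, not Cisco code. Models the per-server policy (LDAP and
RADIUS accounting) and the cycling, timeout-doubling policy (DNS) described on
this page. Assumption: retries=N means N+1 attempts (or N+1 cycles for DNS).
Server behaviour is simulated: latencies maps server -> reply delay in seconds,
and a missing server never answers.
"""


def _attempt(reply_latency, timeout, clock):
    """One query: (answered, clock) after waiting at most `timeout` seconds."""
    if reply_latency is not None and reply_latency <= timeout:
        return True, clock + reply_latency
    return False, clock + timeout


def per_server_failover(servers, latencies, timeout, retries):
    """LDAP / RADIUS accounting policy: exhaust one server's retries, then move on.
    Returns (server_that_answered, elapsed_seconds); server is None on failure."""
    clock = 0.0
    for server in servers:
        for _ in range(retries + 1):
            answered, clock = _attempt(latencies.get(server), timeout, clock)
            if answered:
                return server, clock
        # this server is now declared inoperative; fall through to the next one
    return None, clock


def dns_cycle_failover(servers, latencies, timeout, retries):
    """DNS policy: cycle through all servers; the per-query timeout doubles per cycle."""
    clock = 0.0
    for cycle in range(retries + 1):
        per_query = timeout * (2 ** cycle)
        for server in servers:
            answered, clock = _attempt(latencies.get(server), per_query, clock)
            if answered:
                return server, clock
    return None, clock


def worst_case_seconds(policy, n_servers, timeout, retries):
    """Total wait before an error when no configured server answers at all."""
    servers = ["s%d" % i for i in range(n_servers)]
    _, secs = policy(servers, {}, timeout, retries)
    return secs


if __name__ == "__main__":
    # Defaults from this page: LDAP 4 s / 2 retries, accounting 1 s / 3 retries, DNS 2 s / 2 retries
    print("2 LDAP servers, all down:", worst_case_seconds(per_server_failover, 2, 4, 2), "s")
    print("10 accounting servers, all down:", worst_case_seconds(per_server_failover, 10, 1, 3), "s")
    print("3 DNS servers, all down:", worst_case_seconds(dns_cycle_failover, 3, 2, 2), "s")
    # A DNS server that takes 3 s is missed at the 2 s timeout but caught once it doubles
    print(dns_cycle_failover(["a", "b"], {"a": 3.0}, 2, 2))
```

The numbers are the point: with the page's defaults, two dead LDAP servers cost 24 seconds and three dead DNS servers 42 seconds before the concentrator reports an error, while a dead primary accounting server still delays every start record by 4 seconds. Order the lists so the server most likely to answer is first, and keep retries low enough that an unreachable primary does not outlast the remote client's own connection timeout.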
This section of the Manager lets you configure support for Dynamic Host Configuration Protocol (DHCP) servers that assign IP addresses to clients as a VPN tunnel is established.
If you check Use DHCP on the Configuration | System | Address Management | Assignment screen, you must configure at least one DHCP server here. You should also configure global DHCP parameters on the Configuration | System | IP Routing | DHCP screen; click the highlighted link to go there. The DHCP system within the VPN Concentrator is enabled by default on that screen.
If you want to assign users in a group to a particular IP sub-network, configure the DHCP Scope field on the Configuration | User Management | Group (or Base Group) screen, General tab.
You can configure and prioritize up to three DHCP servers. The first server is the primary, and the rest are backup servers in case the primary is inoperative.
The DHCP Servers list shows the configured servers, in priority order. Each entry shows the server identifier, which can be an IP address or a host name, for example: 192.168.12.34. If no servers have been configured, the list shows --Empty--. The first server is the primary, the rest are backup.
To configure a new DHCP server, click Add. The Manager opens the Configuration | System | Servers | DHCP | Add screen.
To modify a configured DHCP server, select the server from the list and click Modify. The Manager opens the Configuration | System | Servers | DHCP | Modify screen.
To remove a configured DHCP server, select the server from the list and click Delete.
Note There is no confirmation or undo.
The Manager refreshes the screen and shows the remaining entries in the DHCP Servers list.
Note If you delete a DHCP server, any IP addresses obtained from that server will eventually time out, and the associated sessions will terminate.
To change the priority order for configured servers, select the entry from the list and click Move [Up Arrow] or Move [Down Arrow]. The Manager refreshes the screen and shows the reordered DHCP Servers list.
The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
Enter the IP address or host name of the DHCP server, for example: 192.168.12.34. (If you have configured a DNS server, you can enter a host name in this field; otherwise, enter an IP address.)
Enter the UDP port number by which you access the DHCP server. The default UDP port number is 67.
To add this server to the list of configured DHCP servers, click Add. Or, to apply your changes to this DHCP server, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Servers | DHCP screen. Any new server appears at the bottom of the DHCP Servers list.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
To discard your entries, click Cancel. The Manager returns to the Configuration | System | Servers | DHCP screen, and the DHCP Servers list is unchanged.
If any remote users in any of the groups configured on the VPN Concentrator are receiving their firewall policy from a Zone Labs Integrity Server, specify the host name or IP address of the server here. (See the "Client FW Parameters Tab" under Configuration | User Management | Base Group or Configuration | User Management | Groups | Add or Modify for more information on configuring groups to use a firewall server.) You can configure only one server.
Enter the host name or the IP address of the Zone Labs Integrity Server from which remote users on this VPN Concentrator derive their firewall policy.
Assign a port for the VPN Concentrator to use to communicate with the firewall server. The default port is 5054.
To include your entry in the active configuration, click Apply. The Manager returns to the Configuration | System | Servers screen.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
To discard your entry, click Cancel. The Manager returns to the Configuration | System | Servers screen, and the server configuration is unchanged.
This section of the Manager lets you configure NTP (Network Time Protocol) servers that the VPN Concentrator queries to synchronize with network time.
Clocks in many computers tend to drift a few seconds per day. Exact time synchronization is important for systems on a network so that protocol timestamps and events are accurate. Digital certificates, for example, carry validity dates that determine the period during which they are accepted; an inaccurate time or date on the VPN Concentrator can cause certificate validation, and therefore the connection, to fail.
To make the NTP function operational, you must configure at least one NTP server (host). You can configure up to 10 NTP servers. The VPN Concentrator queries all of them and synchronizes its system clock with the derived network time.
This Manager screen lets you configure the NTP synchronization frequency parameter. This parameter specifies how often the VPN Concentrator queries NTP servers to synchronize its clock with network time.
Enter the synchronization frequency in minutes. The minimum frequency is 0 minutes, which disables the NTP function. The default frequency is 60 minutes. The maximum frequency is 10080 minutes (1 week).
To apply your NTP parameter setting and include the setting in the active configuration, click Apply. The Manager returns to the Configuration | System | Servers | NTP screen.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
To discard your settings, click Cancel. The Manager returns to the Configuration | System | Servers | NTP screen.
This section of the Manager lets you add, modify, and delete NTP hosts (servers).
To make the NTP function operational, you must configure at least one NTP host. You can configure a maximum of 10 hosts. The VPN Concentrator queries all configured hosts and derives the correct network time from their responses.
The NTP Hosts list shows the configured servers. Each entry shows the server identifier, which can be an IP address or a host name, for example: 192.168.12.34. If no servers have been configured, the list shows --Empty--.
To configure a new NTP host (server), click Add. The Manager opens the Configuration | System | Servers | NTP | Hosts | Add screen.
To modify a configured NTP host, select the host from the list and click Modify. The Manager opens the Configuration | System | Servers | NTP | Hosts | Modify screen.
To remove a configured NTP host, select the host from the list and click Delete.
Note There is no confirmation or undo.
The Manager refreshes the screen and shows the remaining entries in the NTP Hosts list.
The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
Enter the IP address or host name of the NTP host (server), for example: 192.168.12.34. (If you have configured a DNS server, you can enter a host name in this field; otherwise, enter an IP address.)
To add this host to the list of configured NTP hosts, click Add. Or, to apply your changes to a configured NTP host, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Servers | NTP | Hosts screen. Any new host appears at the bottom of the NTP Hosts list.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
To discard your entry, click Cancel. The Manager returns to the Configuration | System | Servers | NTP | Hosts screen, and the NTP Hosts list is unchanged.
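The statement that the VPN Concentrator "queries all configured hosts and derives the correct network time from their responses" is the client half of the NTP exchange. The Python below is an added illustration, not Cisco code and not the concentrator's implementation: it builds the client request, computes clock offset and round-trip delay from the four timestamps (RFC 1305 / RFC 4330), rejects a reply whose Originate Timestamp does not echo the request, since that echo is the only thing tying an unauthenticated UDP reply to our query, and combines several hosts with a median so one wrong or hostile server cannot move the clock on its own. The median is an illustrative choice, not the selection algorithm any particular NTP implementation uses, and the server replies are constructed so the example runs offline.

```python
"""Client-side NTP arithmetic: request, offset/delay, and combining several hosts.

Added illustration, not Cisco code. Packet layout and formulas from RFC 1305 /
RFC 4330; server replies are constructed in-line; the median combination is an
illustrative choice rather than any implementation's real selection algorithm.
"""
import struct
from statistics import median

NTP_UNIX_DELTA = 2208988800     # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)


def to_ntp(unix_seconds):
    """Float Unix seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_UNIX_DELTA) << 32) | frac


def from_ntp(ts):
    """64-bit NTP timestamp -> float Unix seconds."""
    return (ts >> 32) - NTP_UNIX_DELTA + (ts & 0xFFFFFFFF) / (1 << 32)


def client_request(transmit_unix):
    """48-byte NTPv3 client packet: LI=0, VN=3, Mode=3; only Transmit Timestamp is set."""
    return bytes([0x1B]) + b"\x00" * 39 + struct.pack("!Q", to_ntp(transmit_unix))


def constructed_server_reply(request, receive_unix, transmit_unix, stratum=2):
    """Reply a server would send (constructed for the demo): VN=3, Mode=4,
    Originate Timestamp copied from the client's Transmit Timestamp."""
    header = bytes([0x1C, stratum]) + b"\x00" * 22
    return header + request[40:48] + struct.pack("!QQ", to_ntp(receive_unix), to_ntp(transmit_unix))


def sample(request, reply, received_unix):
    """(offset, delay) in seconds, or None if the reply is not a usable answer to this request."""
    if len(reply) < 48 or reply[0] & 0x07 != 4:          # mode must be 4 (server)
        return None
    if reply[1] == 0 or reply[24:32] != request[40:48]:  # stratum 0 (unusable) or not ours
        return None
    t1 = from_ntp(struct.unpack("!Q", request[40:48])[0])   # our transmit time
    t2 = from_ntp(struct.unpack("!Q", reply[32:40])[0])     # server receive time
    t3 = from_ntp(struct.unpack("!Q", reply[40:48])[0])     # server transmit time
    t4 = received_unix                                      # our receive time
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def combined_offset(samples):
    """One correction from several hosts: the median ignores a single wrong or hostile server."""
    offsets = [s[0] for s in samples if s is not None]
    return median(offsets) if offsets else None


if __name__ == "__main__":
    req = client_request(1000.0)
    # Three hosts: two agree that we are 30 s behind, one claims we are 4000 s behind
    replies = [constructed_server_reply(req, 1030.01, 1030.02),
               constructed_server_reply(req, 1030.015, 1030.025),
               constructed_server_reply(req, 5000.0, 5000.0)]
    samples = [sample(req, r, 1000.03) for r in replies]
    print("per-host (offset, delay):", samples)
    print("combined offset:", combined_offset(samples))       # about 30.0
    print("unsolicited reply accepted?", sample(client_request(999.0), replies[0], 1000.03))
```

Plain NTP offers no authentication beyond the originate-timestamp echo, so the real defence the page gives you is redundancy: configure several hosts on the NTP | Hosts screen rather than one, and keep them reachable only through paths you control.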
Posted: Wed Jul 16 12:48:41 PDT 2003
All contents are Copyright © 1992--2003 Cisco Systems, Inc. All rights reserved.