Specifications
25-20
Cisco Security Appliance Command Line Configuration Guide
OL-6721-01
Chapter 25 Configuring Tunnel Groups, Group Policies, and Users
 Group Policies
The parameter value domain-name provides a domain name that the security appliance resolves through 
the split tunnel. The none keyword indicates that there is no split DNS list. It also sets a split DNS list 
with a null value, thereby disallowing a split DNS list, and prevents inheriting a split DNS list from a 
default or specified group policy.
hostname(config-group-policy)# split-dns {value domain-name1 [domain-name2... domain-nameN] | none}
hostname(config-group-policy)# no split-dns [domain-name domain-name2 domain-nameN]
Enter a single space to separate each entry in the list of domains. There is no limit on the number of 
entries, but the entire string can be no longer than 255 characters. You can use only alphanumeric 
characters, hyphens (-), and periods (.). 
The following example shows how to configure the domains Domain1, Domain2, Domain3, and 
Domain4 to be resolved through split tunneling for the group policy named “FirstGroup”:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# split-dns value Domain1 Domain2 Domain3 Domain4
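The following helper is an added example, not part of the guide, that builds the split-dns line for a group policy while enforcing the constraints stated above (space-separated entries, only alphanumerics, hyphens and periods, whole string at most 255 characters). An empty list maps to the none keyword; the function and limit names are assumptions of this example.

```python
import re

# Constraints the guide states for the split-dns value list (assumed constant name).
MAX_SPLIT_DNS_LEN = 255
_DOMAIN_RE = re.compile(r"^[A-Za-z0-9.-]+$")


def validate_split_dns(domains):
    """Return a list of problems found; an empty list means the entries are acceptable."""
    problems = []
    for d in domains:
        if not _DOMAIN_RE.match(d):
            problems.append(f"invalid characters in {d!r}")
    joined = " ".join(domains)
    if len(joined) > MAX_SPLIT_DNS_LEN:
        problems.append(f"list is {len(joined)} characters, limit is {MAX_SPLIT_DNS_LEN}")
    return problems


def split_dns_command(domains):
    """Build the split-dns line for group-policy attributes mode.

    An empty list yields 'split-dns none', which the guide describes as setting a
    null list and blocking inheritance from a default or specified group policy.
    Raises ValueError when the list violates the documented constraints.
    """
    if not domains:
        return "split-dns none"
    problems = validate_split_dns(domains)
    if problems:
        raise ValueError("; ".join(problems))
    return "split-dns value " + " ".join(domains)


def group_policy_block(name, domains):
    """Constructed configuration fragment: the group-policy attributes stanza."""
    return [f"group-policy {name} attributes", " " + split_dns_command(domains)]
```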
Step 22 Specify whether to enable secure unit authentication by entering the secure-unit-authentication 
command with the enable keyword in group-policy configuration mode. 
hostname(config-group-policy)# secure-unit-authentication {enable | disable}
hostname(config-group-policy)# no secure-unit-authentication
Secure unit authentication provides additional security by requiring VPN hardware clients to 
authenticate with a username and password each time that the client initiates a tunnel. With this feature 
enabled, the hardware client does not have a saved username and password. Secure unit authentication 
is disabled by default.
To disable secure unit authentication, enter the disable keyword. To remove the secure unit 
authentication attribute from the running configuration, enter the no form of this command. This option 
allows inheritance of a value for secure unit authentication from another group policy.
Note With this feature enabled, to bring up a VPN tunnel, a user must be present to enter the username 
and password.
Secure unit authentication requires that you have an authentication server group configured for the 
tunnel group the hardware client(s) use.
If you require secure unit authentication on the primary security appliance, be sure to configure it on any 
backup servers as well.
The following example shows how to enable secure unit authentication for the group policy named 
“FirstGroup”:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# secure-unit-authentication enable
Step 23 Specify whether to enable user authentication by entering the user-authentication command with the 
enable keyword in group-policy configuration mode. 
hostname(config-group-policy)# user-authentication {enable | disable}
hostname(config-group-policy)# no user-authentication
To disable user authentication, enter the disable keyword. To remove the user authentication attribute 
from the running configuration, enter the no form of this command. This option allows inheritance of a 
value for user authentication from another group policy. 