Concept Guide

71| aaa authentication vpn Dell Networking W-Series ArubaOS 6.5.x| Reference Guide
Parameter: max-authentication-failures <number>
Description: Maximum number of authentication failures before the user is blacklisted. The supported range is 1-10 failures. A value of 0 disables blacklisting.
NOTE: This parameter requires the RFProtect license.
Default: 0 (disabled)

Parameter: no
Description: Negates any configured parameter.

Parameter: pan-integration
Description: Require IP mapping at Palo Alto Networks firewalls.
Default: disabled

Parameter: radius-accounting <
Description: Configure server group for RADIUS accounting.

Parameter: server-group <group>
Description: Name of the group of servers used to authenticate VPN users. See aaa server-group on page 107.
Default: internal

Parameter: user-idle-timeout
Description: The user idle timeout for this profile. Specify the idle timeout value for the client in seconds. Valid range is 30-15300 in multiples of 30 seconds. Enabling this option overrides the global settings configured in the AAA timers. If this is disabled, the global settings are used.

Usage Guidelines
This command configures VPN authentication settings for VPN, RAP and CAP clients. Use the vpdn group command to configure a Layer-2 Tunneling Protocol and Internet Protocol Security (L2TP/IPsec) or a Point-to-Point Tunneling Protocol (PPTP) VPN connection. (See vpdn group l2tp on page 2227.)
Example
The following command configures VPN authentication settings for the default-rap profile:
aaa authentication vpn default-rap
default-role guest
clone default
max-authentication-failures 0
server-group vpn-server-group
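
The following Python script is an added example, not part of the original guide or of ArubaOS. It audits a saved configuration for VPN authentication profiles that leave blacklisting disabled or use values outside the documented ranges. Assumptions: the function names and the lab-vpn and kiosk-vpn profiles are hypothetical, a "!" or blank line ends a profile block, and values inherited through clone are not resolved.

```python
import re

# Limits from the parameter table on this page.
MAX_FAILURES = 10                        # valid 1-10; 0 disables blacklisting
IDLE_VALUES = range(30, 15301, 30)       # 30-15300 seconds, multiples of 30
HEADER = re.compile(r"^aaa authentication vpn\s+(\S+)$")
# Constructed sample; default-rap follows the page's example, other names are hypothetical.
SAMPLE_CONFIG = """\
aaa authentication vpn default-rap
max-authentication-failures 0
server-group vpn-server-group
!
aaa authentication vpn lab-vpn
max-authentication-failures 12
user-idle-timeout 45
!
aaa authentication vpn kiosk-vpn
server-group internal
user-idle-timeout 300
"""

def parse_profiles(text):
    """Map profile name -> {parameter: value}. Assumes '!' or a blank line ends a block."""
    profiles, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = HEADER.match(line)
        if header:
            current = profiles.setdefault(header.group(1), {})
        elif line in ("", "!"):
            current = None
        elif current is not None:
            key, _, value = line.partition(" ")
            if key == "no":              # 'no' negates a configured parameter
                current.pop(value.strip(), None)
            else:
                current[key] = value.strip()
    return profiles

def audit(text):
    """Return one finding per weak or out-of-range setting in each VPN profile."""
    findings = []
    for name, p in parse_profiles(text).items():
        fails = p.get("max-authentication-failures", "0")  # documented default is 0
        if not fails.isdigit() or int(fails) > MAX_FAILURES:
            findings.append(f"{name}: max-authentication-failures {fails} outside 0-10")
        elif int(fails) == 0:
            findings.append(f"{name}: blacklisting disabled")
        idle = p.get("user-idle-timeout")
        if idle is not None and not (idle.isdigit() and int(idle) in IDLE_VALUES):
            findings.append(f"{name}: user-idle-timeout {idle} not valid (30-15300, step 30)")
    return findings
```

Calling audit(SAMPLE_CONFIG) reports default-rap and kiosk-vpn as having blacklisting disabled (the second through the documented default) and flags both lab-vpn values as out of range.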
The following message appears when a user tries to configure the non-configurable default-cap profile:
(host) (config) #aaa authentication vpn default-cap
Predefined VPN Authentication Profile "default-cap" is not editable
The following example describes the steps to use the CLI to configure a VPN for Cisco Smart Card Clients using
certificate authentication and IKEv1, where the client is authenticated against user entries added to the internal
database:
(host)(config) #aaa authentication vpn default
server-group internal
(host)(config) #no crypto-local isakmp xauth