steps:
Step 1 In the User Authentication (XAuth) window, check the Enable User Authentication check box.
Step 2 Click the Local Only radio button. When the Local Only option is chosen, all user accounts are kept in the router configuration in NVRAM, so the router itself is the credential store: protect access to the configuration (show running-config, backups, TFTP copies) as you would protect a password database.
Step 3 Add users by clicking Add User Credentials. The User Accounts window shown in Figure opens. Follow this procedure to add a new user account:
Step 1 Click Add.
Step 2 An Add an Account window opens. Enter a username in the Username field.
Step 3 Enter and confirm a password in the password fields.
Step 4 Leave the default level 1 in the Privilege Level drop-down menu for VPN users. Remote-access VPN users need no EXEC access to the router, so the lowest privilege level is the correct choice; never give VPN accounts level 15.
Step 5 Click OK.
Step 6 Click OK in the User Accounts window.
When you are back on the User Authentication (XAuth) window, click Next to continue.
Content 3.8
Configuring Easy VPN Server using Cisco SDM 3.8.7
Storing Group Policy Configurations on an External User Database via RADIUS
The second option for group authorization stores the group policies on a RADIUS server and has the router look them up there. Figure shows the screen that is used to add a RADIUS server:
Step 1 In the Group Authorization and Group Policy Lookup window, click the RADIUS radio button in the Method List for Group Policy Lookup section.
Step 2 Click Add to add a RADIUS server. An Add RADIUS Server window opens as shown in Figure :
Step 1 Click Add RADIUS Server to add the RADIUS server parameters.
Step 2 Specify the IP address of the server, the RADIUS authorization (authentication) port, and the RADIUS accounting port. Use ports 1645 and 1646 for Cisco Secure Access Control Server (ACS), which listens on this legacy pair by default, and ports 1812 and 1813 (the IANA-assigned RADIUS ports) for other RADIUS servers. The ports entered here must match what the server actually listens on; otherwise every authentication attempt times out and, with a local fallback configured, quietly falls through to the local database.
Step 3 For security purposes, use a key to authenticate individual RADIUS messages. To configure the key, check the Configure Key check box and enter the key in the New Key and Confirm Key fields. The key is shared with the RADIUS server: it hides the user password in Access-Request packets and lets the router verify the server's replies, so choose a long random value and do not reuse it across devices.
Step 4 Click OK to return to the Group Authorization and Group Policy Lookup window.
When you are back on the Group Authorization and Group Policy Lookup window, click Next to continue. The User Authentication (XAuth) window appears.
Using an Existing RADIUS Server
If RADIUS is already used for user authentication, you can use a previously configured RADIUS server or define a new server. Figure shows the steps you use to authenticate users against a RADIUS server with the local user database as a fallback:
Step 1 In the User Authentication (XAuth) window, select the Enable User Authentication check box.
Step 2 Click the RADIUS and Local Only radio button.
Step 3 Click Next to continue.
Alternatively, you can select a previously configured AAA authentication template by clicking the Select an existing AAA method list radio button and choosing a method list from the drop-down menu.
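The following Cisco IOS configuration is an added example, not SDM output and not part of the original course text. It shows the commands that correspond to the AAA choices made in the User Authentication (XAuth) window (Local Only, and RADIUS and Local Only) and in the Group Authorization and Group Policy Lookup window above. The method-list names VPN_XAUTH and VPN_GROUP, the crypto map name CLIENTMAP, the username, the server address 10.1.1.20 and the key values are placeholders chosen for the illustration.

```cisco
! Added example: IOS CLI equivalent of the wizard's AAA choices.
! All names, addresses and keys below are placeholders.
aaa new-model
!
! Local user store (the "Local Only" choice in the XAuth window).
! "secret" stores a one-way hash; "password" would leave a reversible
! type-7 string in NVRAM. Privilege 1 = no EXEC rights worth having.
username vpnuser1 privilege 1 secret Str0ng-Xauth-Pass!
!
! RADIUS server (the "Add RADIUS Server" dialog).
! 1645/1646 is the legacy pair Cisco Secure ACS listens on by default;
! 1812/1813 is the IANA-assigned pair used by most other servers.
! The key must match the server's shared secret exactly.
radius-server host 10.1.1.20 auth-port 1645 acct-port 1646 key R4dius-Sh4red-S3cret
!
! Group policy lookup ("RADIUS" radio button). For the "Local" choice
! the list would read:  aaa authorization network VPN_GROUP local
aaa authorization network VPN_GROUP group radius
!
! User authentication ("RADIUS and Local Only"): the local database is
! consulted only if no RADIUS server answers, never after a reject.
! For "Local Only" the list would read:  aaa authentication login VPN_XAUTH local
aaa authentication login VPN_XAUTH group radius local
!
! Bind both method lists to the crypto map the wizard generates, and let
! the router hand out addresses when the client asks for them.
crypto map CLIENTMAP client authentication list VPN_XAUTH
crypto map CLIENTMAP isakmp authorization list VPN_GROUP
crypto map CLIENTMAP client configuration address respond
```

The order of methods in the login list matters: IOS falls through to the local database only when the RADIUS servers do not respond, not when a server rejects the user, so the local accounts do not weaken RADIUS policy but remain usable if the server is unreachable. Confirm that the router is actually reaching the server on the configured ports with show aaa servers (and debug radius while testing); a wrong port pair looks exactly like a dead server.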
Content 3.8
Configuring Easy VPN Server using Cisco SDM 3.8.8
Local Group Policies
Now that you have completed the Group Policy Configuration Location option, you can create local group policies. After clicking Next on the User Authentication (XAuth) window, the screen in Figure appears. This is the page where you configure local group policies. Note the tabs providing the following options:
- General parameters
- DNS/WINS
- Split tunneling
- Advanced options
- Xauth Options
In the Group Authorization and User Group Policies window, click Add to add a group policy. The Add Group Policy window appears. You can skip this step if you intend to store group policies on an AAA server (this is useful when you are managing a large number of VPN servers, because each policy is defined once rather than on every router).
General Parameters
Figure shows the Add Group Policy window where you set general parameters. Use the General tab to configure the minimum required parameters for a functional group policy:
Step 1 Define a name for the group. Clients present this name as their IKE identity together with the group key, so it is part of the group credential, not just a label.
Step 2 Enter and re-enter the pre-shared key for the group. This key is shared by every member of the group and protects IKE phase 1, which Easy VPN negotiates in aggressive mode; a short or guessable key can be recovered offline by anyone who captures the exchange, and Xauth adds per-user authentication on top of it without replacing it. Make the key long and random.
Step 3 Specify an IP address pool from which addresses are taken and assigned to clients. You have two choices:
- Create a new pool. This option requires that you enter the starting and ending IP address and an optional subnet mask.
- Select from an existing pool. Choose the existing pool from the drop-down menu. Click the Details button if you want to know more about the available choices.
DNS
The next tab is the DNS/WINS tab, shown in Figure , where you configure DNS. Select the DNS/WINS tab to configure the DNS and WINS servers:
Step 1 If clients need internal DNS servers to resolve hostnames that are only reachable inside the VPN, check the Configure DNS Server check box and enter the required parameters.
Step 2 If clients need a WINS server, check the Configure WINS Server check box and enter the parameters.
Split Tunneling
Split Tunneling is the next tab that you can configure. You should keep split tunneling disabled (the default) so that all client traffic is forced through the tunnel; otherwise a compromised client PC can act as a bridge between the Internet and the protected network, bypassing the perimeter controls that normally sit in front of it. If, however, split tunneling is required, complete one of the following two configuration options on the Split Tunneling tab. Figure 3.8.8.4 shows the screen that you use to configure split tunnels:
Step 1 Check the Enable Split Tunneling check box.
Step 2 Click the Enter the protected subnets radio button.
Step 3 Click Add to add a network.
Step 4 The Add a Network window appears. Use this window to enter the IP address and network mask of the protected networks (all other destinations are reached directly, bypassing the tunnel).
Step 5 Click OK.
Alternatively, in Step 2, click the Select the Split tunneling ACL radio button to use an existing ACL (from the drop-down menu) or create a new ACL to configure split tunneling. Keep the protected list as narrow as possible: every subnet listed here is reachable from a client that is simultaneously exposed to the Internet.
Client Settings
Figure shows the Client Settings tab where you configure advanced options. On the Client Settings tab, you can also define a list of backup servers to push to clients:
Step 1 Click Add.
Step 2 In the Add Easy VPN Server/Concentrator window that appears, enter an IP address or hostname for a backup server and click OK.
Step 3 Check the Firewall Are-U-There check box to require that a supported personal firewall is running on the client; a client that does not answer the Are-U-There check is not allowed to connect.
Step 4 Check the Include Local LAN check box only if clients must reach devices on their own local subnet (a home printer, for example) while the tunnel is up. This is a limited form of split tunneling and reopens part of the exposure that disabling split tunneling was meant to close.
Xauth Options
Figure shows the screen that is used to configure user authentication. Configure user authentication using Xauth with these additional options on the XAuth Options tab:
Step 1 Check the Group Lock check box to statically tie a user to a VPN group. Users then have to include their group name in the Xauth username (in the form username/group-name), and a user whose session was negotiated with a different group's key is rejected. This stops a user who knows one group's pre-shared key from logging in under another group's policy.
Step 2 Check the Save Password check box to allow the user to save the password in the VPN client. Leave it unchecked where the Xauth password is a one-time or otherwise sensitive credential: a saved password sits on the client disk and lets anyone with the device connect without knowing it.
Step 3 In the Maximum Logins Allowed Per User field, enter the maximum number of concurrent logins that are permitted per user. Limiting concurrent logins prevents multiple users from sharing the same account at the same time and makes a stolen credential easier to notice, because the legitimate user is locked out while the attacker is connected.
Step 4 Click OK. The Group Authorization and User Group Policies window appears.
When you are back on the Group Authorization and User Group Policies window, click Next to continue.
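The configuration below is an added example of the IOS commands behind one local group policy, covering the General, DNS/WINS, Split Tunneling, Client Settings and Xauth Options tabs described above; it is not SDM output and not from the original course text. The group name REMOTE_USERS, the pool name, the ACL number, all addresses and the key are placeholders chosen for the illustration.

```cisco
! Added example: IOS CLI equivalent of one Easy VPN group policy.
! Names, addresses, ACL number and key are placeholders.
!
! General tab: the address pool handed to clients.
ip local pool VPN_POOL 10.10.10.1 10.10.10.50
!
! Split Tunneling tab: destinations that go through the tunnel. The
! source is the protected network behind the server. Everything not
! matched leaves the client unprotected, so keep this list narrow, or
! omit the "acl" line from the group (the default) to tunnel all traffic.
access-list 101 permit ip 10.1.0.0 0.0.255.255 any
!
crypto isakmp client configuration group REMOTE_USERS
 ! General tab: group pre-shared key. Long and random; it is the only
 ! secret protecting aggressive-mode phase 1 for the whole group.
 key Gr0up-PreSh4red-K3y-9f2a7c41
 pool VPN_POOL
 ! DNS/WINS tab: internal resolvers pushed to the client.
 dns 10.1.1.10 10.1.1.11
 wins 10.1.1.12
 ! Split Tunneling tab (remove to disable split tunneling).
 acl 101
 ! Client Settings tab: backup server, personal-firewall check,
 ! local LAN access (itself a narrow form of split tunneling).
 backup-gateway 203.0.113.2
 firewall are-u-there
 include-local-lan
 ! Xauth Options tab: tie users to this group (username/group-name),
 ! allow the client to cache the password, one session per user.
 group-lock
 save-password
 max-logins 1
```

Removing the acl line (and include-local-lan) gives the recommended posture from the Split Tunneling section, where every client packet is tunnelled. After a client connects, show crypto session and show crypto isakmp sa list the active sessions, which is the quickest way to confirm that the group, pool and max-logins limit behave as intended.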
Content 3.8
Configuring Easy VPN Server using Cisco SDM 3.8.9
Completing the Configuration
Once you have finished all the steps to configure the Easy VPN Server, the Easy VPN Server wizard presents a summary of the configured parameters. Figures and show the Summary pages. Review the summary carefully, in particular the split-tunnel networks, the authentication method lists and the RADIUS server ports, since these are the settings most often entered wrongly. Click Back to correct any errors in the configuration. Otherwise, click Finish to apply the configuration to the router. SDM delivers the commands to the running configuration; make sure they are also written to the startup configuration, or the VPN server is lost at the next reload.