Transcript
Application Note
Configuring a Cisco SA 500 for Active Directory Authentication of SSL VPN Clients This application note document provides information on how to enable the authentication of SSL VPN Clients with Active Directory on a Cisco SA 500 Series security appliance.
Contents Overview 2 Scope and Assumptions 2 Requirements
2
Configuring the SA 500 for Active Directory Authentication of VPN Clients 2 Establishing a SSL VPN Connection By Using a Different Port Number 35 Appendix 40 For More Information 46
© 2010 Cisco Systems, Inc. All rights reserved.
Page 1 of 46
Overview The Cisco SA 500 is a small business security router that provides SSL VPN access to remote users. SSL VPN is a flexible and secure way to extend network resources to virtually any remote user who has access to the Internet and a Web browser. A benefit is that you do not have to install and maintain VPN client software on the remote machines. Users can remotely access the network by using a web browser. When the tunnel is established, each user will have an IP address on the internal network to allow them to use shared resources and applications. Alternatively, you can use SSL VPN Port Forwarding to provide remote access to specific services and applications on your network: Active Directory is a centralized and standardized system that automates network management of user data, security, and distributed resources, and enables interoperation with other directories. Active Directory is designed especially for distributed networking environments. You can use an Active Directory authentication server so that SSL VPN Clients can authenticate to the SA 500 with their current Active Directory account. Before you begin, make sure that your users can successfully authenticate to the Active Directory server. You can then use the Security Appliance Configuration Utility to configure your SA 500.
Scope and Assumptions The procedures and guidelines in this application note assume that your SA 500 is set up for Internet connectivity and has a basic configuration. It only applies to a SA 500 running firmware version 1.1.62 or later. Using different versions might display slightly different screens and configurations that what are described in this document.
Requirements Before you begin the configuration, make sure that you have the following information: •
Windows Active Directory server IP address and FQDN (Fully Qualified Domain Name).
•
IP addresses, port numbers, and account information for application servers and computers.
Configuring the SA 500 for Active Directory Authentication of VPN Clients Follow the steps in these sections to enable Active Directory authentication of VPN Clients: •
Enabling Remote Management (RMON)
•
Customizing a Portal Site
•
Configuring Domains, Groups, and User Lists
•
Configuring SSL VPN Port Forwarding
•
Configuring Resources
•
Configuring SSL VPN Policies
•
SSL VPN Tunnel Client Configuration
•
Connecting to the SSL VPN Site
© 2010 Cisco Systems, Inc. All rights reserved.
Page 2 of 46
Enabling Remote Management (RMON) To access the router securely from a remote wide-area network (WAN) you first need to enable the remote management option. To enable remote management: Step 1.
Login to the SA 500 as administrator by entering this address: 192.168.75.1. –
The default username is cisco.
–
The default password is cisco.
Note: For security purposes, we highly recommend that you change the default passwords before continuing. When remote management is enabled, the router is accessible to anyone who knows its IP address which increases the possibility of a malicious WAN attack. To change the password, click Administration > Users from the Configuration Utility main page. Step 2.
Click Network Management on the menu bar, and then click Remote Management in the navigation tree. The Remote Management (RMON) window appears.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 3 of 46
Step 3.
Enter the following information:
•
Enable Remote Management: Check the box to enable Remote Management and SSL VPN access.
•
Access Type: Choose one of these permission levels for the remote management/SSL VPN user IP addresses: –
All IP Addresses: Users can login from any address. If you select this option, make sure that you change the default address and set strong login/password settings.
–
IP Address Range: Enter the range of allowed IP addresses. If you select this option, enter the From: starting IP address for the allowed range and To: ending IP address for the allowed range.
•
Only this PC: When enabled, only the current computer will be allowed to login remotely. Enter the IP address of the computer that has remote management permissions.
•
Port Number: Set the port number used for remote management. In this example, the port number is set to port 443. Note: Using a port other than 443 or 60443 will disable QuickVPN access.
•
Remote SNMP Enable: Check this box to enable SNMP for the remote connection.
Step 4.
Click Apply to save your settings.
Customizing a Portal Site The router contains a default SSL VPN portal for users, but you can also customize different portal sites for different groups.You can modify the title, banner heading, banner message, security settings, and access type (VPN tunnel, port forwarding, or both). Note: Verify that Remote Management (RMON) is enabled on the router. Otherwise, SSL VPN access will be blocked. The following window shows the default SSL VPN Portal page:
© 2010 Cisco Systems, Inc. All rights reserved.
Page 4 of 46
To customize the Portal page for a group. Step 1.
Click VPN on the menu bar, and then click SSL VPN Server > Portal Layouts in the navigation tree.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 5 of 46
The Portal Layouts window appears.
Step 2.
Click Add.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 6 of 46
The Portal Layout Configuration window appears.
Step 1.
Configure the Layout settings for the portal. In this example, the portal name and title names is Channel.
Portal Layout and Theme Name •
Portal Layout Name: Enter a unique name for your portal.
•
Portal Site Title: Enter the web browser window title for the portal.
•
Banner Title (Optional): Enter the banner title for this group.
•
Banner Message: Enter a message for the group’s SSL VPN users. For example: “Welcome to Channel Sales group SSL VPN Portal Page. Login with your domain account. Please follow company security policies.”
•
Display banner message on login page: Check this box to display both the Banner Title and Banner Message on the portal’s login page.
•
HTTP meta tags for cache control (recommended): Check this box to ensure that client’s browsers do not cache SSL VPN portal pages and other web content. The HTTP meta tags cache control directives prevent out-of-date web pages and data from being stored on the client’s web browser cache.
•
ActiveX web cache cleaner: Check this box to load an ActiveX cache control whenever users login to this SSL VPN portal.
Step 2.
Select the SSL VPN Portal pages that users can access in this portal by enabling the VPN Tunnel or Port Forwarding pages.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 7 of 46
Note. Any page that is not selected will not be visible from the SSL VPN portal navigation menu. However, users can still access the hidden pages unless SSL VPN access policies are created to prevent access to these pages. See Configuring SSL VPN Policies, page 24. Step 3.
Click Apply to save the portal page.
Configuring Domains, Groups, and User Lists You can configure details of User accounts as it pertains to SSL VPN. You can specify the user privileges, control user access to network resources, and streamline the setup process by organizing VPN users into domains and groups that share VPN policies. Configuring Domains Step 1.
Click Administration on the menu bar, and then click User > Domains in the navigation tree. The Domains window appears.
Step 2.
Click Add.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 8 of 46
The Domains Configuration window appears.
Step 3.
In the Domains Configuration area, enter this information: –
Domain Name: Enter a unique name for your domain. For example: sbsbulab.com.
–
Authentication Type: Enter the Authentication type for this Domain. For example: Active Directory.
–
Select Portal: Choose a portal layout from the drop-down list. For example: Sales. Only the users of the associated domain can log in through the chosen portal.
–
Authentication Server: Enter the IP address of the authentication server. For example: 192.168.75.82
–
Active Directory Domain: For Active Directory authentication, enter the Active Directory’s domain. For example: sbsbulab.com. Contact your Active Directory administrator for this domain name. Users that are registered in the Active Directory database can access the SSL VPN portal by using their Active Directory username and password.
Step 4.
Click Apply to save the Domains configuration.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 9 of 46
The new domains are added to the List of Domains.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 10 of 46
Adding Groups If you have a large pool of users, we recommend that you create Groups.Groups are used to separate logical sets of SSL VPN users that share the authentication domain, LAN and services access rules, and idle timeout settings. To add a group: Step 1.
Click Users > Groups in the navigation tree. The Groups window appears.
Step 2.
Click Add.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 11 of 46
The Group Configuration window appears.
Step 3.
Step 4.
Enter this information: –
Group Name: Enter a unique identifier for the group. For example: Sales.
–
Domain: Assign a domain from the drop-down list of authentication domains. In this example, the domain is: sbsbulab.com
–
Idle Timeout: Enter the number of minutes of activity allowed before a user session is ended. The default timeout is 10 minutes. Click Apply to save the group configuration.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 12 of 46
The new group appears in the List of Groups.
Creating Users and Assigning to Groups To create users and assign them to groups: Step 1.
Click Users > Users in the navigation tree.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 13 of 46
The Users window appears.
Step 2.
Click Add.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 14 of 46
The Users Configuration window appears.
Step 3.
Step 4.
Enter the following information for each user in the Active Directory Domains and Groups: –
User Name: Enter a unique name for each user. The value must match the user’s account on the Active Directory server. For example: JoeD.
–
First Name: Enter the user’s first name.
–
Last Name: Enter the user’s last name.
–
User Type: Identify the user’s account type (SSL VPN User, Administrator, Guest). In this example, the user account specified is: SSL VPN User.
–
Select Group: Choose a user’s Group membership from the drop-down list.
–
Password: Not applicable.This field is grayed out for Active Directory Group members.
–
Idle Timeout: Enter the number of minutes of inactivity allowed before a user’s session is ended.The default timeout is 10 minutes. The timeout value for the individual user has precedence over the timeout for the group. Click Apply to save the user configuration.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 15 of 46
The new users are added to the List of Users.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 16 of 46
Configuring SSL VPN Port Forwarding Port forwarding allows you to detect and reroute data sent from remote users to the SSL VPN gateway to predefined applications running on private networks. This section describes how to configure application and hosts for port forwarding. Configuring Applications for Port Forwarding The following table lists the common applications for port forwarding and their corresponding TCP port numbers. TCP Application FTP Data (usually not needed) FTP Control Protocol SSH Telnet SMTP (send mail) HTTP (web) POP3 (receive mail) NTP (network time protocol) Citrix Terminal Services VNC (virtual network computing
Port Numbers 20 21 22 23 25 80 110 123 1494 3389 5900 or 5800
To configure an application for port forwarding: Step 1.
Click VPN on the menu bar, and then click SSL VPN Server > Port Forwarding in the navigation tree.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 17 of 46
The Port Forwarding window appears.
Step 2.
Click Add from the list of Configured Applications for Port Forwarding.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 18 of 46
The Port Forwarding Application Configuration window appears.
Step 3.
Step 4.
Enter the following information: –
Local Server IP Address: Enter the IP address of the server hosting the application. For example: 192.168.75.82
–
TCP Port Number: Enter the TCP port number for the application. In this example, enter enter 443 to specify HTTPS. Click Apply to save your settings.
Configuring Hosts for Port Forwarding To simplify access to the shared hosts on the local network, you can configure hosts for Port Forwarding. With this option, remote users can use the FQDN host names (such as ftp.sbsbulab.com), instead of harder to remember IP addresses. To configure a host for port forwarding: Step 5.
From the Port Forwarding window, click Add from the list of Configured Names for Port Forwarding table.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 19 of 46
The Port Forwarding Host Configuration window appears.
Step 6.
Step 7.
Enter the following information: –
Local Server IP Address: IP address of the server hosting the application. For example: 192.168.75.82.
–
Fully Qualified Domain Name: Name of the host server where the port forwarded application resides. For example: ftp.sbsbulab.com. Click Apply to save your changes.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 20 of 46
Configuring Resources Network resources are a collection of services or host that are used to easily create and configure VPN policies for groups or users. Resources are helpful when there are many resources per host, or if many hosts are providing resources to remote users. To add a resource: Step 1.
Click VPN on the menu bar, and then click SSL VPN Server > Resources in the navigation tree. The Resources window appears.
Step 2.
Click Add Resource.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 21 of 46
The Resource Configuration window appears.
Step 3.
Step 4.
Enter the following information: –
Resource Name: Enter a unique name to identify this resource. For example: Email.
–
Service: Choose one of the supported SSL VPN services to associate with this resource. Select either VPN Tunnel, Port Forwarding, or All (both). Click Apply to save your settings. The new resource appears in the List of Resources on the Resources window.
Step 5.
From the List of Resources, click Add Object to Resource to add all objects that correspond to the resource.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 22 of 46
The Resource Object Configuration window appears.
Step 6.
Step 7.
Specify the resource information: –
Object Type: Select the object type (IP Address or IP Network).
–
Object Address: Enter the object IP address. For example: 192.168.75.82.
–
Mask Length: If you selected IP Network as the object type, enter the mask length.
–
Port Range/Port Number: Enter the object’s port Begin and End numbers. For example: 110 and 110 for POP3. Click Apply to save the object to the Resource you are editing. Note: You can enter as many resources that you need for your defined resource. For example, if you are configuring a resource for email, you can specify the ports and email server hosts that provide email service to remote users.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 23 of 46
Configuring SSL VPN Policies SSL VPN Policies give Administrators control over which resources are accessed by specific SSL VPN Groups and Users. You can create global, group and user policies that apply to a specific network resource, an IP address, an IP address range, or other services. Policies are applied based on precedence. User level policies take highest priority, followed by Group policies, and finally the Global policies. Policies can be offered to the VPN Tunnel, Port Forwarding or both access groups. Note: By default the Security Appliance’s VPN tunnel is configured for Global PERMIT policy over all addresses, services and ports. It is good practice to place restrictive DENY policies on the global groups and proceed to place permit policies on groups and users. Alternatively, start with Global PERMIT policies and then create DENY policies for Groups and Users to block resources that you do not want to be accessed remotely. To configure an SSL VPN Policy: Step 1.
Click VPN on the Menu bar, and then select SSL VPN Server > SSL VPN Policies on the navigation tree. The SSL VPN Policies window appears.
Step 2.
Click Add to create a new VPN policy.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 24 of 46
The SSL VPN Policy Configuration window appears.
Step 3. •
Enter the following information: Policy For: Choose the type of policy: –
Global: All users of the device.
–
Group: Group of users of the device. If you choose this option, also choose the group from the Available Groups list
–
User: A particular user of the device. If you choose this option, also choose the user from the Available Users list
•
Available Groups: Allows you to add a group-level policy for the selected group.
•
Available Users: Allows you to add a user-level policy for a particular user.
Step 4.
In the SSL VPN Policy area, enter the following information: –
Apply Policy to: Choose to apply the policy to a Network Resource, an IP address, an IP network, or All Addresses that are managed by the device.
–
Policy Name: Enter a unique name to identify this policy. If you create a policy with same name as that of any existing policy, the newly policy overwrites the existing one.
–
IP Address: If you chose IP Address or Network Resource in the Apply Policy to field, enter the IP address of the device.
–
Mask Length: If you chose IP Network in the Apply Policy to field, enter the length of the subnet mask.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 25 of 46
Step 5.
–
Port Range / Port Number (Begin & End): Specify a port or a range of ports to apply the policy to all TCP and UDP traffic with those ports. Leave the fields empty to apply the policy to all traffic.
–
Service: Choose VPN Tunnel, Port Forwarding, or All Services Defined.
–
Defined Resources: Choose the services for a particular policy. This option is available only for policies that are applied to a Network Resource.
–
Permission: Choose either Permit or Deny for this policy. Click Apply to save your settings.
SSL VPN Tunnel Client Configuration An SSL VPN tunnel client provides a point-to-point connection between the browser-side machine and the security appliance. When a SSL VPN client is launched from the user portal, a network adapter with an IP address from the corporate subnet, DNS and WINS settings is automatically created. This allows access to services on the private network without any special network configuration on the remote SSL VPN client machine. Make sure that the virtual (PPP) interface address of the VPN tunnel client does not conflict with the address of any physical devices on the LAN. The IP address range for the SSL VPN virtual network adapter should be either in a different subnet or non-overlapping range as the corporate LAN. If the SSL VPN client is assigned an IP address in a different subnet than the corporate network, a client route must be added to allow access to the private LAN through the VPN tunnel. Configuring the SSL VPN Client To configure an SSL VPN tunnel for a client: Step 1.
Click VPN on the menu bar, and then click SSL VPN Client > SSL VPN Client in the navigation tree.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 26 of 46
The SSL VPN Client window appears.
Step 2.
Enter the following information: –
Enable Split Tunnel Support: Check this box to enable Split Tunnel Mode Support, or uncheck this box for Full Tunnel Mode Support. Note. With Full Tunnel Mode, all of the traffic from the host is directed through the tunnel. With Split-Tunnel Mode, the tunnel is used only for the traffic that is specified by the client routes. If you enable Split Tunnel Support, you also need to configure SSL VPN Client Routes.
–
DNS Suffix (Optional): DNS Suffix for this client
–
Primary DNS Server (Optional): IP Address of the Primary DNS Server for this client.
–
Secondary DNS Server (Optional): IP address of the secondary DNS Server for this client.
–
Client Address Range Begin: First IP address that will be assigned to SSL VPN clients.
–
Client Address Range End: Last IP address that will be assigned to SSL VPN clients. Make sure that you configure an IP address range that does not directly overlap with any of addresses on your local network. For example, the default range shown on the window above is 192.168.251.1 to 192.168.251.254.
Step 3.
Click Apply to save your settings.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 27 of 46
Configuring Client Routes for Split Tunnel Mode Step 1.
Click VPN on the menu bar, and then click SSL VPN Client > Configured Client Routes in the navigation tree. The Configured Client Routes window appears.
Step 2.
Click Add.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 28 of 46
The SSL VPN Client Route Configuration window appears.
Step 3.
Step 4.
Enter the following information: –
Destination Network: Enter the destination subnet to which a route is added on the SSL VPN Client.
–
Subnet Mask: Enter the subnet mask for the destination network. Click Apply to save your settings.
Connecting to the SSL VPN Site This section describes how remote users can connect to the SSL VPN site. It consists of the following information: •
Connecting to the Portal
•
Connecting through an SSL VPN Tunnel
•
Connecting through SSL VPN Port Forwarding
Note: When connecting to the SA 500 through a VPN tunnel or through VPN Port Forwarding, do not reload your browser. Otherwise, the SSL VPN Tunnel client will disconnect and then reconnect to the remote network. To prevent this from happening, we strongly recommend that you uninstall any active clients, logout, and then close the browser.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 29 of 46
Connecting to the Portal To connect to the portal: Step 1.
The user starts a web browser and then enters the portal URL. –
The default SSL VPN portal URL is: https://
/portal/ SSLVPN.
–
If the user belongs to a group that is using a customized portal, the URL will be in this format: https:///portal/. For example: https://12.108.13.55/portal/Sales. Note. Java, Java Script, and Active-X controls must also be enabled or allowed in the web browser settings.
Step 2.
The user enters their Active DIrectory username and password to log in to the portal. The Portal Info window appears. Note. The window only shows the configured services for that particular account (VPN Tunnel, Port Forwarding, or Both).
© 2010 Cisco Systems, Inc. All rights reserved.
Page 30 of 46
Connecting through an SSL VPN Tunnel Step 1.
On the Portal Info page, select the VPN Tunnel option on the navigation menu.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 31 of 46
The VPN Tunnel window appears.
Step 2.
Click the icon to connect to the remote network. Keep your browser open to maintain the connection.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 32 of 46
The remote user can now employ those resources to which there is permission.
Note: We Strongly Recommend that you always follow this sequence to make the connection safer, easier to maintain, and avoid possible errors: Disconnect and Uninstall the Cisco-SSLVPN Tunnel, logout, and close the browser window.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 33 of 46
Connecting through SSL VPN Port Forwarding Step 1.
On the Portal Information page, select the Port Forwarding on the navigation menu. The Port Forwarding/Client Installer/Launcher window appears.
Step 2.
Click the icon to connect to the network ports you want to forward. Keep your browser open to maintain the connection. You can now launch the applications that are using Port Forwarding.
Note: We Strongly Recommend that you always follow this sequence to make the connection safer, easier to maintain, and avoid possible errors: Disconnect and Uninstall the Cisco-SSLVPN Tunnel, logout, and close the browser window.
Step 3.
To see the Port Forwarding status double-click the SSL VPN Port Forwarding (airplane) icon on the Taskbar.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 34 of 46
The SSL VPN Port Forwarding status window appears.
Establishing a SSL VPN Connection By Using a Different Port Number If the default WAN Port (443) is being used by another service or application, you can change the default port that SSL VPN clients access. This section describes how to create a new service port and how to forward it to LAN port 443. This means that instead of logging in to the SA 500 through the WAN, you will login through the LAN instead. Creating a New Service Port To create a new service port: Step 1.
Log in to the router by using Administrator account.
Step 2.
Click Firewall on the menu bar, and then click Firewall > Services in the navigation tree.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 35 of 46
The Custom Services window appears.
Step 3.
Click Add.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 36 of 46
The Custom Services Configuration window appears.
Step 4.
Enter the following information:
•
Name: Enter a unique name for your custom service. For example: NEWSSL_PORTAL.
•
Type: Select the protocol that the service uses from the drop-down menu (TCP, UDP, or ICMP). –
If you choose ICMP or ICMPv6, also enter the ICMP Type.
–
If you choose TCP or UDP, specify the port range by entering the Start Port and the Finish Port.
•
Start Port: The first TCP or UDP port of a range that the service uses. If the service uses only one port, the start port will be the same as the end port. In this example the port number is: 60444.
•
End Port: The last TCP or UDP port of a range that the service uses. In this example the end Port is the same as Start Port: 60444. Note. Make sure that the port(s) chosen is/are not in use by any other application or service. Otherwise, that port will conflict with an application resource in use in their environment.
Step 5.
Click Apply to save your settings.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 37 of 46
Creating a Firewall Rule for the Service Port After you create a new service port, you need to create a firewall rule to forward that port to LAN port 443. In this example, the WAN port number used is: 60444. To create a firewall rule for the new service port: Step 1.
Click Firewall on the menu bar, and then click Firewall > IPv4 Rules in the navigation tree. The IPv4 Firewall Rules page appears.
Step 2.
Click Add to create the IPv4 Rule that will forward WAN traffic from port 60444 to LAN port 443. The IPv4 Firewall Select Rules window appears.
Step 3.
Enter the following information: –
From Zone: The source of traffic controlled by this rule. For example: UNSECURE (Dedicated WAN/Optional WAN).
–
To Zone: The destination of traffic controlled by this rule. For example: SECURE (LAN).
–
Action: The action the firewall takes if this rule is met. For example: ALLOW Always.
–
Source Hosts: The hosts that will be using this firewall rule. For example: Never.
–
Log: Specifies whether the packets for this rule should be logged. For example: Any.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 38 of 46
Step 4.
–
Internal IP Address: The host that is the recipient of traffic according to the firewall rule. In this example we use the LAN IP address of the Security Appliance (192.168.75.1).
–
Enable Port Forwarding: Check the box to enable port forwarding to the port specified in the Translate Port Number field.
–
Translate Port Number: The port number to use for port forwarding. For example: 443.
–
External IP Address: The WAN interface where the remote clients will connect through. For example: Dedicated WAN. Click Apply to save your settings. The new firewall rule appears in the IPv4 Firewall Rules window.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 39 of 46
Step 5.
Connect through the new port.
Appendix Modifying End User Polices You can strengthen the router’s security by adding login policies for each user that you define. You can can also edit a policy to deny login rights for user, a policy to deny a user login rights, or edit the user login policy by login, browser or IP address. To add or edit use login policies: Step 1.
Click Users > Users in the navigation tree.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 40 of 46
The Users window appears.
User Login Policy Step 1.
From the Users window, click the Login icon in the Edit User Policies column.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 41 of 46
The Users/User Login Policies window appears,
Step 2.
Step 3.
To deny login for a user, select one of these options: –
Disable Login: Check this box to disable the account, or uncheck this box to enable the account. This setting cannot be changed for the default admin account.
–
Deny Login from WAN Interface: Check this box to prevent the user from logging in from the WAN, or uncheck this box to allow the user to log in from the WAN. This setting cannot be changed for the default admin account. Click Apply to save your settings.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 42 of 46
User Login Policy By Browser Step 1.
From the Users window, click the By Browser icon in the Edit User Policies column. The Users/User Policy By Client Browser window appears.
Step 2.
Step 3.
To add or edit user login browser policies, select one of these options: –
In the User Policy By Client Browser area, select either Deny Login from Defined Browsers or Allow Login only from Defined Browsers.
–
To add a browser, choose a client browser from the Add Defined Browser table and click Add.
–
To delete a browser, check the box next the browser, and click Delete. Click Apply to save your settings.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 43 of 46
User Login Policy By IP Address Step 1.
From the Users window, click the By IP icon in the Edit User Policies column. The Users/User Policy By Source IP Address window appears.
Step 2.
To add defined addresses for the policies, click Add from the Defined Addresses table.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 44 of 46
The Defined Addresses window appears.
Step 3.
Choose a source type from the drop-down list (Individual IP address or IP network).
Step 4.
Enter the IP address or IP network address range. If the IP address is a range, also enter the Mask Length value (0-32)
Step 5.
Click Apply to save your settings.
© 2010 Cisco Systems, Inc. All rights reserved.
Page 45 of 46
For More Information Product and Support Resources
Location
SA 500 Technical Documentation
www.cisco.com/go/sa500resources
Cisco Partner tools
www.cisco.com/go/partners
Cisco Small Business Support Community
www.cisco.com/go/smallbizsupport
Cisco.com Technical Support page
http://www.cisco.com/en/US/support/index.html
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Pulse, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, and Flip Gift Card are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Fast Step, Follow Me Browsing, FormShare, GainMaker, GigaDrive, HomeLink, iLYNX, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0908R) © 2010 Cisco Systems, Inc. All rights reserved. OL-23714-01
© 2010 Cisco Systems, Inc. All rights reserved.
Page 46 of 46