30-42
Cisco Security Appliance Command Line Configuration Guide
OL-12172-03
Chapter 30 Configuring Connection Profiles, Group Policies, and Users
Group Policies
hostname(config-group-policy)# no password-storage
hostname(config-group-policy)#
Specifying the no form enables inheritance of a value for password-storage from another group policy.
This command does not apply to interactive hardware client authentication or individual user
authentication for hardware clients.
The following example shows how to enable password storage for the group policy named
FirstGroup:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# password-storage enable
hostname(config-group-policy)#
Step 2 Specify whether to enable IP compression, which is disabled by default.
hostname(config-group-policy)# ip-comp {enable | disable}
hostname(config-group-policy)#
To enable LZS IP compression, enter the ip-comp command with the enable keyword in group-policy
configuration mode. To disable IP compression, enter the ip-comp command with the disable keyword.
To remove the ip-comp attribute from the running configuration, enter the no form of this command.
This enables inheritance of a value from another group policy.
hostname(config-group-policy)# no ip-comp
hostname(config-group-policy)#
Enabling data compression might speed up data transmission rates for remote dial-in users connecting
with modems.
Caution Data compression increases the memory requirement and CPU usage for each user session and
consequently decreases the overall throughput of the security appliance. For this reason, we recommend
that you enable data compression only for remote users connecting with a modem. Design a group policy
specific to modem users, and enable compression only for them.
Step 3 Specify whether to require that users reauthenticate on IKE rekey by using the re-xauth command with
the enable keyword in group-policy configuration mode. If you enable reauthentication on IKE rekey,
the security appliance prompts the user to enter a username and password during initial Phase 1 IKE
negotiation and also prompts for user authentication whenever an IKE rekey occurs. Reauthentication
provides additional security.
If the configured rekey interval is very short, users might find the repeated authorization requests
inconvenient. To avoid repeated authorization requests, disable reauthentication. To check the
configured rekey interval, in monitoring mode, enter the show crypto ipsec sa command to view the
security association lifetime in seconds and lifetime in kilobytes of data. To disable user reauthentication
on IKE rekey, enter the disable keyword. Reauthentication on IKE rekey is disabled by default.
hostname(config-group-policy)# re-xauth {enable | disable}
hostname(config-group-policy)#
To enable inheritance of a value for reauthentication on IKE rekey from another group policy, remove
the re-xauth attribute from the running configuration by entering the no form of this command.
hostname(config-group-policy)# no re-xauth
hostname(config-group-policy)#
Note Reauthentication fails if there is no user at the other end of the connection.
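The following is an added example, not part of the Cisco guide: a Python check that reads a saved running configuration and reports, for each group policy, how the three attributes in Steps 1 through 3 are set, treating a missing attribute as inherited. The sample configuration, the policy names ModemUsers and Contractors, and the compression_ok parameter are constructed for illustration.

```python
import re

# Attributes from this section; an absent line means the value is inherited.
ATTRS = ("password-storage", "ip-comp", "re-xauth")

# Constructed sample in "show running-config" layout (not from a real device).
SAMPLE_CONFIG = """\
group-policy FirstGroup internal
group-policy FirstGroup attributes
 password-storage enable
 ip-comp disable
 re-xauth enable
group-policy ModemUsers internal
group-policy ModemUsers attributes
 ip-comp enable
group-policy Contractors internal
group-policy Contractors attributes
 vpn-idle-timeout 30
 re-xauth disable
tunnel-group Contractors general-attributes
 default-group-policy Contractors
"""

def parse_group_policies(config):
    """Return {policy: {attr: 'enable' | 'disable' | 'inherit'}}."""
    policies, current = {}, None
    for line in config.splitlines():
        header = re.match(r"group-policy (\S+) attributes\s*$", line)
        if header:
            current = policies.setdefault(header.group(1), dict.fromkeys(ATTRS, "inherit"))
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the attributes block
        elif current is not None:
            m = re.match(r"\s+(password-storage|ip-comp|re-xauth) (enable|disable)\s*$", line)
            if m:
                current[m.group(1)] = m.group(2)
    return policies

def audit(config, compression_ok=()):
    """List (policy, attribute, reason) findings for review."""
    findings = []
    for name, attrs in sorted(parse_group_policies(config).items()):
        if attrs["password-storage"] == "enable":
            findings.append((name, "password-storage", "passwords may be stored on the client"))
        if attrs["ip-comp"] == "enable" and name not in compression_ok:
            findings.append((name, "ip-comp", "compression enabled outside a modem-only policy"))
        if attrs["re-xauth"] != "enable":
            findings.append((name, "re-xauth", "reauthentication on IKE rekey not enabled here (%s)" % attrs["re-xauth"]))
    return findings
```

Call audit(SAMPLE_CONFIG, compression_ok=("ModemUsers",)) to list the findings; an "inherit" result means the effective value comes from another group policy and has to be checked there.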