252
Limiting user access
Configuring user groups for internal and external authentication
Creating the pkimpuser import file
To import data correctly using the Import Users feature, you must store your user information in a file
called pkimpuser in the following format:

<username> <password type> <password> <group> <enable skey> <skey password> <phase 1 ID> <shared>

Where:

Table 7-1  Pkimpuser fields

Field name        Description

username          The user name that the import process will create or match to a security gateway user.

password type     The password type. This entry indicates how the gateway password is interpreted: as
                  clear text or encrypted. If you type unchange, the user password remains the same and
                  the password field is ignored. You can also type none, which means that the user cannot
                  log in using a gateway password.
                  Valid entries for this field are plaintext, crypt, unchange, or none.

password          The security gateway password.

group             The name of the group with which the user is associated. If there is more than one
                  group, enclose the list in brackets.

enable skey *     Valid entries for this field are as follows:
                  ■ Y enables S/Key for the user.
                  ■ N disables S/Key authentication for the user.
                  ■ U leaves the S/Key setting unmodified for the user.
                  If Y is entered, a password must be entered in the skey password field.

skey password *   Type the S/Key password in plaintext enclosed in braces. It must be at least 10
                  characters. If there is no password, type empty braces here. For example: { }

phase 1 ID        This entry is required for phase 1 IKE tunnel negotiations if this user is acting as a
                  remote endpoint for an IKE secure tunnel. Generally, this value is the same as the
                  username. This field is only used if the VPN Client is IKE-compliant.

shared            When a user is acting as a remote endpoint for a VPN, that user can optionally have a
                  Shared secret value for tunnel negotiations with the local security gateway. When you
                  do not type a shared key, the global IKE policy shared key is used.
                  Although a shared key is optional, this field must contain a value for the shared key.
                  If there is no shared key, type empty braces {} to denote that the shared key is blank.

* Although Bellcore S/Key authentication is no longer used, the enable skey and skey password fields
are still required as part of the pkimpuser file.

A sample pkimpuser file might look like:

jondoe plaintext drawbridge Development Y {haq114021999} jondoe {paqo123uiui9uu9i}
jondoe1 none 0123456789 marketing Y {haq114012345} jondoe1 {paqo123uiui9uu9i}
jondoe2 unchange ABCDabcd12!! QA Y {abcdefgh021999} jondoe2 {paqo123uiui9uu9i}
jondoe3 plaintext .adflJ12asdfkajdflajd engineering Y {djadhlgjadlgah21999} jondoe3 {paqo123uiui9uu9i}
jondoe4 crypt Basdendms!@#234 info-dev Y {dkaglkdj1385713dkhglaj999} jondoe4 {paqo123uiui9uu9i}
jondoe5 crypt oscar!) principal Y {kdjdlajhaelhlagav12} jondoe5 {paqo123uiui9uu9i}
jondoe6 crypt undecdied09dkds QA Y {haq114021999} jondoe6 {paqo123uiui9uu9i}
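Because a pkimpuser file carries gateway passwords and IKE shared secrets in bulk, it is worth checking it against the field rules in Table 7-1 before handing it to Import Users. The following Python script is an added example, not part of this manual or the appliance software. It splits each line into the eight fields (treating a {...} or [...] group as one field), enforces the stated constraints (valid password type, Y/N/U for enable skey, braces around the S/Key password and shared key, a non-empty S/Key password of at least 10 characters when enable skey is Y), and reports advisory findings such as a plaintext gateway password sitting in the import file. The embedded sample is the manual's own example lines plus three constructed lines (jondoe7 to jondoe9) that exercise the error paths; the bracketed group list `[QA marketing]` is an assumption about how a multi-group entry is written, since the page does not show one.

```python
"""Pre-import validator for a pkimpuser file (added example, not vendor code).

Field order, per Table 7-1:
  <username> <password type> <password> <group> <enable skey> <skey password> <phase 1 ID> <shared>
"""
import re
from dataclasses import dataclass, field

PASSWORD_TYPES = {"plaintext", "crypt", "unchange", "none"}
SKEY_FLAGS = {"Y", "N", "U"}
MIN_SKEY_LEN = 10  # stated minimum length of the S/Key password

# One token is a brace group {...}, a bracket group [...], or a run of non-space characters.
_TOKEN = re.compile(r"\{[^}]*\}|\[[^\]]*\]|\S+")


@dataclass
class Record:
    username: str
    password_type: str
    password: str
    groups: list
    enable_skey: str
    skey_password: str   # contents of the braces, whitespace stripped
    phase1_id: str
    shared: str          # contents of the braces, whitespace stripped
    warnings: list = field(default_factory=list)


def _strip_braces(tok):
    """Return the text inside {...}, or None when the token is not brace-delimited."""
    if len(tok) >= 2 and tok[0] == "{" and tok[-1] == "}":
        return tok[1:-1].strip()
    return None


def parse_line(line):
    """Parse one pkimpuser line into a Record; raise ValueError on a format defect."""
    tokens = _TOKEN.findall(line.strip())
    if len(tokens) != 8:
        raise ValueError(f"expected 8 fields, found {len(tokens)}")
    username, ptype, password, group, skey_flag, skey_tok, phase1, shared_tok = tokens
    if ptype not in PASSWORD_TYPES:
        raise ValueError(f"{username}: unknown password type {ptype!r}")
    if skey_flag not in SKEY_FLAGS:
        raise ValueError(f"{username}: enable skey must be Y, N or U, not {skey_flag!r}")
    skey_pw = _strip_braces(skey_tok)
    if skey_pw is None:
        raise ValueError(f"{username}: skey password must be enclosed in braces")
    if skey_flag == "Y":
        if not skey_pw:
            raise ValueError(f"{username}: enable skey is Y but skey password is empty")
        if len(skey_pw) < MIN_SKEY_LEN:
            raise ValueError(f"{username}: skey password shorter than {MIN_SKEY_LEN} characters")
    shared = _strip_braces(shared_tok)
    if shared is None:
        raise ValueError(f"{username}: shared key must be enclosed in braces ({{}} if blank)")
    # Assumption: a bracketed group token holds a space-separated list of group names.
    if group.startswith("[") and group.endswith("]"):
        groups = group[1:-1].split()
    else:
        groups = [group]
    rec = Record(username, ptype, password, groups, skey_flag, skey_pw, phase1, shared)
    # Advisory findings a reviewer wants to see before importing credentials in bulk.
    if ptype == "plaintext":
        rec.warnings.append("gateway password is stored in clear text in the import file")
    if ptype == "unchange":
        rec.warnings.append("password field is ignored for password type unchange")
    if not shared:
        rec.warnings.append("no per-user shared key; the global IKE policy shared key applies")
    if phase1 != username:
        rec.warnings.append("phase 1 ID differs from the username")
    return rec


def parse_file(text):
    """Parse every non-blank line; return (records, errors), errors as (lineno, message)."""
    records, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        try:
            records.append(parse_line(raw))
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return records, errors


# Constructed sample: the manual's seven example lines plus three test lines (jondoe7 to jondoe9).
SAMPLE = """\
jondoe plaintext drawbridge Development Y {haq114021999} jondoe {paqo123uiui9uu9i}
jondoe1 none 0123456789 marketing Y {haq114012345} jondoe1 {paqo123uiui9uu9i}
jondoe2 unchange ABCDabcd12!! QA Y {abcdefgh021999} jondoe2 {paqo123uiui9uu9i}
jondoe3 plaintext .adflJ12asdfkajdflajd engineering Y {djadhlgjadlgah21999} jondoe3 {paqo123uiui9uu9i}
jondoe4 crypt Basdendms!@#234 info-dev Y {dkaglkdj1385713dkhglaj999} jondoe4 {paqo123uiui9uu9i}
jondoe5 crypt oscar!) principal Y {kdjdlajhaelhlagav12} jondoe5 {paqo123uiui9uu9i}
jondoe6 crypt undecdied09dkds QA Y {haq114021999} jondoe6 {paqo123uiui9uu9i}
jondoe7 md5 x QA Y {abcdefghijk} jondoe7 {}
jondoe8 crypt x QA Y {short} jondoe8 {}
jondoe9 none x [QA marketing] N { } jondoe9 {}
"""

if __name__ == "__main__":
    recs, errs = parse_file(SAMPLE)
    for lineno, msg in errs:
        print(f"line {lineno}: ERROR {msg}")
    for r in recs:
        for w in r.warnings:
            print(f"{r.username}: WARNING {w}")
```

Run it on the real file instead of `SAMPLE` by reading the file into `parse_file`; any line listed under ERROR would be rejected or misread by the import, and the WARNING lines are the places where a credential or key choice deserves a second look before the import runs.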