Individual Group Configuration Parameters

Recall that the second step after defining the base group's parameters is to create individual groups whose attributes vary from the base group. The majority of the options are identical to those of the base group, so for brevity this section demonstrates only the specific differences between the two.

The first noticeable difference between the two kinds of group is that you must create the individual groups on the internal server, whereas the base group exists by default. In addition, creating these groups enables you to customize properties such as authentication and authorization methods, IP addressing, and bandwidth allotment for each group. The configuration of the individual groups, as well as their distinct attributes, begins at the Configuration | User Management | Groups screen (Figure 4.12).

Figure 4.12. Group Definition screen.

At the Groups screen, you are given the options to add a new group or modify or delete an existing group. In addition, the Cisco VPN 3000 Concentrator enables you to define external AAA servers, assignable IP address pools, client update notifications, and bandwidth policies on a group-by-group basis. This gives you more freedom to define group-specific parameters, as opposed to defining them on a system-wide basis in the Configuration | System sub-menus.

AAA Server Definition and Prioritization

When you define Authentication, Authorization, and Accounting servers for individual groups, the order in which you create the servers is important. The concentrator attempts the first server in the list; if it cannot be reached, the concentrator cycles through the remaining servers in order. If none of the group's backup AAA servers can be reached, the concentrator does not fall back to the globally configured servers located in the Configuration | System | Servers menus, so the group's users cannot authenticate. If you want the group to use the globally configured servers, do not add any servers in these screens. To change a server's priority, highlight that server and use the Move Up and Move Down buttons. You can also test authentication or authorization server connectivity by using the Test button on the respective screens.


Group Identity Tab

As soon as you choose to add or modify a group, the concentrator displays the Identity tab (Figure 4.13). The purpose of this screen is to add or modify the group name and to create a preshared key in the password fields. At the bottom of this tab, you select whether this is an internally defined group or a group that will be handled by an external server. If Internal is selected, the Internal server option is automatically added to the global authentication server list, if it is not already present.

Figure 4.13. Group Identity screen.

In the example, the remote user, Mr. Ed, is going to belong to an individual group called Not-So-Human Resources. On this Identity tab, the group name is defined and the password that serves as the preshared key is configured. This preshared key must be configured on Mr. Ed's client if he is to connect to the VPN 3000 Concentrator. When Mr. Ed attempts to connect to the headquarters, the concentrator and the client authenticate each other during IKE negotiations by using the preshared keys. If they match, then both sides continue tunnel negotiations.

Inherit Column

The remaining tabs are practically identical to those of the base group. One key difference is the additional column of check boxes beside every field. The Inherit check boxes, which are enabled by default, specify whether the value for that field is taken from the base group. If you want to change certain parameters (which is the point of the individual groups in the first place), be sure to uncheck the box, because a checked Inherit box overrides any value typed into the field.
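To make the two rules in this section concrete (a group's own AAA list never falls back to the global servers, and a checked Inherit box silently discards a typed value), here is an added model of that resolution logic with a small audit helper. It is illustrative code written for this page, not Cisco software; the group names, attribute names and server hostnames are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Group:
    """One concentrator group. fields maps an attribute name to
    (inherit_checked, typed_value); auth_servers is the group's own
    AAA list in priority order (empty = use the global servers)."""
    name: str
    fields: dict = field(default_factory=dict)
    auth_servers: list = field(default_factory=list)


def effective_value(group, base, attr):
    """Resolve one attribute. A checked Inherit box wins over any value
    typed into the field, which is the pitfall the text warns about."""
    inherit, typed = group.fields.get(attr, (True, None))
    return base.fields[attr][1] if inherit else typed


def select_auth_server(group, global_servers, reachable):
    """Walk the AAA list in priority order and return the first reachable
    server, or None. A non-empty group list is never supplemented by the
    global list, so None here means the group cannot authenticate."""
    candidates = group.auth_servers or global_servers
    for server in candidates:
        if reachable(server):
            return server
    return None


def audit_groups(groups, min_servers=2):
    """Names of groups whose own AAA list has fewer than min_servers
    entries: a single outage leaves them with no fallback at all."""
    return [g.name for g in groups if 0 < len(g.auth_servers) < min_servers]


# Constructed sample configuration (hostnames and values are made up).
BASE = Group("Base Group", {"idle_timeout": (False, 30), "ip_pool": (False, "10.1.1.0/24")})
HR = Group("Not-So-Human Resources",
           {"idle_timeout": (True, 10),      # 10 typed in, but Inherit left checked
            "ip_pool": (False, "10.1.2.0/24")},
           auth_servers=["radius-hr.example.test"])
SALES = Group("Sales", auth_servers=[])      # empty list: global servers apply
GLOBAL_AAA = ["radius1.example.test", "radius2.example.test"]

if __name__ == "__main__":
    down = {"radius-hr.example.test"}
    up = lambda s: s not in down
    print(effective_value(HR, BASE, "idle_timeout"))   # 30, not 10
    print(select_auth_server(HR, GLOBAL_AAA, up))       # None: no global fallback
    print(select_auth_server(SALES, GLOBAL_AAA, up))    # radius1.example.test
    print(audit_groups([HR, SALES]))                    # ['Not-So-Human Resources']
```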



CCSP CSVPN Exam Cram 2 (Exam Cram 642-511)
ISBN: 078973026X
Year: 2002
Pages: 185