Cisco ASA5510-MEM-512= Datasheet Page 11

Release Notes for the Cisco ASA 5500 Series, Version 8.2(x)
OL-18971-02
New Features
Pre-fill Username from Certificate

The pre-fill username feature enables the use of a username extracted from a certificate for
username/password authentication. With this feature enabled, the username is “pre-filled” on the
login screen, with the user being prompted only for the password. To use this feature, you must
configure both the pre-fill-username and the username-from-certificate commands in
tunnel-group configuration mode.

The double-authentication feature is compatible with the pre-fill username feature, as the pre-fill
username feature can support extracting a primary username and a secondary username from the
certificate to serve as the usernames for double authentication when two usernames are required.
When configuring the pre-fill username feature for double authentication, the administrator uses
the following new tunnel-group general-attributes configuration mode commands:

  • secondary-pre-fill-username—Enables username extraction for Clientless or AnyConnect
    client connection.
  • secondary-username-from-certificate—Allows for extraction of a few standard DN fields
    from a certificate for use as a username.

Double Authentication

The double authentication feature implements two-factor authentication for remote access to the
network, in accordance with the Payment Card Industry Standards Council Data Security Standard.
This feature requires that the user enter two separate sets of login credentials at the login page. For
example, the primary authentication might be a one-time password, and the secondary
authentication might be a domain (Active Directory) credential. If either authentication fails, the
connection is denied.

Both the AnyConnect VPN client and Clientless SSL VPN support double authentication. The
AnyConnect client supports double authentication on Windows computers (including supported
Windows Mobile devices and Start Before Logon), Mac computers, and Linux computers. The
IPsec VPN client, SVC client, cut-through-proxy authentication, hardware client authentication,
and management authentication do not support double authentication.

Double authentication requires the following new tunnel-group general-attributes configuration
mode commands:

  • secondary-authentication-server-group—Specifies the secondary AAA server group, which
    cannot be an SDI server group.
  • secondary-username-from-certificate—Allows for extraction of a few standard DN fields
    from a certificate for use as a username.
  • secondary-pre-fill-username—Enables username extraction for Clientless or AnyConnect
    client connection.
  • authentication-attr-from-server—Specifies which authentication server authorization
    attributes are applied to the connection.
  • authenticated-session-username—Specifies which authentication username is associated
    with the session.

Note: The RSA/SDI authentication server type cannot be used as the secondary
username/password credential. It can only be used for primary authentication.
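
The two constraints stated above (a secondary server group cannot be SDI, and pre-fill needs its matching username-from-certificate command) can be checked offline against a saved configuration. The script below is an added example, not part of the Cisco release notes. Assumptions: the sample configuration, group names and argument values (CN, ssl-client) are constructed, server types are read from `aaa-server <name> protocol <type>` lines, and commands from every `tunnel-group <name> ...-attributes` sub-mode are merged per group.

```python
import re

# Constructed sample configuration (not from the release notes); all names are placeholders.
SAMPLE_CONFIG = """\
aaa-server OTP-SDI protocol sdi
aaa-server AD-LDAP protocol ldap
tunnel-group GOOD type remote-access
tunnel-group GOOD general-attributes
 authentication-server-group OTP-SDI
 secondary-authentication-server-group AD-LDAP
 username-from-certificate CN
tunnel-group GOOD webvpn-attributes
 pre-fill-username ssl-client
tunnel-group BAD general-attributes
 authentication-server-group AD-LDAP
 secondary-authentication-server-group OTP-SDI
 secondary-username-from-certificate CN
tunnel-group BAD webvpn-attributes
 pre-fill-username ssl-client
 secondary-pre-fill-username ssl-client
"""

def audit(config):
    """Return sorted (tunnel_group, finding) pairs for the two constraints above."""
    protocols, groups, current = {}, {}, None
    for line in config.splitlines():
        if m := re.match(r"aaa-server (\S+) protocol (\S+)", line):
            protocols[m.group(1)] = m.group(2).lower()
        if m := re.match(r"tunnel-group (\S+) \S+-attributes", line):
            current = groups.setdefault(m.group(1), {})  # merge sub-modes per group
        elif line.startswith(" ") and current is not None:
            keyword, _, rest = line.strip().partition(" ")
            current[keyword] = rest.split()
        else:
            current = None  # any other top-level line ends the sub-mode
    findings = []
    for name, cmds in groups.items():
        args = cmds.get("secondary-authentication-server-group", [])
        # Skip an optional "(interface)" token before the server group name.
        secondary = next((t for t in args if not t.startswith("(")), None)
        if protocols.get(secondary) == "sdi":
            findings.append((name, f"secondary server group {secondary} is SDI"))
        for p in ("", "secondary-"):
            if p + "pre-fill-username" in cmds and p + "username-from-certificate" not in cmds:
                findings.append((name, f"{p}pre-fill-username without {p}username-from-certificate"))
    return sorted(findings)

if __name__ == "__main__":
    for group, finding in audit(SAMPLE_CONFIG):
        print(f"{group}: {finding}")
```
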
Table 4 New Features for ASA Version 8.2(1) (continued)
Feature Description