Individual User Authentication
IUA causes the hosts on the remote protected network (behind the Easy VPN Remote device)
to be authenticated individually based on the IP address of the inside host. IUA supports
authentication based on both static and dynamic password mechanisms.
Similar to SUA, IUA is enabled by the VPN policy downloaded from the Easy VPN Server
and cannot be configured locally. When IUA is enabled, each user on the remote protected
network is prompted for a username and password when trying to initiate a connection to
the network protected by the Easy VPN Server. Unlike SUA, which requires an HTTP
connection to initiate the authentication request, IUA automatically prompts the user for
authentication (to establish the tunnel) whenever any traffic is sent across the tunnel.
A Security Appliance (serving as an Easy VPN Server) downloads the contact information
for the AAA server to the Easy VPN Remote device. The Easy VPN Remote device then sends
authentication requests directly to the AAA server.
NOTE You can also activate the connection by manually entering this URL into your
browser (on a remote protected host).
To enable IUA, you use the following command on the Easy VPN Server:
vpngroup groupname user-authentication
groupname is the alphanumeric identifier for the VPN group for which you want to
enable IUA.
You also must use the following command on the Easy VPN Server to specify the AAA server
to use for authentication:
vpngroup groupname authentication-server server-tag
The server-tag identifies the AAA server to use for the specified VPN group.
To specify the length of time that the VPN tunnel will remain open without any user activity,
you use the following command on the Easy VPN Server:
vpngroup groupname user-idle-timeout seconds
You specify the idle time for the specified VPN group in seconds.
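The three commands above only take effect together, and the server-tag must match an AAA server that is already defined on the Security Appliance. The following Easy VPN Server configuration is an added example, not taken from the book; the group name (remoteusers), server tag (RADIUS-IUA), server address (10.1.1.5), shared key, and 600-second idle timeout are constructed values, and the aaa-server syntax is the PIX 6.3 form, assumed here rather than shown on this page:

```cisco
! Define the AAA server group that IUA requests will be sent to.
! The tag RADIUS-IUA is what the vpngroup authentication-server command references.
aaa-server RADIUS-IUA protocol radius
aaa-server RADIUS-IUA (inside) host 10.1.1.5 SharedSecretKey timeout 5

! Push IUA to every Easy VPN Remote device in the group remoteusers.
! Hosts behind the remote device are then challenged individually, by IP address,
! whenever they first send traffic into the tunnel.
vpngroup remoteusers user-authentication

! Tell the remote device which AAA server to send those requests to.
vpngroup remoteusers authentication-server RADIUS-IUA

! Tear down an authenticated user's tunnel after 10 minutes without traffic,
! so an idle workstation does not keep an authenticated path open indefinitely.
vpngroup remoteusers user-idle-timeout 600
```

A remote device that receives this policy prompts each inside host separately; an idle timeout that is too long lets an unattended host keep its authenticated session, so size it to the environment rather than leaving it open-ended.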
Point-to-Point Protocol over Ethernet and the Security Appliance
Many Internet service providers (ISPs) deploy PPPoE because it provides high-speed
broadband access using their existing remote access infrastructure. PPPoE is also easy for
customers to use.
Figure 14-13 depicts a typical PPPoE network configuration that uses a Security Appliance
to secure a low-cost always-on Internet connection. The Security Appliance can secure
various broadband connections including the following:
■ Digital Subscriber Line (DSL)
■ Cable modem
■ Fixed wireless
NOTE A Cisco 3000 Series VPN Concentrator used as an Easy VPN Server performs
proxy authentication to the AAA server. The Easy VPN Remote device sends each
authentication request to the Cisco 3000 Series VPN Concentrator instead of directly to
the AAA server.