Setting Group and User Defaults
While modifying the Base Group default settings isn’t
absolutely necessary, Cisco’s default settings might not match the network or
company security policy. The Configuration | User Management | Base Group screen
shows a series of tabs—currently six—that can be used to define default settings
for the various users (clients). Figure 14-21 shows the default settings for the
General tab, which applies to all groups and users.

Most of the options are self-explanatory, and in most cases the Help system
provides enough information, including default values, to make
intelligent choices. Remember, most of these options might be moot because of
specific group and user settings, as well as limitations imposed by the local
client device. The following options are included as examples or to show
interesting features:
- Access Hours—Drop-down menu button to select the hours remote access users
  can access the VPN Concentrator. The default entries are as follows:
  - No Restrictions—No restrictions on access hours.
  - Never—No access at any time.
  - Business Hours—Access 9 A.M. to 5 P.M., Monday through Friday.

  To configure access hours, use the Configuration | Policy Management |
  Access Hours screen. Any additional named access hours you create will
  appear on the list.
- Simultaneous Logins—For a single internal user. Default is 3. Minimum is 0,
  which disables login and prevents user access. No maximum limit.
- Minimum Password Length—Default is 8. Minimum is 1. Maximum is 32.
- Idle Timeout—Default is 30 minutes. Minimum is one minute. Maximum is
  2,147,483,647 minutes (4,000+ years). Use 0 to disable timeout and allow an
  unlimited idle period.
- Maximum Connect Time—Default is 0 minutes, which allows unlimited connection
  time. Minimum is one minute. Maximum is 2,147,483,647 minutes (4,000+ years).
- SEP Card Assignment—The VPN Concentrator models 3015 and above can contain up
  to four SEP modules to handle encryption. This parameter allows configuring
  the load on each SEP module.
- Tunneling Protocols—Protocols to be supported. Clients can use only the
  selected protocols. The choices include the following:
  - PPTP—Point-to-Point Tunneling Protocol. Checked by default. A
    client-server protocol popular with Microsoft clients, especially older
    OS versions.
  - L2TP—Layer 2 Tunneling Protocol. Checked by default. A client-server
    protocol that combines many features from PPTP and L2F (Layer 2
    Forwarding).
  - IPSec—IP Security Protocol. Checked by default. Used by both LAN-to-LAN
    (peer-to-peer) connections and client-to-LAN (remote access) connections.
    Cisco VPN Client is an IPSec client specifically designed to work with
    the VPN Concentrator.
  - L2TP over IPSec—L2TP using IPSec for security. Unchecked by default. A
    client-server protocol providing interoperability with Windows 2000 VPN
    clients. L2TP packets are encapsulated within IPSec, thus providing an
    additional authentication and encryption layer.
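
Because the defaults might not match company policy, the General tab values can be written down and checked against a baseline. The following Python is an added example, not part of the original article or any Cisco tool. The ranges and defaults are the ones listed above; the dictionary key names and the POLICY baseline are assumptions, and the values are assumed to be transcribed by hand from the Base Group screen.

```python
# Added example: audit Base Group General-tab values against a site policy.
INT_MAX = 2_147_483_647

# name: (minimum, maximum or None for no limit), as listed for the General tab
RANGES = {
    "simultaneous_logins": (0, None),      # 0 disables login
    "min_password_length": (1, 32),
    "idle_timeout_min": (0, INT_MAX),      # 0 disables the timeout
    "max_connect_time_min": (0, INT_MAX),  # 0 allows unlimited connection time
}

# Defaults as listed above (key names are assumptions made for this example).
BASE_GROUP_DEFAULTS = {
    "simultaneous_logins": 3,
    "min_password_length": 8,
    "idle_timeout_min": 30,
    "max_connect_time_min": 0,
    "tunneling_protocols": {"PPTP", "L2TP", "IPSec"},
}

# Hypothetical company policy (an assumption, not a Cisco recommendation).
POLICY = {
    "max_simultaneous_logins": 1,
    "min_password_length": 12,
    "max_idle_timeout_min": 15,
    "max_connect_time_min": 600,
    "allowed_protocols": {"IPSec", "L2TP over IPSec"},
}


def audit(settings, policy=POLICY):
    """Return a list of findings; an empty list means the settings comply."""
    findings = []
    for name, (low, high) in RANGES.items():
        value = settings[name]
        if value < low or (high is not None and value > high):
            findings.append(f"{name}: {value} is outside the documented range")
    if settings["simultaneous_logins"] > policy["max_simultaneous_logins"]:
        findings.append("simultaneous_logins: exceeds policy")
    if settings["min_password_length"] < policy["min_password_length"]:
        findings.append("min_password_length: shorter than policy")
    # 0 means "no limit" for both timers, so it never satisfies an upper bound.
    for name, limit in (("idle_timeout_min", policy["max_idle_timeout_min"]),
                        ("max_connect_time_min", policy["max_connect_time_min"])):
        if settings[name] == 0 or settings[name] > limit:
            findings.append(f"{name}: unlimited or above policy limit of {limit}")
    for proto in sorted(settings["tunneling_protocols"] - policy["allowed_protocols"]):
        findings.append(f"tunneling_protocols: {proto} is enabled but not allowed")
    return findings
```

Calling `audit(BASE_GROUP_DEFAULTS)` reports every default that differs from the example baseline, including the unlimited Maximum Connect Time that the value 0 selects.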