CCNP Security VPN: Advanced Easy VPN Authorization

Date: Nov 12, 2012

This chapter enables you to prepare for the deployment of an advanced authorization scheme for your remote users, allowing you to control the level of access granted to them based on such information as their internal department, username, IP address, and so on, using the familiar local group policies that are configured on the ASA device.

This chapter covers the following subjects

Configuration Procedures, Deployment Strategies, and Information Gathering: This section covers what to consider when deciding whether to deploy an internal AAA server for authorization.
Configuring Local and Remote Group Policies: This section discusses the differences between ASA local and remote group policies and the configuration required on the ASA for the deployment of each.
Accounting Methods for Operational Information: This section reviews the accounting methods available on the ASA for connection and user information gathering.

In earlier chapters, you learned how to plan for and configure the various authentication mechanisms available on the Adaptive Security Appliance (ASA) to allow remote users access into your environment. Now that you have given them access, you need to control and account for it.

The information in this chapter will enable you to prepare for the deployment of an advanced authorization scheme for your remote users, allowing you to control the level of access granted to them based on such information as their internal department, username, IP address, and so on, using the familiar local group policies that are configured on the ASA device. This chapter also introduces you to remote group policies, their configuration on the ASA, and their remote server requirements.

After the various ways to authorize remote users into your environment has been explored, the discussion moves on to review the accounting methods available on the ASA device that enable you to track the success or failure of specific authorization settings and connections.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz helps you determine your level of knowledge on this chapter’s topics before you begin. Table 17-1 details the major topics discussed in this chapter and their corresponding quiz sections.

Table 17-1 “Do I Know This Already?” Section-to-Question Mapping

Foundation Topics Section	Questions
Configuring Local and Remote Group Policies	1,2,3,4
Accounting methods for Operational Information	5,6,7

Which of the following are available group policy types on the ASA? (Choose all that apply.)
1. Internal
2. External
3. Active
4. Standby
Which of the following are legitimate ways to assign a group policy? (Choose all that apply.)
1. DAP
2. Direct user assignment
3. Connection profile
4. AAA
In what format are the attributes stored in an external group policy?
1. Text files
2. A/V pairs
3. CSV files
4. XML files
Which of the following remote user types are external group policy objects available on? (Choose all that apply.)
1. LDAP
2. TACACS+
3. SDI
4. RADIUS
By default, where is ASA syslog information stored?
1. External syslog server
2. Internal syslog server
3. NetFlow collection service
4. ASA internal buffer
When configuring an AAA server on the ASA, which communication protocol when configured allows for secure (SSL/TLS) communication between the AAA server and the ASA?
1. UDP
2. SCEP
3. SMTP
4. TCP
Which of the following are available actions used for NetFlow flow information creation? (Choose all that apply.)
1. Created
2. Denied
3. Torn down
4. Dropped

Foundation Topics

Configuration Procedures, Deployment Strategies, and Information Gathering

The role of authorization in any virtual private network (VPN) deployment is an important one. With it, you can control which of your remote users can or cannot access corporate servers, email, financial and personnel records, and even the Internet. However, not only can you control the level of access each remote user has in your corporate environment, you can also control the user’s connection experience through maximum connection times, timeout settings, simultaneous logins, portal customization, and so on.

You can restrict or allow access to specific internal resources from remote users using the available policy options on the ASA device, whether you allow full access from all remote users to all of your internal resources (really not recommended) or, as shown in Figure 17-1, you provide remote users access to only the internal resources they require. (For example, Client A can access the corporate finance server and file server but not the corporate email server, but Client B can access the corporate email server and file server but not the corporate finance server.) Specifically, this chapter focuses on the role of group policies for user authorization purposes, and as you will see in the next section, you can assign IPv4 and IPv6 access lists in group policy objects that allow or deny access to internal servers for a particular group, access hours, maximum connection time, and so on.

Figure 17-1 ASA Authorizing (or Not) Remote Users

In addition to the available authorization attributes that can be applied by local group policies to remote users, you can extend the role of authorization to a remote (internal) authentication, authorization, and accounting (AAA) server. After the remote user has been authenticated, the remote AAA server is queried for the authorization attributes that should be applied to their session.

Configuring Local and Remote Group Policies

Via group policies, you can assign attributes to users and groups based on their individual user account, group membership, or the connection profile used to connect to the ASA device.

Using group policy objects, you can define the following user authorization settings (and many more, as discussed momentarily):

Set the maximum connection time applied to remote users before they are required to carry out the connection process and reauthenticate.
Control the number of simultaneous logins that can be made using the particular user account.
Restrict access only to the internal resources and subnets using IPv4 filters (access control lists [ACL]).
Define the networks used for split tunneling.
Control remote user access hours (the time they can and cannot log in).

Recall from the information shown in Chapter 2, “Configuring Policies, Inheritance, and Attributes,” covering group policies, you can configure two types of group policy objects. The location of the policy attributes contained in them dictates the type of policy it is:

Local group policies (also known as internal group policies) are policy objects that have been configured locally on the ASA along with the attributes they contain. They are assigned either to local users directly (local user accounts configured on the ASA) or in connection profiles.
Remote group policies (also known as external group policies) are applied either to remote users or groups. The attributes contained in a remote group policy are configured on a remote (typically internal) AAA server (for example, RADIUS or Lightweight Directory Access Protocol [LDAP]) in the form of attribute/value (A/V) pairs. However, the remote group policy container (name) must also be configured on the ASA device, even though authorization attributes are imported from the AAA server.

Local group policy and the remote group policy containers are both configured on the ASA using the group-policy name [internal | external] global configuration command via the command-line interface (CLI) or within Configuration > Remote Access VPN > Network (Client) Access > Group Policies if you have chosen to use the Adaptive Security Device Manager (ASDM) for configuration purposes. Within the ASDM, begin by clicking Add. Then, from the Add menu, choose either Internal Group Policy or External Group Policy. For this example, as shown in Figure 17-2, the Add External Group Policy option was selected.

Figure 17-2 External Group Policy Configuration

In the Add External Group Policy window, enter the following details:

Name: Enter a name for the group policy object. This is the actual username used by the ASA and configured within the RADIUS server’s database for authentication purposes between the ASA and the RADIUS server.
Server Group: Choose an existing AAA server group or create a new one.
Password: Enter a password to be used for authentication with the AAA servers. This is the password configured for the previously defined username also used for the group policy name.

The group policy object is then used as a container for the A/V attributes received from the internal AAA server. Example 17-1 displays the configuration of an external group policy object when working from the CLI.

Example 17-1 External Group Policy Object Configuration

CCNPSec# conf t
CCNPSec(config)# group-policy Remote_EzVPN_Policy external server-group
 RADIUS password security

If you want to create a new AAA server group instead of selecting an existing one, you can choose New > New RADIUS Server Group or New > New LDAP Server Group in the ASDM’s Add External Group Policy window. After choosing the appropriate server group type to create, enter the following information into the Add AAA Server Group window:

Server Group: Enter a name for the server group.
Protocol: Uneditable. This displays either RADIUS or LDAP depending on your chosen group.
Accounting Mode: Choose either Simultaneous (the ASA sends accounting data to all servers in the group) or Single (the ASA sends accounting data to only one server); this option is not available for LDAP server groups.
Reactivation Mode: Choose either Depletion (servers that have failed in the group are only reactivated when all other servers in the group are inactive) or Timed (failed servers are reactivated after 30 seconds). If you choose Depletion, you can also modify the dead timer (default 10 minutes), which is time that elapses between disabling the last server in the group and the reenabling of all servers.
Max Failed Attempts: Enter the maximum number of attempts that will be used to connect to a server configured in the server group until declaring it dead; the default is 3.
Enable Interim Accounting Update: Choose this option to enable multisession accounting for both AnyConnect and clientless Secure Sockets Layer (SSL) VPNs.
Enable Active Directory Agent mode: Not relevant for VPN configuration, but it is related to the identify firewall feature.
VPN3K Compatibility: Choose Do Not Merge (to disable merging of RADIUS downloadable ACLs with received A/V pair ACLs), Place the Downloadable ACL After the Cisco AV Pair ACL, or Place the Downloadable ACL Before the Cisco AV Pair ACL.

After creating your new AAA server group, you then need to add AAA servers to it in the AAA Server Groups window (Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups), as shown in Figure 17-3. Note that for this configuration to be fully usable and valid, configurations on the remote LDAP or RADIUS servers need to be performed. (LDAP and RADIUS configuration is beyond the scope of this book.)

Figure 17-3 AAA Server Configuration

Example 17-2 displays the commands required to create a new AAA server group and add a new external server to the group.

Example 17-2 Creating a New AAA Server Group and Adding an External Radius Server

CCNPSec# !!First create your new AAA server group ready to add your exter
 nal AAA server!!
CCNPSec# conf t
CCNPSec(config)# aaa-server RADIUS protocol radius
CCNPSec(config-aaa-server-group)# !!Now enter the details of your AAA
 server and add it to the new group!!
CCNPSec(config-aaa-server-group)# exit
CCNPSec(config)# aaa-server RADIUS (outside) host 172.30.255.5
CCNPSec(config-aaa-server-host)# key security
CCNPSec(config-aaa-server-host)# radius-common-pw security

When creating a new internal group policy object using the CLI, use the global configuration command group-policy name internal from name. The from name options available with the command are optional enable you to specify an existing group policy object that can be used as a template and its settings copied from. After you create the group policy object, you can enter the group-policy name attributes to set any specific attributes required using the commands shown in Table 17-2 in group policy attributes configuration mode.

When using the ASDM, click Add > Add Internal Group Policy to open the Add Internal Group Policy window, shown in Figure 17-4. As you can see, many more options are available for this configuration, because all attributes of the group policy are configured and stored on the ASA. Begin by giving the policy a name, which is the only mandatory attribute required when configuring a new policy. All other attributes are by default inherited from the default group policy object (DfltGrpPolicy).

Table 17-2 lists the General window fields and values that you can use to configure the remaining general attributes you want to set explicitly. In addition, the table includes the corresponding CLI commands in case you have chosen to configure your ASA using the CLI. Note that before configuration is possible, you must uncheck the respective field’s Inherit option. However, you do not have to do so when you are using the CLI to configure the attributes; as soon as you configure a setting, the default inheritance is overridden.

Figure 17-4 Internal Group Policy Configuration

Table 17-2 Internal Group Policy Attributes

Field	CLI Commands	Value
Banner	banner value enter up to 500 characters	Enter a banner that will be displayed to users as they attempt to connect to the VPN.
SCEP Forwarding URL	scep-forwarding-url value url	Enter the URL that users of this group policy will use to automatically request digital certificates (if using certificate-based authentication).
Address Pools	address-pools value enter up to 6 address pools separated by a space	Choose an IP address pool from the list. An IP address will be assigned to users for use during their connection.
IPv6 Address Pools	ipv6-address-pools value enter up to 6 address pools separated by a space	Select an IPv6 address pool from the list. An IP address will be assigned to users for use during their connection.
Tunneling Protocols	vpn-tunnel-protocol [ikevl \| ikev2 \| l2tpipsec \| ssl-client \| sslclientless]	Choose from the available tunneling protocols that this group policy object will apply to.
IPv4 Filter	vpn-filter value aclname	Select an IPv4 ACL from the list to restrict network access during the user’s connection to only the networks/hosts the user requires.
IPv6 Filter	ipv6-vpn-filter value ipv6 acl name	Choose an IPv6 ACL from the list to restrict network access during the user’s connection to only the networks/hosts the user requires.
NAC Policy	nac-policy policy name	Select a Network Access Control (NAC) policy from the list of those configured. The NAC policy is used to perform posture assessment and validation for the connecting user.
Access Hours	vpn-access-hours value time-range name	Choose a time range from those previously configured if you only allow access to this connection during specific times (for example, regular business hours).
Simultaneous Logins	vpn-simultaneous-logins 0-2147483647	Enter the number of simultaneous logins that can appear for this user account. (The default is 3.) A value of 0 prevents any logins from occurring, and remote users are unable to gain VPN access.
Restrict Access to VLAN (5505 Only)	vlan vlan id	Choose the only VLAN (Inside, Outside, DMZ) you will allow this connecting user access to. The default value is None.
Connection Profile (Tunnel Group) Lock	group-lock value connection profile	Choose the connection profile from the list. This group policy object will only be assigned to the selected connection profile. This setting basically makes the group policy usable only by a certain connection profile.
Maximum Connect Time	vpn-session-timeout {none \| 1-4473924}	Choose either Unlimited or enter the number of minutes the user is allowed to be connected before being automatically disconnected. (The default is Unlimited or None.)
Idle Timeout	vpn-idle-timeout {none \| 1-35791394}	Choose either Unlimited (value of None) or enter the number of minutes the user’s connection can be idle before being automatically disconnected. (The default is 30 minutes.)
On Smart Card Removal	smartcard-removal-disconnect [enable \| disable]	Choose the option to either keep the user’s connection connected or disconnect the connection upon the user removing her smart card.

After setting the specific general attributes required in your local group policy, you can assign the policy either directly to a local user account or globally to all users of a connection in the connection profile’s properties.

Assigning a Group Policy to a Local User Account

Begin this task by entering the user attributes configuration mode using the username- name attributes global configuration command. Within this mode, you can apply the group policy using the vpn-group-policy policy name command, as shown in Example 17-3.

Example 17-3 Assigning a Group Policy Directly to a User

CCNPSec# conf t
CCNPSec(config)# username EzUser1 attributes
CCNPSec(config-username)# vpn-group-policy EasyVPN

When using the ASDM, start by opening your user’s account properties in Configuration > Remote Access VPN > AAA/Local Users > User Accounts. In the User Accounts window, choose the local user account to apply the group policy object to and click Edit.

As shown in Figure 17-5, in the Edit User Account window that opens, we choose VPN Policy from the menu on the left and uncheck the Inherit check box next to the Group Policy section. Using the drop-down list, we then choose the group policy object we want applied to the user account.

Figure 17-5 Assigning a Group Policy Directly to a User

Assigning a Group Policy to a Connection Profile

You can assign a group policy object to a connection profile using the CLI of ASDM. Via the CLI, issue the default-group-policy policy name command within tunnel-group general-attributes configuration mode. Alternatively, open the ASDM connection profile properties window by navigating to Configuration > Remote Access VPN > Network (Client) Access > IPsec (IKEv1) Connection Profiles. Select the connection profile to assign the group policy object to from the list and click Edit.

In the Edit IPsec Remote Access Connection Profile Name window, use the drop-down list in the Default Group Policy section of the window to select the group policy object to be applied, as shown in Figure 17-6.

Figure 17-6 Assigning a Group Policy to a Connection Profile

In addition to the more general properties that you can assign using a group policy object, you can assign advanced properties (for example, split-tunneling exceptions and rules).

The configuration in Figure 17-7 shows the split-tunneling properties located in the Advanced > Split Tunneling section of the Edit Internal Group Policy - Name window.

Figure 17-7 Group Policy Split-Tunneling Configuration

For this example, the domain name vpn.lab has been added as a Domain Name System (DNS) name, indicating to the Easy VPN clients that any requests for DNS information for hosts in this domain should be tunneled (for example, secretfiles.vpn.lab). In addition to the configuration of DNS names, the option to tunnel only the list specified in the preconfigured ACL Internal_Servers by using the Policy and Network List fields has been configured. Example 17-4 displays the same configuration achieved via the CLI.

Example 17-4 Configuring Split Tunneling

CCNPSec# conf t
CCNPSec(config)# group-policy Internal-EzVPN-POLICY attributes
CCNPSec(config-group-policy)# split-tunnel-policy tunnelspecified
CCNPSec(config-group-policy)# split-tunnel-network-list value Internal_
 Servers
CCNPSec(config-group-policy)# default-domain value VPN.LAB

The configuration shown in Figure 17-7 and Example 17-4 results in DNS requests for devices in the domain name vpn.lab, or traffic matching that of the ACL Internal_Servers, to be sent by Easy VPN clients through the VPN tunnel to the ASA and on to the corporate network. All other traffic (for example, the remote user device’s LAN or Internet data) travels directly to the destination rather than through the VPN tunnel.

Accounting Methods for Operational Information

You have at your disposal the following logging mechanisms on the ASA to monitor remote user activity and connection state:

Syslog
NetFlow 9
RADIUS accounting
Simple Network Management Protocol (SNMP)

Syslog can provide a large amount of information for statistics-based analysis or information regarding the current ASA’s health and the status of our remote connections. In addition to being able to send syslog (debugging, informational, and so on) information to remote servers for offline inspection, you can choose to store it in a local buffer on the ASA for later viewing when working on the device.

Figure 17-8 shows the ASDM’s Logging Setup window available via Configuration > Device Management > Logging > Logging Setup. To enable logging, just check the Enable Logging check box. You can also optionally include debugging information when troubleshooting a feature/error on the ASA by checking the Send Debug Messages as Syslogs check box.

Figure 17-8 Enable Logging in the ASDM and Specify Location

In the Logging Setup window, you can also enable logging on the failover device if you are running two ASAs in a hardware failover pair, and you can select to send your syslog information in EMBLEM format. (This is required if you are running CiscoWorks software as applications. For example, RME [Resource Manager Essentials] processes syslog information in EMBLEM format.) In addition to these options, in the Logging to Internal Buffer section of the window, you can increase or decrease the size of the internal buffer used to store the logging information (default is 4096 bytes) on the ASA. The internal buffer is a rolling log, meaning as soon as it becomes full, any new information starts to overwrite the older information in the buffer. For example, if your ASA device is logging a large amount of information while you are trying to troubleshoot an error, it is worthwhile to increase the size of the logging buffer to prevent the information you might require being overwritten before you have had a chance to look at it. In this section, you can also configure the ASA to store the buffer information in a file on the ASA’s flash device or upload it to an FTP server when it reaches a specific size. This can also prevent your valuable log information from being overwritten. In the final section of the window, you can select the amount of information that is written to the ASDM log viewer (visible on the home page). The default is 100 messages.

After you have enabled logging on the ASA device, you can navigate to Configuration > Device Management > Logging > Syslog Servers and configure the remote servers to which the ASA will send its generated syslogs.

Figure 17-9 shows the Syslog Servers window and the Add Syslog Server window that opens when you click Add. In the Add Syslog Server window, select the interface your server is available on, enter the IP address of the server, and select either TCP or UDP (default) and the port (514 by default). In addition, you can check to enable the option Log Messages in Cisco EMBLEM Format (UDP only) or the option to Enable Secure Syslog Using SSL/TLS (Secure Sockets Layer/Transport Layer Security). (This latter option is available only when using TCP for communications between the ASA and server.)

Figure 17-9 Creating a New Syslog Entry

After you have entered your syslog servers, you need to then specify the level of logging information that will be sent to our syslog server. In Configuration > Device Management > Logging > Logging Filters, you can choose from the following:

Emergencies
Alerts
Critical
Errors
Warnings
Notifications
Informational
Debugging

As shown in Figure 17-10, you can choose the level of logging per function on the ASA. For example, you might want to send informational messages to the console but debugging information to the ASA’s internal buffer.

Figure 17-10 Choose the Logging Level per Function

And that’s it! Well... not quite. At the moment, enough options have been selected and enough information entered for the ASA to be able to log to the internal buffer, syslog, and servers. Now you can start to get really granular with the control you have over syslog information. For example, if you are interested in only a particular log message or set of messages, you can create a filter in the Event Lists window. After creating a filter, you can select this in the Logging Filters window instead of selecting a predefined logging level.

You can optionally rate limit the number of log messages sent per second per logging level, or even per log message, in the Rate Limit window. You can set up a dedicated facility per logging level, if you want to view or filter the different logging levels easily on our syslog server. And in the E-Mail Setup and SMTP windows, you can set up the parameters and options used to send syslog information to a recipient via email.

The process of configuring logging on your ASA when working from the CLI is, as you can imagine, a lot faster because you do not have to open and close all the different windows or check on uncheck any of the options. However, which method you choose to use to configure your ASA is up to you, although for the exam it is a good idea to have an understanding of the various CLI commands that are available and their corresponding ASDM locations and values.

For example, to enable informational logging to the local buffer of the ASA, you can enter the following commands in enable mode:

logging buffered informational
logging enable

For logging to become operational, the latter command must be issued.

Similarly, to set up logging to an external server, you can enter the following enable mode commands:

logging trap informational
logging host [nameif] {hostname | ip address} port [format emblem]

Again, you can use the format emblem keywords along with the command to enable the use of the EMBLEM format when working with a supported RADIUS server. When configuring logging to a destination or the local buffer, the same logging levels are available (for example, notifications, emergencies, debugging) as shown in Example 17-5. You have the choice of either entering the name of the level (for example, informational) or the corresponding severity level (6); both achieve the same result.

Example 17-5 Available CLI Logging Severities

CCNPSec(config)# logging buffered ? 

configure mode commands/options:
  <0-7>          Enter syslog level (0 - 7)
  WORD           Specify the name of logging list
  alerts         Immediate action needed           (severity=1)
  critical       Critical conditions               (severity=2)
  debugging      Debugging messages                (severity=7)
  emergencies    System is unusable                (severity=0)
  errors         Error conditions                  (severity=3)
  informational  Informational messages            (severity=6)
  notifications  Normal but significant conditions (severity=5)
  warnings      Warning conditions                 (severity=4)

You can view logging information held in the ASA’s internal buffer in Monitoring > Logging > Log Buffer. Alternatively, you can enter the show logging command when using the CLI. Choose the logging level you are interested in viewing and click View. Figure 17-11 shows an example of the log buffer contents in the internal logging buffer viewed using the ASDM.

Figure 17-11 ASA Internal Log Buffer

NetFlow 9

With NetFlow logging, you can view information on a flow-by-flow basis based on Layer 3 and Layer 4 information of a conversation. Unlike sending information to a collector in tuple format (which can lead to limitations in the amount of information sent in any one packet, like its predecessor NetFlow 5), NetFlow 9 uses a template-based method of transferring information to a server running the NetFlow collector service. The template is sent to the server at specific intervals (30 minutes) and is used to format the information it receives from the ASA.

The ASA can send NetFlow 9 information to a server running the NetFlow 9 collector service (all other versions are incompatible) based on the following packet-flow actions occurring:

Created
Denied (excluding flows denied by Ethertype ACLs).
Torn down

Figure 17-12 shows the configuration of NetFlow on the ASA device using the ASDM.

Figure 17-12 ASA NetFlow Configuration

In the NetFlow window (Configuration > Device Management > Logging > NetFlow), you can enter a value in minutes for the interval used to send the Version 9 template to the collection service running on your remote server (default 30). Optionally, you can choose to delay the sending of flow-creation events by a specific time you enter in seconds (which can help minimize the amount of information sent at any one time if, for example, a lot of flows are created at once on the ASA device). You also enter your flow collector’s (server) IP address, the interface they are available on, and the UDP port that will be used for the communication of NetFlow information to them. After entering this information, you can then specify the type of event for which NetFlow information is sent to the servers. As shown in Figure 17-12, three events can cause the information to be sent. You can specify the event using a service policy that, if you recall from earlier chapters, you have already seen when used to create quality of service (QoS) policies on the ASA.

However, unlike QoS policies, NetFlow policies can be applied only globally, not per interface. By default, the ASA has an existing default service policy that is applied globally to the ASA. However, you cannot edit this in the ASDM, so you must create a new global service policy and either use an access list to define the IP addresses for which your NetFlow flow information will be generated or use the class-default class of your policy.

To configure NetFlow via the CLI, enter flow-export option global configuration command (with the exception of service policy configuration, which is shown in a moment). Table 17-3 lists the options/values available for this command. Notice how these are also the same options that are available when using the ASDM.

Table 17-3 flow-export CLI Commands

CLI Commands	Value
flow-export delay flow-create 1-180	Enter the delay in seconds between 1 and 180 after which flow creation information will be exported.
flow-export destination [nameif] {hostname \| ip address} port	Enter the interface, hostname/IP address, and optionally a port that will be used to export information to a destination host.
flow-export template timeout-rate 1-3600	Enter the time in minutes (default 30) that template information will be re-sent.

In this example, a new global service policy is created using the class-default class to match all traffic for NetFlow flow information. Begin by opening the service policy in the ASDM Service Policy Rules window (Configuration > Firewall > Service Policy Rules) and clicking Add. Then choose Add Service Policy Rule. In the Add Service Policy Rule Wizard - Service Policy window, choose Global - Applies to All Interfaces and click Next.

On the next screen, Add Service Policy Rule Wizard - Traffic Classification Wizard, choose the Use Class-Default as the Traffic Class and click Next.

Then, in the Add Service Policy Rule Wizard - Rule Actions window, open the NetFlow tab. On this tab, click Add. In the new Add Flow Event window that opens, shown in Figure 17-13, choose the event that will trigger the sending of NetFlow information from the Flow Event Type drop-down box and check the box next to the host for which you want to enable this rule. Finally, click OK and Finish to apply the new rule.

Figure 17-13 ASA NetFlow Service Policy Configuration

Example 17-6 displays the same configuration as the earlier ASDM example, but this time configured using the CLI.

Example 17-6 NetFlow Export Configuration

CCNPSec(config)# flow-export destination inside 192.168.1.100 5010
CCNPSec(config)# policy-map global_policy
CCNPSec(config-pmap)# class class-default
CCNPSec(config-pmap-c)# flow-export event-type flow-create destination 192.168.1.100

RADIUS VPN Accounting

You can enable RADIUS accounting information so that your support representatives can interrogate the RADIUS logging information to see whether a VPN connection has succeeded or failed (and if failed, why).

To enable RADIUS accounting in a connection profile, as shown in Figure 17-14, navigate to Configuration > Remote Access VPN > Network (Client) Access > IPsec (IKEv1) Connection Profiles. Choose your connection profile from the list and click Edit. In the Edit IPsec Remote Access Connection Profile: Name window, choose Advanced > Accounting from the menu on the left. In the Accounting window, from the drop-down list choose the RADIUS server group that contains the RADIUS servers to which the ASA will be sending its accounting information. You can also create a new server group by clicking Manage if no groups are currently available.

Figure 17-14 IKEv1 Connection Profile RADIUS Accounting Configuration

The CLI configuration is just as simple. You configure the accounting servers within the now familiar tunnel-group general-attributes configuration mode with accounting-server-group name, as shown in Example 17-7.

Example 17-7 Connection Profile Accounting Server Configuration

CCNPSec(config)# tunnel-group DefaultRAGroup general-attributes
CCNPSec(config-tunnel-general)# accounting-server-group RADIUS

After configuring RADIUS accounting servers in a connection profile, you can inspect the received RADIUS accounting information on your RADIUS server implementation using the various logging options that are available.

SNMP

The ASA can support access for device and statistical interrogation using SNMP Version 1, Version 2c, and Version 3. Many texts and books already explain the differences between these versions, so to save you from reading it all again, this discussion assumes that you know enough about SNMP already to have made the decision that if Version 3 is available on a device, you use Version 3 to access it.

You configure the various SNMP options (traps, location, global community string, and hosts) in Configuration > Device Management > Management Access > SNMP, as shown in Figure 17-15.

Figure 17-15 ASA SNMP Configuration

In the SNMP window, you can configure all the familiar options for the protocol, such as the community string, contact, location, and listening port (UDP 161 by default). You can configure the criteria for trap information to be sent by clicking Configure Traps and choosing from the available options in the SNMP Trap Configuration window that opens.

In addition, in the SNMP window, in the SNMP Host Access List section, you can explicitly enter the addresses of your servers that will be accessing your ASA device. You can also create the users and groups that will be used for SNMPv3 access in the SNMPv3 Users section of the window.

To configure SNMP hosts, options, and attributes via the CLI, enter the snmp-server option global configuration mode command. Table 17-4 describes the configuration options you have for this command. Note that these are the same as those available within the ASDM SNMP window shown earlier in Figure 17-15.

Table 17-4 snmp-server CLI Commands

CLI Commands	Value
snmp-server community string	Enter the community string used for authentication with SNMP versions earlier than Version 3.
snmp-server contact value	Enter the contact information that will be held within the SNMP MIB object sysContact.
snmp-server enable traps option	Enter the trap option that will enable the appropriate amount and detail of information you require to be sent to the SNMP server. The available options are as follows:
	all—Enable all traps.
	connection-limit-reached—Enable connection limit traps.
	cpu—Enable CPU utilization-related traps.
	entity—Enable ENTITY MIB notifications.
	ikev2—Enable IKEv2 traps.
	interface-threshold—Enable interface threshold reached traps.
	ipsec—Enable IPSec traps.
	memory-threshold—Enable memory threshold reached traps.
	nat—Enable Network Address Translation (NAT)-related traps.
	remote-access—Enable remote-access traps.
	snmp—Enable SNMP traps.
	syslog—Enable syslog traps.
snmp-server group name v3 [auth \| priv \| noauth]	Enter this command to configure a group for use with Version 3 servers and the purposes of authentication (auth) or encryption (priv) of SNMP information.
snmp-server host [nameif] hostname/ip address [community value] [udp-port port] [poll] [trap] [version 1 \| 2c \| 3]	Use this command to enter the location, hostname/IP address and port number of an SNMP server used to send SNMP information to/from the ASA. You can also optionally enter a community value and SNMP version, and you can use the trap keyword to send traps to only the specified host or use the poll keyword to allow polling to occur only from this host.
snmp-server listen-port value snmp-server location value	Enter the port that will be used by the local SNMP engine on the ASA to listen for incoming SNMP requests (default 161). Use this command to enter the value for the MIB object sysLocation (for example, Floor1East).
snmp-server user username groupname v3 [auth {md5 \| sha} password] [priv des \| 3des \| aes {256 \| 192 \| 128} password]	Use this command to create a local SNMP user account for use with Version 3. Note that you must first configure the group the user will belong to on the ASA by entering the snmp-server group name command.

Exam Preparation Tasks

As mentioned in the section “How to Use This Book” in the Introduction, you have a few choices for exam preparation: Chapter 22, “Final Exam Preparation,” Appendix C, “Memory Tables” (CD only), and the exam simulation questions on the CD.

Review All Key Topics

Review the most important topics in the chapter, noted with the Key Topic icon in the outer margin of the page. Table 17-5 lists a reference of these key topics and the page numbers on which each is found.

Table 17-5 Key Topics

Key Topic Element	Description	Page
Bulleted list	Group policy types	627
Subtopic	Assigning a group policy to a user account	633
Subtopic	Assigning a group policy to a connection profile	634
Bulleted list	Available accounting methods	636
Bulleted list	Available logging levels	638
Bulleted list	NetFlow flow-creation actions	641

Complete Tables and Lists from Memory

Print a copy of Appendix C, “Memory Tables” (found on the CD), or at least the section for this chapter, and complete the tables and lists from memory. Appendix D, “Memory Tables Answer Key,” also on the CD, includes completed tables and lists to check your work.

Define Key Terms

Define the following key terms from this chapter, and check your answers in the glossary:

external group policy, internal group policy, NetFlow, SNMP (Simple Network Management Protocol)