The group lock feature, introduced in Cisco IOS 12.2(13)T, allows you to perform an extra authentication check during Xauth. With this feature enabled, the user must enter a username, group name, and user password during Xauth to authenticate. The username and group name can be entered in any of the following formats: "username/group name," "username\group name," "username%group name," or "username group name." The server compares the group name entered during Xauth with the group name sent for preshared key device authentication. If they do not match, the server denies the connection. To enable this feature, use the group-lock command for the group.
Cisco IOS software does not strip the @group suffix from the Xauth username, so an entry for user@group (not just user) must exist in the local or external AAA database that the Internet Security Association Key Management Protocol (ISAKMP) profile selected at Phase 1 (machine group authentication) points to.
Do not use the Group-Lock attribute with RSA signature authentication (certificates); use the User-VPN-Group attribute instead. User-VPN-Group is recommended whenever an external AAA database is used, whether the authentication method is preshared keys or RSA signatures.
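An added configuration example, not text from the original page or from Cisco's own documentation: an IOS Easy VPN server fragment with group-lock enabled for a hypothetical group named sales. It shows the three pieces the text refers to: the client configuration group whose preshared key is used for Phase 1, the ISAKMP profile that selects the AAA lists, and the local AAA entry that must carry the user@group form of the Xauth username. The group name, preshared key, pool, addresses and username are invented placeholders, and the crypto map or dynamic map that binds the ISAKMP profile to an interface is omitted.

```cisco
! Added example (not Cisco documentation). All names, keys and addresses
! are hypothetical placeholders.
aaa new-model
! Xauth users and group attributes come from the local database here; an
! external RADIUS server could be referenced in these lists instead.
aaa authentication login ezvpn-xauth local
aaa authorization network ezvpn-groups local
!
! Local AAA entry. The router does not strip the @group suffix from the
! Xauth username, so the entry must be user@group, not just the user.
username alice@sales password 0 Xauth-Placeholder
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
!
! Group used for Phase 1 preshared-key (machine group) authentication.
crypto isakmp client configuration group sales
 key Group-PSK-Placeholder
 dns 10.10.1.10
 pool sales-pool
 ! group-lock: the group name carried in the Xauth username must equal
 ! "sales", the group whose preshared key authenticated Phase 1; any
 ! other group name in the username is denied.
 group-lock
!
crypto isakmp profile ezvpn-sales
 match identity group sales
 client authentication list ezvpn-xauth
 isakmp authorization list ezvpn-groups
 client configuration address respond
!
ip local pool sales-pool 10.10.20.1 10.10.20.254
```

With group-lock omitted, a client that completes Phase 1 with the sales group's preshared key is accepted as long as the Xauth username and password are valid in the AAA list, even if that account was issued for a different group; with it present, the group name embedded in the Xauth username is checked against sales and the connection is refused on mismatch. If Phase 1 used RSA signatures rather than this preshared key, the group-lock line would not be the right control and the User-VPN-Group attribute described above applies instead.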