Chapter 4 Infrastructure and integration 37
• Username with password
• RSA SecurID
• CRYPTOCard
Authentication groups
The Cisco Unity protocol uses authentication groups to group users based on a common set of parameters. You should create an authentication group for iOS users. For pre-shared key and hybrid authentication, the group name must be configured on the device with the group’s shared secret (pre-shared key) as the group password.
When using certificate authentication, there’s no shared secret. A user’s group is determined from fields in the certificate. The Cisco server settings can be used to map fields in a certificate to user groups.
RSA-Sig must be the highest priority on the ISAKMP priority list.
Certificates
When you set up and install certificates:
• The server identity certificate must contain the server’s DNS name or IP address in the SubjectAltName field. The device uses this information to verify that the certificate belongs to the server. For more flexibility, you can specify the SubjectAltName using wildcard characters for per-segment matching, such as vpn.*.mycompany.com. If no SubjectAltName is specified, you can put the DNS name in the common name field.
• The certificate of the CA that signed the server’s certificate needs to be installed on the device. If it isn’t a root certificate, install the rest of the trust chain so that the certificate is trusted. If you use client certificates, make sure the trusted CA certificate that signed the client’s certificate is installed on the VPN server. When using certificate-based authentication, make sure the server is set up to identify the user’s group, based on fields in the client certificate.
Important: The certificates and certificate authorities must be valid (for example, not expired). Sending of certificate chain by the server isn’t supported.
IPSec settings and descriptions
IPSec has various settings that you can use to define how it will be implemented:
• Mode: Tunnel mode.
• IKE Exchange Modes: Aggressive Mode for pre-shared key and hybrid authentication or Main Mode for certificate authentication.
• Encryption Algorithms: 3DES, AES-128, or AES-256.
• Authentication Algorithms: HMAC-MD5 or HMAC-SHA1.
• Diffie-Hellman Groups: Group 2 is required for pre-shared key and hybrid authentication. Group 2 with 3DES and AES-128 for certificate authentication. Group 2 or 5 with AES-256.
• PFS (Perfect Forward Secrecy): In IKE phase 2, if PFS is used, the Diffie-Hellman group must be the same as was used for IKE phase 1.
• Mode Configuration: Must be enabled.
• Dead Peer Detection: Recommended.
• Standard NAT Traversal: Supported and can be enabled (IPSec over TCP isn’t supported).
• Load Balancing: Supported and can be enabled.
• Rekeying of Phase 1: Not currently supported. It’s recommended that rekeying times on the server be set to one hour.