
12 User Management
VPN 3000 Concentrator Series User Guide
Some additional points to note:
Base-group parameters are the default, or system-wide, parameters.
A user can be a member of only one group.
Users who are not members of a specific group are, by default, members of the base group. Therefore,
to ensure maximum security and control, you should assign all users to appropriate groups, and you
should configure base-group parameters carefully.
You can change group parameters, thereby changing parameters for all its members at the same time.
You can delete a group, but when you do, all its members revert to the base group. Deleting a group,
however, does not delete its members' user profiles.
You can override the base-group parameters when you configure groups and users, and give groups
and users more or fewer rights with this exception:
For PPTP and L2TP authentication protocols, you can allow specific groups and users to use fewer
protocols than the base group, but not more.
For all other parameters, groups' and users' rights can be greater than the base group. For example,
you can give a specific user 24-hour access to the VPN, but give the base group access during business
hours only.
To use both IPSec and L2TP over IPSec protocols for remote access, a user must be assigned to
different groups, since the IPSec parameters differ.
You apply filters to groups and users, and thus govern tunneled data traffic through the VPN
Concentrator. You also apply filters to network interfaces, and thus govern all data traffic through the
VPN Concentrator. See the
Configuration | Policy Management | Traffic Management screens.
We can supply a dictionary of Cisco-specific user and group parameters for external RADIUS
We recommend that you define groups when planning your VPN, and that you configure groups and
users on the VPN Concentrator in this order:
Base-group parameters.
Group parameters.
User parameters.
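
The inheritance rules above (base group, then group, then user) can be modeled offline to review a planned configuration before entering it. The following Python sketch is an added example, not Cisco code or the VPN Concentrator's own logic; the parameter names (access_hours, auth_protocols), the group and user names, and all sample data are constructed for illustration. It resolves each user's effective settings and flags users who fall back to the base group or who request authentication protocols the base group does not allow.

```python
# Added illustration. Parameter names and all sample data are constructed;
# they are not VPN Concentrator configuration keys.
BASE = {"access_hours": "business-hours",
        "auth_protocols": {"PAP", "CHAP", "MSCHAPv1"}}
GROUPS = {"engineering": {"access_hours": "24-hour",
                          "auth_protocols": {"MSCHAPv1"}}}
USERS = {
    "alice": {"group": "engineering", "params": {}},
    "bob": {"group": "contractors", "params": {}},   # group was deleted
    "carol": {"group": None,
              "params": {"auth_protocols": {"CHAP", "EAP"}}},
}


def effective(base, groups, user):
    """Resolve one user's settings; return (settings, findings)."""
    findings = []
    group = groups.get(user["group"])
    if group is None:
        # No group, or the group no longer exists: the base group applies.
        findings.append("falls back to base group")
        group = {}
    settings = dict(base)
    # Apply the layers in the recommended order: group first, then user.
    for layer_name, layer in (("group", group), ("user", user["params"])):
        for key, value in layer.items():
            if key == "auth_protocols":
                extra = set(value) - base[key]
                if extra:
                    findings.append(f"{layer_name} asks for protocols "
                                    f"outside the base group: {sorted(extra)}")
                # Fewer protocols than the base group is allowed, more is not.
                settings[key] = set(value) & base[key]
            else:
                # Any other parameter may be stricter or looser than the base.
                settings[key] = value
    return settings, findings


def audit(base, groups, users):
    """Map each user name to (settings, findings)."""
    return {name: effective(base, groups, u) for name, u in users.items()}


if __name__ == "__main__":
    for name, (settings, findings) in audit(BASE, GROUPS, USERS).items():
        print(name, settings, findings or "ok")
```

Users reported as falling back to the base group are the ones whose access depends entirely on how carefully the base-group parameters were set.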
Before configuring groups and users, you should configure:
System policies: network lists, access hours, filters, rules, and IPSec security associations (see
Configuration | Policy Management).
Authentication servers, and specifically the internal authentication server (see
Configuration | System |