Cisco ASA 5555-X Adaptive Security Appliance - No Payload Encryption Release Notes

Cisco ASA 5580 Series Release Notes Version 8.1(2)
OL-15086-02
hostname(config-webvpn)# csd enable
hostname(config-webvpn)#
New Features
Released: October 10, 2008
Table 2 lists the new features for ASA Version 8.1(2). This ASA software version is only supported on the ASA 5580.
Table 2: New Features for ASA Version 8.1(2)

Remote Access Features

Feature: Auto Sign-On with Smart Tunnels for IE
Description: This feature lets you enable the replacement of logon credentials for WININET connections. Most Microsoft applications use WININET, including Internet Explorer. Mozilla Firefox does not, so it is not supported by this feature. The feature supports HTTP-based authentication, so form-based authentication does not work with it.

Credentials are statically associated with destination hosts, not services, so if the initial credentials are wrong, they cannot be dynamically corrected during runtime. Also, because of the association with destination hosts, providing support for an auto sign-on enabled host may not be desirable if you want to deny access to some of the services on that host.

To configure a group auto sign-on for smart tunnels, you create a global list of auto sign-on sites, then assign the list to group policies or user names. This feature is not supported with Dynamic Access Policy.

Feature: Entrust Certificate Provisioning
Description: ASDM 6.1.3 (which lets you manage security appliances running Versions 8.0x and 8.1x) includes a link to the Entrust website to apply for temporary (test) or discounted permanent SSL identity certificates for your ASA.

Feature: Extended Time for User Reauthentication on IKE Rekey
Description: You can configure the security appliance to give remote users more time to enter their credentials on a Phase 1 SA rekey. Previously, when reauthenticate-on-rekey was configured for IKE tunnels and a Phase 1 rekey occurred, the security appliance prompted the user to authenticate and gave the user only approximately 2 minutes to enter their credentials. If the user did not enter their credentials in that 2-minute window, the tunnel was terminated. With this new feature enabled, users have more time to enter credentials before the tunnel drops. The total amount of time is the difference between the new Phase 1 SA being established, when the rekey actually takes place, and the old Phase 1 SA expiring. With default Phase 1 rekey times set, the difference is roughly 3 hours, or about 15% of the rekey interval.
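
An added example, not part of the Cisco release notes: because auto sign-on credentials for smart tunnels are bound to destination hosts rather than services, this Python script audits a configuration for auto sign-on list entries that match more than a single host and reports which lists are enabled. The `smart-tunnel auto-signon` command syntax and the wildcard characters are assumptions recalled from the ASA command reference, and the sample configuration is constructed.

```python
import ipaddress
import re

# Constructed sample configuration (not from the release notes). Assumed syntax:
#   smart-tunnel auto-signon <list> [use-domain] {ip <addr> [<mask>] | host <mask>}
#   smart-tunnel auto-signon enable <list>   (under group-policy/username webvpn)
SAMPLE_CONFIG = """\
webvpn
 smart-tunnel auto-signon HR use-domain ip 192.0.2.56 255.255.255.255
 smart-tunnel auto-signon HR ip 198.51.100.0 255.255.255.0
 smart-tunnel auto-signon INTRANET host *.example.com
 smart-tunnel auto-signon INTRANET host wiki.example.com
group-policy Sales attributes
 webvpn
  smart-tunnel auto-signon enable HR
"""

ENABLE = re.compile(r"^\s*smart-tunnel auto-signon enable (\S+)")
ENTRY = re.compile(r"^\s*smart-tunnel auto-signon (\S+)(?: use-domain)? "
                   r"(ip|host) (\S+)(?: (\S+))?\s*$")
WILDCARDS = "*?["  # assumed hostname-mask wildcard characters


def audit_auto_signon(config, max_hosts=1):
    """Return (findings, enabled_lists) for an ASA configuration text.

    Each finding is (list_name, target, reason). Every host an entry matches
    receives the stored credentials, whatever service it is running.
    """
    findings, enabled = [], set()
    for line in config.splitlines():
        m = ENABLE.match(line)
        if m:
            enabled.add(m.group(1))
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        name, kind, target, mask = m.groups()
        if kind == "ip":
            # A missing netmask is treated as a single host.
            net = ipaddress.ip_network(f"{target}/{mask or '255.255.255.255'}",
                                       strict=False)
            if net.num_addresses > max_hosts:
                findings.append((name, str(net),
                                 f"covers {net.num_addresses} addresses"))
        elif any(c in target for c in WILDCARDS):
            findings.append((name, target, "wildcard hostname mask"))
    return findings, enabled
```

Findings for lists that appear in the enabled set deserve attention first, since those credentials are already being replayed for a group policy or user.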