https://community.cisco.com/t5/network-access-control/two-aaa-identity-groups/m-p/2271412#M135993 <HTML><HEAD></HEAD><BODY><P>So basically, you have to use authorization as well as authentication instead of just authentication?</P><P></P><P>Thanks,</P><P></P><P>Alex</P></BODY></HTML> Thu, 13 Jun 2013 11:21:50 GMT Alex Pfeil 2013-06-13T11:21:50Z https://community.cisco.com/t5/network-access-control/two-aaa-identity-groups/m-p/2271410#M135982 <P>I have some administators that log into switches and some end-users that need to be able to authenticate to a VPN.&nbsp; I am running ACS5.2.&nbsp; How can I setup Authentication on the ACS so that an ASA 5520 will authenticate the users to a VPN, but will not authenticate the administrators.</P><P></P><P>I logged into the VPN session using an administrator account that is not a member of the user group.</P><P></P><P>I would think that it would be easy to do this and I am probably overlooking something, but the ASA is setup to use authentication from the ACS and it seems to authenticate any user that is on the ACS.</P><P></P><P>Thanks in advance,</P><P></P><P>Alex Pfeil&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P> Mon, 11 Mar 2019 03:32:09 GMT https://community.cisco.com/t5/network-access-control/two-aaa-identity-groups/m-p/2271410#M135982 Alex Pfeil 2019-03-11T03:32:09Z https://community.cisco.com/t5/network-access-control/two-aaa-identity-groups/m-p/2271411#M135986 <HTML><HEAD></HEAD><BODY><P>Hi Alex,</P><P></P><P>With ACS 5.2, you need to add ASA as a TACACS and RADIUS aaa client. </P><P>Create 2 differernt identities groups on ACS. One for Admin and other for VPN users.</P><P></P><P>Create a authorization rule under default network access with a conditions as</P><P>Identity-group: Admin</P><P>Protocol as radius</P><P>Device: ASA-IP address ( if you don't see this condition, use the customize tab available in the bottom right corner)</P><P>Authorization profile: Deny access.</P><P>Save</P><P></P><P>In case you would like to configure same via ASA database (without ACS). here is a blog I created a month ago</P><P><A class="jive-link-external-small" href="https://community.cisco.com/community/netpro/security/aaa/blog/2013/05/05/restrict-local-admin-user-mgmt-purpose-to-access-vpn-on-asa-and-ios">https://supportforums.cisco.com/community/netpro/security/aaa/blog/2013/05/05/restrict-local-admin-user-mgmt-purpose-to-access-vpn-on-asa-and-ios</A></P><P></P><P></P><P>Jatin Katyal <BR /> - Do rate helpful posts -</P></BODY></HTML> Thu, 13 Jun 2013 08:56:09 GMT https://community.cisco.com/t5/network-access-control/two-aaa-identity-groups/m-p/2271411#M135986 Jatin Katyal 2013-06-13T08:56:09Z https://community.cisco.com/t5/network-access-control/two-aaa-identity-groups/m-p/2271412#M135993 <HTML><HEAD></HEAD><BODY><P>So basically, you have to use authorization as well as authentication instead of just authentication?</P><P></P><P>Thanks,</P><P></P><P>Alex</P></BODY></HTML> Thu, 13 Jun 2013 11:21:50 GMT https://community.cisco.com/t5/network-access-control/two-aaa-identity-groups/m-p/2271412#M135993 Alex Pfeil 2013-06-13T11:21:50Z https://community.cisco.com/t5/network-access-control/two-aaa-identity-groups/m-p/2271413#M135999 <HTML><HEAD></HEAD><BODY><P>Yes we have to use the autorization rule for determining the access permissions in a network access&nbsp; service.</P><P></P><P></P><P>Jatin Katyal <BR /> - Do rate helpful posts -</P></BODY></HTML> Thu, 13 Jun 2013 12:54:49 GMT https://community.cisco.com/t5/network-access-control/two-aaa-identity-groups/m-p/2271413#M135999 Jatin Katyal 2013-06-13T12:54:49Z