topic ACS 5.x Auth for VPN and SSH/managment users in Network Access Control

ACS 5.x Auth for VPN and SSH/managment users

Nedeljko Scepanovic — Mon, 11 Mar 2019 03:35:38 GMT

Hi, this is my test lab , I have ASA 5505 and a few routers 1841, how can I make 2 groups for authentication on ACS via ssh and vpn, first is managment ssh, and I make this via tacacs, second is vpn and autentication for that users work via radius,

I make 2 user group in ACS, first is gr_Admins for ssh/managment via TACACS, and second is gr_VPN for VPN via radius

Is there some way that I divide these two groups, if I gr_Admins, put autentication with radius, they would be able to log in with VPN, and it does not want, I want a group for ssh, and the other only for VPN

English is not my native language, so I apologize for bad writing.

CCNA

ACS 5.x Auth for VPN and SSH/managment users

Eduardo Aliaga — Thu, 04 Jul 2013 04:29:41 GMT

About ssh and vpn, you can use the default "Service Selection Rules". the service called "Default network access" will take care of vpns and the service called "device admin" will take care of tacacs.

About users you could create "attributes". For example you could create a user attribute called "vpn-attribute" and then create an "access service rule" that will let this user to access the vpn only if the "vpn-attribute" is set to "true"

Also, you could create the "ssh" attribute, and create an "access service rule" that will let this user to access a device by using ssh only if the ssh attribute is set to true

That way you can have all the options for your users (user that only can ssh, users that only can use the vpn, users that can use both ssh and vpns, and user that can't use nothing).

Please rate if this helps

ACS 5.x Auth for VPN and SSH/managment users

Nedeljko Scepanovic — Thu, 18 Jul 2013 19:06:14 GMT

I will now try your solution

CCNA R&S, CCNA Security

ACS 5.x Auth for VPN and SSH/managment users

Nedeljko Scepanovic — Sat, 20 Jul 2013 09:48:19 GMT

I tried your solution, but I can not create any rules, and when I click on Create, a new window appears with an error ErrorCode: 500 has occured, I use ACS 5.4 trial.

Have a nice day

ACS 5.x Auth for VPN and SSH/managment users

Jatin Katyal — Sat, 20 Jul 2013 10:21:30 GMT

What broswer and code are you using?

~BR
Jatin Katyal

**Do rate helpful posts**

ACS 5.x Auth for VPN and SSH/managment users

Nedeljko Scepanovic — Sat, 20 Jul 2013 10:26:50 GMT

Hahahha, that is problem , I look on google, and find what I must do to, I use Xubunu FF 20, and Chrome, I have installed on VirtualBox WindowsXP, and I install Firefox 3,and now is OK )

CCNA R&S, CCNA Security

ACS 5.x Auth for VPN and SSH/managment users

Jatin Katyal — Sat, 20 Jul 2013 10:31:20 GMT

Let us know if you have any more questions.

~BR
Jatin Katyal

**Do rate helpful posts**

ACS 5.x Auth for VPN and SSH/managment users

Nedeljko Scepanovic — Sun, 21 Jul 2013 23:30:55 GMT

Again I came, I made two rules, the first Management access-Admin group, and Network Access VPN, the first match TACACS, Radius second, first I made Shell Profiles (static level 15) and Command Sets, (I managed to adjust to helpdesk group only are allowed commands specified below, users helpdesk group can again all the commands that are used (conf t etc ....), they have the privilege level 10)

To get back to the first question, Admin group has all rights, it can use all the commands, they are not the problem, how configure VPN group, which only authenticate the ASA over the radius, which value to put the privileges of Shell Profiles for VPN, Default Privilege and Privilege Maximum static 0 or NULL in field Shell Profile:, and what to do with Command Sets for VPN group, the same NULL or DenyAllCommands?

Please help me for Command Sets

show ip int

show int

show ver

CCNA R&S, CCNA Security

Re:ACS 5.x Auth for VPN and SSH/managment users

Nedeljko Scepanovic — Sat, 27 Jul 2013 16:36:34 GMT

Hi, any new comment?

Sent from Cisco Technical Support Android App