https://community.cisco.com/t5/network-access-control/configuring-cisco-acs-5-3-for-anyconnect-vpn-and-management-of-a/m-p/1957691#M245816 <HTML><HEAD></HEAD><BODY><P> Just to share---</P><P></P><P>Here is the way we handled this particular instances since there is only one group who will use this ASA.&nbsp; On the 5505, we made modified the default simultaneous logins to 0.&nbsp; And then on our VPN group profile, we unchecked the inherit box and modified so we could have 4 users.&nbsp; </P><P></P><P>On the ACS, we modified the Policy Elements, Authorization and Permissions-&gt;Network Access-&gt;Authorization Profiles, we added two IETF attributes.&nbsp; One was Radius-IETF-&gt;Radius Attribute Class-&gt;Type=String-&gt;Value OU=name of VPN profile.</P><P></P><P>Second attribute was Service Type, Type was enumeration, Value=Login.</P><P></P><P>This seems to have cleared up just anyone login into this and allowed only the needed member to do this.</P><P></P><P>Thanks to all for your help.</P><P></P><P>Dwane</P></BODY></HTML> Thu, 14 Jun 2012 16:25:55 GMT dpatkins 2012-06-14T16:25:55Z https://community.cisco.com/t5/network-access-control/configuring-cisco-acs-5-3-for-anyconnect-vpn-and-management-of-a/m-p/1957688#M245747 <P>We have configured a Cisco ASA 5505 as a VPN endpoint for one of our user groups.&nbsp; It works, but it works too well.&nbsp; </P><P></P><P> We have a group called XXX that we need to have access to the Cisco AnyConnect Client.&nbsp; We have selected this group from our Active Directory and added it to our ACS configuration.&nbsp; We also have added a group called YYY that will manage the ASA. However, this group has no need to access the VPN.&nbsp; </P><P></P><P>We have added XXX to the Policy elements Network Access-&gt; Authorization Profiles.&nbsp; We also have a profile for YYY.</P><P></P><P>It continues to hit on our default Service Rule that says permit all.</P><P></P><P>We have also created a Default network access rule. for this.&nbsp; </P><P></P><P>I am at a loss.&nbsp; I am pretty sure I have missed a check box or something.</P><P></P><P>Any help would definitely be appreciated.</P><P></P><P>Dwane</P> Mon, 11 Mar 2019 02:11:26 GMT https://community.cisco.com/t5/network-access-control/configuring-cisco-acs-5-3-for-anyconnect-vpn-and-management-of-a/m-p/1957688#M245747 dpatkins 2019-03-11T02:11:26Z https://community.cisco.com/t5/network-access-control/configuring-cisco-acs-5-3-for-anyconnect-vpn-and-management-of-a/m-p/1957689#M245762 <HTML><HEAD></HEAD><BODY><P>Are we using TACACS protocl for managing ASA and Radius for VPN access?</P><P></P><P>For administration, you should edit default device admin access-policy and create an authorization-policy. Same way, you can edit default-network access for vpn access and create a respective policy for that too.</P><P></P><P>On the ASA, you need to configure tacacs and radius both as a server group.</P><P></P><P>For administration you can define tacacs as an external authentication server under aaa commands</P><P></P><P>aaa-server TACACS protocol tacacs+</P><P>aaa authentication http console TACACS</P><P>aaa authentication telnet console TACACS LOCAL</P><P>aaa authentication ssh console TACACS LOCAL</P><P>aaa authentication enable console TACACS LOCAL</P><P></P><P>For VPN you need to define radius authentication under the tunnel-group.</P><P></P><P>Hope this helps.</P><P></P><P>Regards,</P><P>Jatin</P><P></P><P></P><P>Do rate helpful posts-</P></BODY></HTML> Tue, 12 Jun 2012 15:53:01 GMT https://community.cisco.com/t5/network-access-control/configuring-cisco-acs-5-3-for-anyconnect-vpn-and-management-of-a/m-p/1957689#M245762 Jatin Katyal 2012-06-12T15:53:01Z https://community.cisco.com/t5/network-access-control/configuring-cisco-acs-5-3-for-anyconnect-vpn-and-management-of-a/m-p/1957690#M245779 <HTML><HEAD></HEAD><BODY><P> Jkatyal,</P><P></P><P>Thank you for the response.&nbsp; I do not think the management portion is as important as teh VPN in this case.</P><P></P><P>We need to have only personnel located in the AD group XYZ be able to access the VPN on ASA5505.</P><P></P><P>I have worked some with Cisco TAC and since we had migrated to the ACS5.3, the Access Policy was configure with NDG Location, in all locations.&nbsp; We configured it with a new location and added that to the policy but it still did nto fix it.</P><P></P><P>So in a nutshell, how do we configure a situation where a Cisco VPN group going to a specific device can only have access if it belongs to a specific AD group.</P><P></P><P>Thanks</P></BODY></HTML> Wed, 13 Jun 2012 14:11:05 GMT https://community.cisco.com/t5/network-access-control/configuring-cisco-acs-5-3-for-anyconnect-vpn-and-management-of-a/m-p/1957690#M245779 dpatkins 2012-06-13T14:11:05Z https://community.cisco.com/t5/network-access-control/configuring-cisco-acs-5-3-for-anyconnect-vpn-and-management-of-a/m-p/1957691#M245816 <HTML><HEAD></HEAD><BODY><P> Just to share---</P><P></P><P>Here is the way we handled this particular instances since there is only one group who will use this ASA.&nbsp; On the 5505, we made modified the default simultaneous logins to 0.&nbsp; And then on our VPN group profile, we unchecked the inherit box and modified so we could have 4 users.&nbsp; </P><P></P><P>On the ACS, we modified the Policy Elements, Authorization and Permissions-&gt;Network Access-&gt;Authorization Profiles, we added two IETF attributes.&nbsp; One was Radius-IETF-&gt;Radius Attribute Class-&gt;Type=String-&gt;Value OU=name of VPN profile.</P><P></P><P>Second attribute was Service Type, Type was enumeration, Value=Login.</P><P></P><P>This seems to have cleared up just anyone login into this and allowed only the needed member to do this.</P><P></P><P>Thanks to all for your help.</P><P></P><P>Dwane</P></BODY></HTML> Thu, 14 Jun 2012 16:25:55 GMT https://community.cisco.com/t5/network-access-control/configuring-cisco-acs-5-3-for-anyconnect-vpn-and-management-of-a/m-p/1957691#M245816 dpatkins 2012-06-14T16:25:55Z https://community.cisco.com/t5/network-access-control/configuring-cisco-acs-5-3-for-anyconnect-vpn-and-management-of-a/m-p/1957692#M245835 <HTML><HEAD></HEAD><BODY><P>All,</P><P></P><P>My apologies, I am using Radius for both.</P><P></P><P>Thank you,</P><P></P><P>Dwane</P></BODY></HTML> Mon, 18 Jun 2012 13:19:42 GMT https://community.cisco.com/t5/network-access-control/configuring-cisco-acs-5-3-for-anyconnect-vpn-and-management-of-a/m-p/1957692#M245835 dpatkins 2012-06-18T13:19:42Z https://community.cisco.com/t5/network-access-control/configuring-cisco-acs-5-3-for-anyconnect-vpn-and-management-of-a/m-p/1957693#M245855 <HTML><HEAD></HEAD><BODY><P>I have the Radius actually working with our AD group. I just need to know how to separate it. The users can log in to using the AnyConnect Client. However, so can the users of the administrative group. I am trying to ensure I have the proper restrictions set up. I do not want the VPN users to be able to manage the device nor should the management users be able to access the VPN tunnel.</P><P></P><P>Does this make sense?</P><P></P><P>Thank you,</P><P></P><P>Dwane</P></BODY></HTML> Mon, 18 Jun 2012 13:19:42 GMT https://community.cisco.com/t5/network-access-control/configuring-cisco-acs-5-3-for-anyconnect-vpn-and-management-of-a/m-p/1957693#M245855 dpatkins 2012-06-18T13:19:42Z