<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic ACS/ASA authentication for vpn access vs. console management access in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/acs-asa-authentication-for-vpn-access-vs-console-management/m-p/1219686#M379120</link>
    <description>&lt;P&gt;I have an ACS 4.2 Server and an ASA 5540.  I have set up AnyConnect SSL VPN on the ASA and want to authenticate users using AAA TACACS+ authentication with the ACS and an external Windows AD database.  I have done this successfully.  I also want to use the ACS for authenticating SSH management sessions into the ASA.  I have set up groups in AD and on the ACS called VPNUSERS and NETADMINS.  The problem is, I want the VPN users to ONLY be able to authenticate for VPN but not have access to log into the ASA CLI or ASDM.  The NETADMINS should be able to do both.  The question I have is how do I set up the VPNUSERS group in ACS to have access to connect to the ASA for VPN but not for the management console?  It seems that if they can authenticate for VPN, they can also SSH to the firewall, which is what I want to prevent.&lt;/P&gt;</description>
    <pubDate>Sun, 10 Mar 2019 23:23:13 GMT</pubDate>
    <dc:creator>Joshua Engels</dc:creator>
    <dc:date>2019-03-10T23:23:13Z</dc:date>
    <item>
      <title>ACS/ASA authentication for vpn access vs. console management access</title>
      <link>https://community.cisco.com/t5/network-access-control/acs-asa-authentication-for-vpn-access-vs-console-management/m-p/1219686#M379120</link>
      <description>&lt;P&gt;I have an ACS 4.2 Server and an ASA 5540.  I have set up AnyConnect SSL VPN on the ASA and want to authenticate users using AAA TACACS+ authentication with the ACS and an external Windows AD database.  I have done this successfully.  I also want to use the ACS for authenticating SSH management sessions into the ASA.  I have set up groups in AD and on the ACS called VPNUSERS and NETADMINS.  The problem is, I want the VPN users to ONLY be able to authenticate for VPN but not have access to log into the ASA CLI or ASDM.  The NETADMINS should be able to do both.  The question I have is how do I set up the VPNUSERS group in ACS to have access to connect to the ASA for VPN but not for the management console?  It seems that if they can authenticate for VPN, they can also SSH to the firewall, which is what I want to prevent.&lt;/P&gt;</description>
      <pubDate>Sun, 10 Mar 2019 23:23:13 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/acs-asa-authentication-for-vpn-access-vs-console-management/m-p/1219686#M379120</guid>
      <dc:creator>Joshua Engels</dc:creator>
      <dc:date>2019-03-10T23:23:13Z</dc:date>
    </item>
    <item>
      <title>Re: ACS/ASA authentication for vpn access vs. console management</title>
      <link>https://community.cisco.com/t5/network-access-control/acs-asa-authentication-for-vpn-access-vs-console-management/m-p/1219687#M379151</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Try using Network Access Restrictions (NAR), where you can restrict the administrative access on a per-device or on an NDG basis.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;By default, user accounts from an external database such as AD in ACS will get authenticated through telnet on a network device or an AAA client, which can be restricted by enabling NAR in ACS.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;In your case it should be the VPNUSERS group in ACS.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;HTH&lt;/P&gt;&lt;P&gt;Ahmed&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 16 Mar 2009 08:07:26 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/acs-asa-authentication-for-vpn-access-vs-console-management/m-p/1219687#M379151</guid>
      <dc:creator>sahmedshahcsd</dc:creator>
      <dc:date>2009-03-16T08:07:26Z</dc:date>
    </item>
    <item>
      <title>Re: ACS/ASA authentication for vpn access vs. console management</title>
      <link>https://community.cisco.com/t5/network-access-control/acs-asa-authentication-for-vpn-access-vs-console-management/m-p/1219688#M379186</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Using Network Access Restrictions is the solution here. Please see this link:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml" target="_blank"&gt;http://cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;~JG&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 16 Mar 2009 20:23:26 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/acs-asa-authentication-for-vpn-access-vs-console-management/m-p/1219688#M379186</guid>
      <dc:creator>Jagdeep Gambhir</dc:creator>
      <dc:date>2009-03-16T20:23:26Z</dc:date>
    </item>
  </channel>
</rss>