https://community.cisco.com/t5/network-access-control/webvpn-authentication/m-p/1123196#M5399 <HTML><HEAD></HEAD><BODY><P>Prem this is 5+ from me <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Mon, 25 Aug 2008 02:47:21 GMT Marwan ALshawi 2008-08-25T02:47:21Z https://community.cisco.com/t5/network-access-control/webvpn-authentication/m-p/1123189#M5380 <P>Hi,</P><P>We have setup SSLVPN on a Cisco 3800 to host VPN for IP Communicator (VOIP). IOS = IOS AdvanceSecurity 12.4-15(T) and Cisco Secure ACS v3.0</P><P>We have trialed an authentication method by using our existing TACACS+ server to host the AAA for the SSLVPN but the problem is the same user account can login to our routers using the same TACACS+. </P><P>Is there a way to permit SSLVPN auth for VOIP use and deny access to our routers using the same AAA server?</P> Fri, 21 Feb 2020 18:21:55 GMT https://community.cisco.com/t5/network-access-control/webvpn-authentication/m-p/1123189#M5380 Peter Valdes 2020-02-21T18:21:55Z https://community.cisco.com/t5/network-access-control/webvpn-authentication/m-p/1123190#M5385 <HTML><HEAD></HEAD><BODY><P>if u are giveing users a pool of IPs through the ssl vpn u can u se an ACL on the outside interface that allow only access to the voip network and deny anything els!</P></BODY></HTML> Thu, 21 Aug 2008 10:34:21 GMT https://community.cisco.com/t5/network-access-control/webvpn-authentication/m-p/1123190#M5385 Marwan ALshawi 2008-08-21T10:34:21Z https://community.cisco.com/t5/network-access-control/webvpn-authentication/m-p/1123191#M5388 <HTML><HEAD></HEAD><BODY><P>Hi, Thanks for the reply.</P><P>The part has been secured. The problem is when they are not using the VPN. Normal ADSL connection and if they know the public IP Address of one router, they can VTY/SSH to it using their TACACS+ account.</P><P></P><P>VTY has ACL already to only allow our internal network in. SSH is for outside use.</P><P></P><P>I should have included this on the first message to be more clearer.</P><P>Is there a setup on the TACACS+ to deny VTY/SSH use of the accounts?</P><P></P><P>Thanks</P></BODY></HTML> Thu, 21 Aug 2008 22:14:47 GMT https://community.cisco.com/t5/network-access-control/webvpn-authentication/m-p/1123191#M5388 Peter Valdes 2008-08-21T22:14:47Z https://community.cisco.com/t5/network-access-control/webvpn-authentication/m-p/1123192#M5391 <HTML><HEAD></HEAD><BODY><P>in this case you need to use AUth proxy if ur router include IOS firewall feature</P><P>this way u can spisify whay ports are allowed and use source and distination IPs.</P></BODY></HTML> Fri, 22 Aug 2008 03:27:49 GMT https://community.cisco.com/t5/network-access-control/webvpn-authentication/m-p/1123192#M5391 Marwan ALshawi 2008-08-22T03:27:49Z https://community.cisco.com/t5/network-access-control/webvpn-authentication/m-p/1123193#M5394 <HTML><HEAD></HEAD><BODY><P>As your Tacacs+ is ACS, then you can make use of NAR (Network Access Restriction).</P><P></P><P>Users will be prompted for username/password if device is configured for the same, but they wont be able to telnet/ssh into the Network Device. But should be able to do VPN.</P><P></P><P>Please go through what attributes are evaluated for a NAR to be applied,</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml" target="_blank">http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml</A></P><P></P><P>Regards,</P><P>Prem</P><P></P><P>Please rate if it helps!</P></BODY></HTML> Fri, 22 Aug 2008 11:40:32 GMT https://community.cisco.com/t5/network-access-control/webvpn-authentication/m-p/1123193#M5394 Premdeep Banga 2008-08-22T11:40:32Z https://community.cisco.com/t5/network-access-control/webvpn-authentication/m-p/1123194#M5397 <HTML><HEAD></HEAD><BODY><P>Thanks. I will try this and let you know on the result.</P><P></P><P>Thanks again for your replies.</P><P></P><P>Peter</P></BODY></HTML> Fri, 22 Aug 2008 13:02:27 GMT https://community.cisco.com/t5/network-access-control/webvpn-authentication/m-p/1123194#M5397 Peter Valdes 2008-08-22T13:02:27Z https://community.cisco.com/t5/network-access-control/webvpn-authentication/m-p/1123195#M5398 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>Thanks for all your help. NAR works.</P><P></P><P>Cheers</P><P>Peter</P></BODY></HTML> Mon, 25 Aug 2008 02:44:11 GMT https://community.cisco.com/t5/network-access-control/webvpn-authentication/m-p/1123195#M5398 Peter Valdes 2008-08-25T02:44:11Z https://community.cisco.com/t5/network-access-control/webvpn-authentication/m-p/1123196#M5399 <HTML><HEAD></HEAD><BODY><P>Prem this is 5+ from me <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Mon, 25 Aug 2008 02:47:21 GMT https://community.cisco.com/t5/network-access-control/webvpn-authentication/m-p/1123196#M5399 Marwan ALshawi 2008-08-25T02:47:21Z