AAA config on ASA (8.x)

slug420 · ‎01-11-2011

What would my AAA config look like on an ASA...and on my ACS server (CSACS 4.2) if I wanted administrative ssh connections to the ASA to be authenticated against one directory (via tacacs) and VPN users connecting to the ASA to be authenticated against another source?

Right now I am authenticating admin connections against a directory through the ACS server but want to be able to authenticate a subset of those users against a different directory also via the ACS server for VPN access. Both directories are already configured on the ACS server and I know how to configure the VPN..just want to make sure im not going to be forcing admins to authenticate to the FW via directory2 and make sure that vpn users cannot authenticate via directory1 and make sure that im not allowing all VPN users to login to the FW as admins (or vice versa)

Bastien Migette · ‎01-12-2011

Hello slug,

You can go in network access profiles, and create two separates profiles, each profiles authenticating through a separate authentication method that you can define.

When you'll create the profile, you can define what conditions should be met to map an authentication request to this profile, so you can match an attribute that is specific for each authentication.

To find out one, just authenticate vpn and admin users, and check the attributes that are sent to the acs server.

It's also a common setup to use tacacs for admin access, and radius for vpn access, so that's even easier to match.

Hope this help.

Regards,
bastien.