03-05-2012 03:26 PM - edited 03-10-2019 06:52 PM
Hi all,
I have a Cisco ASA (8.2) set up with remote access for my users using the Cisco VPN client. The authentication is passed off to my ACS 5.3, which then checks with AD. What I've done so far is create an Access Policy rule where I define specifically the Location and NDG where the ASA is, and then a DenyAllCommands command set. This should pass authentications just fine, but this also gives those users the ability to remotely connect directly into the ASA and log in successfully. Even though there is a Deny Commands there, I would still prefer they get Access Denied as a message. If I do a Deny Access on the Shell Profile, then this stops the login authentication altogether. Is there a better way to do this?
03-07-2012 03:49 PM
I don't understand your exact requirements. If you configure a "Shell Profile" to "deny access" then when a user authentication matches that "Shell Profile" that user won't be allowed into ASA.
03-13-2012 02:17 PM
Shell access simply restricts the commands you are allowed to use but does not deny the actual login into the ASA. The actual profile to prohibit someone from logging into the ASA also stops them from authenticating with their VPN because both requests source the same way. After speaking with TAC my mistake was combining the two. The solution is to have VPN authentications come via Radius and device authentication TACACS+.
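As an added illustration of the split described above (not configuration posted in this thread, and not tied to the original poster's environment), the following ASA 8.2-style fragment sends VPN user authentication to a RADIUS server group and device administration (SSH, ASDM, enable, command authorization) to a TACACS+ group, so a "deny access" Shell Profile on the ACS can be matched by the TACACS+ protocol alone without touching the VPN path. The server address 10.0.0.10, the group names VPN-RADIUS and ADMIN-TACACS, the tunnel-group name RA-VPN and the key placeholders are assumptions.

```cisco
! --- Assumed server groups: one per protocol, same ACS 5.3 host ---
aaa-server VPN-RADIUS protocol radius
aaa-server VPN-RADIUS (inside) host 10.0.0.10
 key <RADIUS-SHARED-SECRET-PLACEHOLDER>
!
aaa-server ADMIN-TACACS protocol tacacs+
aaa-server ADMIN-TACACS (inside) host 10.0.0.10
 key <TACACS-SHARED-SECRET-PLACEHOLDER>
!
! --- Remote-access VPN users authenticate over RADIUS only ---
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group VPN-RADIUS
!
! --- Device management authenticates over TACACS+ (LOCAL as fallback
!     only if the ACS is unreachable, so admins are not locked out) ---
aaa authentication ssh console ADMIN-TACACS LOCAL
aaa authentication http console ADMIN-TACACS LOCAL
aaa authentication enable console ADMIN-TACACS LOCAL
aaa authorization command ADMIN-TACACS LOCAL
```

On the ACS side, the access service selection rule can then match on protocol (RADIUS versus TACACS+), so the Shell Profile that denies access applies only to TACACS+ device-admin requests while VPN users keep authenticating.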