ACS 5.3 and TACACS+ authentication from VPN

jack.leung
Level 1

Hi all,

I have a Cisco ASA (8.2) set up with remote access for my users using the Cisco VPN client. The authentication is passed off to my ACS 5.3, which then checks with AD. What I've done so far is create an Access Policy rule where I specifically define the Location and NDG where the ASA is, and then a DenyAllCommands command set. This should pass authentications just fine, but it also gives those users the ability to remote connect directly into the ASA and log in successfully. Even though there is a Deny Commands there, I would still prefer they get Access Denied as a message. If I do a Deny Access on the Shell Profile, then this stops the login authentication altogether. Is there a better way to do this?

2 Replies

Eduardo Aliaga
Level 4

I don't understand your exact requirements. If you configure a "Shell Profile" to "deny access", then when a user authentication matches that "Shell Profile", that user won't be allowed into the ASA.

Shell access simply restricts the commands you are allowed to use but does not deny the actual login into the ASA. The actual profile to prohibit someone from logging into the ASA also stops them from authenticating with their VPN, because both requests source the same way. After speaking with TAC, my mistake was combining the two. The solution is to have VPN authentications come via RADIUS and device authentication via TACACS+.
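The split described in the last reply, written out as ASA 8.2 CLI so the two request types can be told apart on the ACS side. This is an added example, not configuration posted in the thread; the interface name, the ACS address, the shared secrets, the aaa-server group names and the tunnel-group name are assumptions chosen for illustration.

```cisco
! --- Before (the setup the thread describes): one TACACS+ server group
! --- carries both VPN user authentication and device administration.
! --- Every login, VPN or SSH, reaches ACS as a TACACS+ request from the
! --- same NDG, so one authorization result applies to both.
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 10.0.0.10
 key <shared-secret>
aaa authentication ssh console ACS LOCAL
aaa authentication enable console ACS LOCAL
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group ACS

! --- After: separate protocols per purpose.
! TACACS+ group used only for administrative access to the ASA itself.
aaa-server TACACS-ADMIN protocol tacacs+
aaa-server TACACS-ADMIN (inside) host 10.0.0.10
 key <tacacs-shared-secret>
aaa authentication ssh console TACACS-ADMIN LOCAL
aaa authentication enable console TACACS-ADMIN LOCAL
aaa authorization command TACACS-ADMIN LOCAL

! RADIUS group used only for remote-access VPN user authentication.
aaa-server RADIUS-VPN protocol radius
aaa-server RADIUS-VPN (inside) host 10.0.0.10
 key <radius-shared-secret>
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group RADIUS-VPN
```

With this layout the ASA must be registered in ACS as a network device with both a TACACS+ secret and a RADIUS secret, and the Deny Access shell profile is attached only to the TACACS+ (device administration) access service. ACS selects the access service by protocol, so VPN users arriving over RADIUS never hit that shell profile, while anyone who tries SSH or console into the ASA does and is refused at login rather than merely stripped of commands. The trailing LOCAL fallback keeps an out-of-band administrative path if the ACS becomes unreachable; check `show aaa-server` after the change to confirm both groups report the server as ACTIVE.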