ACS 5.x Auth for VPN and SSH/management users

Hi, this is my test lab. I have an ASA 5505 and a few 1841 routers. How can I make 2 groups for authentication on ACS, via SSH and VPN? The first is management SSH, and I make this via TACACS; the second is VPN, and authentication for those users works via RADIUS.

I made 2 user groups in ACS: the first is gr_Admins for SSH/management via TACACS, and the second is gr_VPN for VPN via RADIUS.

Is there some way that I can divide these two groups? If I give gr_Admins authentication with RADIUS, they would be able to log in with VPN, and I don't want that. I want one group for SSH, and the other only for VPN.

English is not my native language, so I apologize for bad writing.

CCNA R&S, CCNA Security

8 Replies

Eduardo Aliaga
Level 4

About SSH and VPN, you can use the default "Service Selection Rules". The service called "Default Network Access" will take care of VPNs, and the service called "Device Admin" will take care of TACACS.

About users, you could create "attributes". For example, you could create a user attribute called "vpn-attribute" and then create an "access service rule" that will let this user access the VPN only if the "vpn-attribute" is set to "true".

Also, you could create the "ssh" attribute and create an "access service rule" that will let this user access a device by using SSH only if the ssh attribute is set to true.

That way you can have all the options for your users (users that can only SSH, users that can only use the VPN, users that can use both SSH and VPN, and users that can't use anything).

Please rate if this helps
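The device side of the split described in this answer, as an added example configuration that is not part of this thread: the 1841 routers (and the ASA's own SSH) send TACACS+, which ACS's default Service Selection Rules send to the Device Admin service, while the ASA's remote-access VPN sends RADIUS, which lands in Default Network Access. The ACS address 192.0.2.10, the shared keys, the MGMT method-list name, the RA-VPN tunnel-group and the local fallback account are assumptions, not values from the thread.

```cisco
! --- 1841 router: SSH management authenticated and authorized via TACACS+ (ACS Device Admin)
aaa new-model
tacacs-server host 192.0.2.10 key ACS_TACACS_KEY_PLACEHOLDER
aaa authentication login MGMT group tacacs+ local
aaa authorization exec MGMT group tacacs+ local
! Authorize commands at both privilege levels the thread uses: 15 for gr_Admins, 10 for helpdesk
aaa authorization commands 15 MGMT group tacacs+ local
aaa authorization commands 10 MGMT group tacacs+ local
aaa authorization config-commands
aaa accounting commands 15 MGMT start-stop group tacacs+
! Local fallback account so the router stays reachable if ACS is down (assumed name)
username localadmin privilege 15 secret LOCAL_SECRET_PLACEHOLDER
line vty 0 4
 transport input ssh
 login authentication MGMT
 authorization exec MGMT
 authorization commands 15 MGMT
 authorization commands 10 MGMT

! --- ASA 5505: VPN users authenticated via RADIUS (ACS Default Network Access)
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 192.0.2.10
 key ACS_RADIUS_KEY_PLACEHOLDER
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group ACS-RADIUS

! --- ASA 5505: its own SSH management still goes to TACACS+, so VPN-only users never get a shell
aaa-server ACS-TACACS protocol tacacs+
aaa-server ACS-TACACS (inside) host 192.0.2.10
 key ACS_TACACS_KEY_PLACEHOLDER
aaa authentication ssh console ACS-TACACS LOCAL
aaa authorization exec authentication-server
```

With this split, a gr_VPN user who tries SSH is evaluated by the Device Admin service (and its shell-profile/command-set rules), and a gr_Admins user who tries the VPN is evaluated by Default Network Access, so each side can be denied independently in ACS.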

I will now try your solution

CCNA R&S, CCNA Security

Hi

I tried your solution, but I cannot create any rules; when I click on Create, a new window appears with the error "ErrorCode: 500 has occured". I use the ACS 5.4 trial.

Have a nice day

CCNA R&S, CCNA Security

What browser and code are you using?

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Hahahha, that is the problem. I looked on Google and found what I must do: I use Xubuntu with FF 20 and Chrome, so I installed Windows XP on VirtualBox, installed Firefox 3, and now it is OK :)

CCNA R&S, CCNA Security

Let us know if you have any more questions.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

I'm back again. I made two rules: the first is Management Access for the Admin group, and the second is Network Access for VPN. The first matches TACACS, the second RADIUS. First I made Shell Profiles (static level 15) and Command Sets. (I managed to set it up so that the helpdesk group is only allowed the commands specified below; helpdesk users can again use all the commands they need (conf t etc.), and they have privilege level 10.)

To get back to the first question: the Admin group has all rights and can use all the commands, so they are not the problem. How do I configure the VPN group, which only authenticates to the ASA over RADIUS? Which values do I put in the privileges of the Shell Profile for VPN: Default Privilege and Maximum Privilege static 0, or NULL in the Shell Profile field? And what do I do with Command Sets for the VPN group, the same NULL or DenyAllCommands?

Please help me with the Command Sets:

show ip int

show int

show ver

CCNA R&S, CCNA Security

Hi, any new comment?


Sent from Cisco Technical Support Android App

CCNA R&S, CCNA Security