06-23-2009 11:04 AM - edited 03-10-2019 04:33 PM
I've searched through the forums a bit and there were several conversations that were similar to what I was doing, but I could not find any that were exact. Here is my scenario:
One ASA5520 as the Remote Access VPN head unit (IPSEC).
One Cisco ACS Server for VPN authentication as well as network device authentication for admins.
Network Device authentication uses TACACS. Remote Access VPN uses RADIUS. I have an Active Directory group that is mapped to an NDG that VPN users authenticate with.
I have need of a new, separate VPN for consultants. I want to use a different tunnel group and IP address range so I can define downloadable ACLs based on the group - not the users.
When I try and map another NDG to a new AD group, that works. When I try and add the ASA's IP address as the requestor, I'm greeted with a message that I cannot add the same IP twice.
There has to be a way to do this with such a robust server...
06-25-2009 06:06 AM
There is no need to add the ASA again in the aaa-clients section. The previous entry will take care of all the RADIUS requests coming from the ASA.
Regards,
~JG
Do rate helpful posts
06-25-2009 08:07 AM
I'm not really sure that answers my question... how do I authenticate to the separate AD group then? I want to use downloadable ACLs to the specific consultant group.