Question on ASA & AAA using ACS 5.3

Level 1

Hi guys,

I am testing a scenario in ACS 5.3 with ASA 8.4.3.

I have 3 sets of users.

Group1 - admins with full cmd access

Group2 - admins with limited cmd access

Group3 - remote access vpn users access

Device admins will connect via TACACS and I want to do authentication, authorization and accounting using ACS.

RA vpn users will use radius to get access to asa.

On acs, here's what I have done till now.

1. Created network device groups - device type - MyGRP1

2. Added asa as aaa client

3. Added test users mapped to their identity groups, for example

test1 -> full access group

test2 -> limited access group

test3 -> vpn access group

4. In Policy elements, I have created 2 command sets for users in full access and limited access.

Question 1: Do I also create a new shell profile for these user groups?

Question 2: What should I do here for VPN users?

5. In access policies, I have duplicated the default device admin and network access services.

Question 3: What should I do now in access policies?

I know I need to do some more configuration, but I am confused now, so if anyone can guide me on this it will be really helpful.

4 Replies

Jatin Katyal
Cisco Employee

No, we don't need to create a new shell profile unless we are sending different attributes.

For VPN users, you need to go inside Access Policies > Default Network Access > Authorization policy > Create new > as a condition you can use the "Identity group" and protocol as "Radius", and in the authorization you can use "Permit".

Don't forget to set default rule to "Deny".


For device administration, you need to configure "Default Device Admin".

For network access/connection, you need to configure "Default Network Access".

Do rate helpful posts-


Thanks Jatin, but it is still not clear. Sorry.

Is that all to be done? Do I not need to create an authorization policy and identity policy for each and map it to the NDG?

What do I need to do for the VPN users command set / authorization profile?

The command authorization feature only works for device administration purposes, and only with TACACS. It cannot be used for VPN authentication.

In the Identity tab you need to select the database against which you want your user to be queried/checked.

If you would like to select the NDG, then that would be additional configuration, or we can say more conditions. However, what I suggested in the last post was the bare minimum configuration on ACS to get VPN authentication to work.

Again, as I said, for VPN authentication you make changes under

Default Network Access—Used for RADIUS-based access to network connectivity

Hope that helps.


Okay Jatin.

I think I have completed the ACS configuration. This is what I have in the end:

1. Network Device Groups

Device Type

-> 1. Internal Network

-> 2. VPN Guys

Network Devices and AAA Clients

-> Added my ASA vpn head end details

2. Users and Identity Stores

Identity Groups

-> Created 3 groups

--> a. Full cmd access

--> b. Restricted cmd access

--> c. VPN user access

Internal Identity Stores

-> Users -> added 3 users

--> 1. userA - Identity group - Full cmd access

--> 2. userB - Identity group - Restricted cmd access

--> 3. userC - Identity group - VPN user access

3. Policy Elements

Network Access - Authorization Profiles -> No change. Just keeping 'Permit Access'

Device Administration

-> Shell Profiles - no change

-> Command sets - created 2 command sets

--> Set1 - for Full cmd access users

--> Set2 - for Restricted cmd access users

4. Access Policies

Service Selection Rules

-> duplicated the default services - 'Default Device Admin' and 'Default Network Access'

-> New ones are - 'New Device Admin' and 'New Network Access'

A. 'New Device Admin'

-> Identity

--> default - Reject, Reject, Drop

-> Authorization

--> created 2 authorization policies

---> a. Full cmd access policy - identity group 'Full cmd access' (created before), NDG: Device type = 'Internal Network' (created before), Shell Profile = 'Permit Access' (default), Command Sets = Set1 (created before)

---> b. Restricted access policy - identity group 'Restricted cmd access' (created before), NDG: Device type = 'Internal Network' (created before), Shell Profile = 'Permit Access' (default), Command Sets = Set2 (created before)

B. 'New Network Access'

-> Identity

--> default - Reject, Reject, Drop

-> Authorization

--> created 1 authorization policy

---> VPN authorization policy - identity group 'VPN user access' (created before), NDG: Device type = 'VPN Guys' (created before), Protocol = match Radius, Authorization Profiles = 'Permit Access' (default)

Now, does this look correct, or do I need to configure something else as well?
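The thread only covers the ACS side. The ASA 8.4 configuration that pairs with it, sending device-administration logins to ACS over TACACS+ (with per-command authorization and command accounting, so the two command sets actually take effect) and remote-access VPN authentication over RADIUS, is shown below as an added example; it is not part of the original thread. The server tags ACS-TACACS and ACS-RADIUS, the ACS address 192.0.2.10, the interface name inside, the tunnel-group name RA-VPN and the shared-secret placeholders are all assumptions.

```text
! Added example, not from the thread: ACS address, keys and names are placeholders.
! TACACS+ server group for device administration (the 'New Device Admin' service on ACS)
aaa-server ACS-TACACS protocol tacacs+
aaa-server ACS-TACACS (inside) host 192.0.2.10
 key REPLACE-WITH-TACACS-SHARED-SECRET
!
! RADIUS server group for remote-access VPN users (the 'New Network Access' service on ACS)
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 192.0.2.10
 key REPLACE-WITH-RADIUS-SHARED-SECRET
!
! Device administration: authenticate SSH logins and enable against ACS,
! falling back to the local user database only when ACS is unreachable
aaa authentication ssh console ACS-TACACS LOCAL
aaa authentication enable console ACS-TACACS LOCAL
! Per-command authorization: every command is checked against the user's ACS command set
! (Set1 for full access, Set2 for restricted access); LOCAL fallback uses local privilege levels
aaa authorization command ACS-TACACS LOCAL
! Command accounting: executed commands are recorded on ACS
aaa accounting command ACS-TACACS
!
! Remote-access VPN: the tunnel group authenticates its users through RADIUS
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group ACS-RADIUS
```

Before adding the `aaa authorization command` line, keep a second management session open and verify reachability and credentials from the ASA with `test aaa-server authentication ACS-TACACS host 192.0.2.10 username userA password <password>` and `show aaa-server ACS-TACACS`; a server marked FAILED on that output, or a mismatched shared secret, is the usual reason the restricted user is either locked out entirely or silently falls back to LOCAL privilege levels instead of the ACS command set.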