02-01-2011 02:12 PM - edited 03-10-2019 05:47 PM
Hello, I have an ASA 5540 and ACS 4.2 (AD backend), and I want unified authentication for management and VPN access.
For example, I will have two groups in ACS (AD mapping): Admins and VPN access.
I would like Admins to have full access (shell, VPN), and "VPN access" only VPN, no shell of any kind.
I understand how to do it with RADIUS - use "Service-type" and a Network Access Profile - but how do I do it with TACACS+?
02-02-2011 08:03 PM
There is a trick.
I explained almost the same scenario in a 2008 post:
https://cisco-support.hosted.jivesoftware.com/message/853751#853751
In order to achieve this, you should have the same ASA added as both a TACACS and a RADIUS AAA client.
Since you want the admin group to have FULL access, don't change anything on that group.
Now the vpnaccess group on ACS should only have access to VPN, so here you need to implement an IP based NAR.
Go to the group setup >> IP based NAR.
Hope this helps.
Rgds, Jatin
Do rate helpful posts~
02-02-2011 07:13 AM
Hi Misha,
I think you can restrict access to the network using a NAR for the particular group.
The following link will explain the same to you in more detail.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved.
02-02-2011 12:00 PM
Good evening, Anisha.
Sorry, but I don't see how NAR will help me; as I understand it, NAR is used when I need to filter the "point of access", but I need to filter based on the "type of access".
I can't see a way to differentiate whether the TACACS request was for VPN access or for SSH access (or how to explicitly allow only remote access, for example, as I can in RADIUS).
02-03-2011 03:04 AM
Thank you for clarifying that it's not possible with TACACS. I was almost sure that it's not possible, but I needed a proof.
I will use a different solution though: ASA documentation states that you may send Service-type "5" (Outbound) from ACS and the user will be allowed *only* VPN access, not shell, so I count on the network access profile; NAR seems totally useless for me.
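As an added illustration, not from any post in this thread, this is the ASA side of the approach Misha settles on: one RADIUS server group serves both management-plane and remote-access authentication, so the Service-Type value that ACS returns for a group is what decides whether an account can reach the shell. The server group name, host address, tunnel-group name and shared secret are placeholders.

```text
! --- ACS reached over RADIUS (group name and address are placeholders)
aaa-server ACS protocol radius
aaa-server ACS (inside) host 192.0.2.10
 key <shared-secret>

! --- Management-plane logins authenticate against the same ACS group,
!     with LOCAL as fallback if ACS is unreachable
aaa authentication ssh console ACS LOCAL
aaa authentication http console ACS LOCAL
aaa authentication enable console ACS LOCAL

! --- The remote-access tunnel group authenticates against the same group
tunnel-group RA-VPN general-attributes
 authentication-server-group ACS
```

On the ACS side, the "VPN access" group's network access profile returns Service-Type 5 (Outbound) so those users get VPN only, while the Admins group is left without that attribute so the same credentials still work for SSH and ASDM.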