TACACS+ for unified ASA management and VPN auth

Hello, I have an ASA 5540 and ACS 4.2 (AD backend), and I want unified authentication for management and VPN access.

For example, I will have two groups in ACS (AD mapping): Admins and VPN access.

I would like Admins to have full access (shell, VPN), and "VPN access" only VPN, no shell of any kind.

I understand how to do it with RADIUS (use "Service-type" and a Network Access Profile), but how do I do it with TACACS+?

1 ACCEPTED SOLUTION

Cisco Employee
There is a trick.

I explained almost the same scenario in a 2008 post:

https://cisco-support.hosted.jivesoftware.com/message/853751#853751

In order to achieve this, you should have the same ASA added as both a TACACS+ and a RADIUS AAA client.

Since you want the admin group to have FULL access, don't change anything on that group.

Now, the vpnaccess group on ACS should have access only to VPN, so here you need to implement an IP-based NAR.

Go to the group setup >> IP-based NAR.

Hope this helps.

Rgds, Jatin

Do rate helpful posts~

~Jatin

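The ASA side of the two-AAA-client approach described above, as an added example that is not from the thread or from Cisco's documentation: management authentication (SSH, ASDM, enable) is sent to a TACACS+ server group, and the remote-access tunnel-group to a RADIUS server group, both pointing at the same ACS. It assumes an ASA 8.x image; the interface name, the address 192.0.2.10, the group and tunnel-group names and the shared secrets are constructed placeholders. As I read the trick, the ACS side then carries the same ASA address twice as an AAA client (one TACACS+ entry, one RADIUS entry), and the VPN-only group's IP-based NAR permits only the RADIUS entry, so that a shell login from a member of that group (which arrives over TACACS+) is rejected while the same user's VPN authentication (over RADIUS) succeeds.

```cisco
! Added example, not the thread's or Cisco's own configuration.
! 192.0.2.10, the interface name, group names and secrets are constructed placeholders.
!
! Server group used only for shell (SSH / ASDM / enable) authentication: TACACS+
aaa-server ACS-TACACS protocol tacacs+
aaa-server ACS-TACACS (inside) host 192.0.2.10
 key REPLACE_WITH_TACACS_SECRET
!
! Server group used only for remote-access VPN authentication: RADIUS
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 192.0.2.10
 key REPLACE_WITH_RADIUS_SECRET
!
! Management access asks the TACACS+ group; LOCAL is the fallback if ACS is unreachable
aaa authentication ssh console ACS-TACACS LOCAL
aaa authentication http console ACS-TACACS LOCAL
aaa authentication enable console ACS-TACACS LOCAL
!
! The VPN tunnel-group asks the RADIUS group, so VPN users never hit the TACACS+ client entry
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group ACS-RADIUS
```

To confirm the split behaves as intended, `test aaa-server authentication ACS-TACACS host 192.0.2.10 username <vpn-only-user> password <pw>` should be rejected once the NAR is in place, while the same credentials against `ACS-RADIUS` should be accepted; `show aaa-server ACS-TACACS` and `show aaa-server ACS-RADIUS` show whether each group is reachable. Note that the `LOCAL` fallback means any local ASA account can still reach the shell when ACS is down, so keep local accounts to the minimum needed for recovery.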

4 REPLIES
Cisco Employee

Hi Misha,

I think you can restrict access to the network using a NAR for the particular group.

The following links will explain the same to you in more detail.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml#wp34608

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved.

Good evening, Anisha.

Sorry, but I don't see how NAR will help me; as I understand it, NAR is used when I need to filter the "point of access", but I need to filter based on the "type of access".

I can't see a way to differentiate whether the TACACS request was for VPN access or for SSH access (or how to explicitly allow only remote access, for example, as I can do in RADIUS).


Thank you for clarifying that it's not possible with TACACS; I was almost sure that it's not possible, but I needed proof.

I will use a different solution though: ASA documentation states that you may send Service-Type "5" (Outbound) from ACS and the user will be allowed *only* VPN access, not shell, so I'm counting on the Network Access Profile; NAR seems totally useless for me.
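The RADIUS approach settled on above, as an added example that is not from the thread or from Cisco's documentation: one RADIUS server group serves both shell and VPN authentication, and ASA management authorization is enabled so that the Service-Type attribute ACS returns for the user's group decides whether an authenticated user may open a shell at all. It assumes an ASA 8.x image that supports `aaa authorization exec authentication-server`; the interface name, the address 192.0.2.10, the group and tunnel-group names and the shared secret are constructed placeholders.

```cisco
! Added example, not the thread's or Cisco's own configuration.
! 192.0.2.10, the interface name, group names and the secret are constructed placeholders.
!
! Single RADIUS server group for everything
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 192.0.2.10
 key REPLACE_WITH_RADIUS_SECRET
!
! Shell / ASDM / enable authenticate against that group (LOCAL as recovery fallback)
aaa authentication ssh console ACS-RADIUS LOCAL
aaa authentication http console ACS-RADIUS LOCAL
aaa authentication enable console ACS-RADIUS LOCAL
!
! Management authorization: let the Service-Type returned by ACS gate shell access.
!   Service-Type 6 (Administrative) -> full management access
!   Service-Type 7 (NAS-Prompt)     -> CLI login allowed, enable / ASDM configuration denied
!   Service-Type 5 (Outbound)       -> management access denied; VPN sessions still allowed
aaa authorization exec authentication-server
!
! The VPN tunnel-group uses the same group; a Service-Type 5 user can only ever land here
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group ACS-RADIUS
```

On the ACS side this pairs with the Admins group returning IETF RADIUS attribute [006] Service-Type = Administrative (6) and the VPN-access group returning Service-Type = Outbound (5). With management authorization on, a user whose group returns Outbound is refused at the SSH, ASDM and enable prompts even though the password was accepted, yet can still bring up a VPN session. `test aaa-server authentication ACS-RADIUS host 192.0.2.10 username <user> password <pw>` only confirms the credential check; the Service-Type decision itself shows up in `debug radius` output during an SSH attempt, which is the quickest way to verify that a VPN-only group is really returning 5 and not falling back to a default that would grant a shell.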
