Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

Alex Pfeil
Rising star

Two AAA Identity Groups

I have some administators that log into switches and some end-users that need to be able to authenticate to a VPN.  I am running ACS5.2.  How can I setup Authentication on the ACS so that an ASA 5520 will authenticate the users to a VPN, but will not authenticate the administrators.

I logged into the VPN session using an administrator account that is not a member of the user group.

I would think that it would be easy to do this and I am probably overlooking something, but the ASA is setup to use authentication from the ACS and it seems to authenticate any user that is on the ACS.

Thanks in advance,

Alex Pfeil                  

Jatin Katyal
Cisco Employee

Hi Alex,

With ACS 5.2, you need to add ASA as a TACACS and RADIUS aaa client.

Create 2 differernt identities groups on ACS. One for Admin and other for VPN users.

Create a authorization rule under default network access with a conditions as

Identity-group: Admin

Protocol as radius

Device: ASA-IP address ( if you don't see this condition, use the customize tab available in the bottom right corner)

Authorization profile: Deny access.


In case you would like to configure same via ASA database (without ACS). here is a blog I created a month ago

Jatin Katyal
- Do rate helpful posts -


So basically, you have to use authorization as well as authentication instead of just authentication?



Yes we have to use the autorization rule for determining the access permissions in a network access  service.

Jatin Katyal
- Do rate helpful posts -

Content for Community-Ad