06-12-2013 10:41 AM - edited 03-10-2019 08:32 PM
I have some administrators that log into switches and some end-users that need to be able to authenticate to a VPN. I am running ACS 5.2. How can I set up authentication on the ACS so that an ASA 5520 will authenticate the users to a VPN, but will not authenticate the administrators?
I logged into the VPN session using an administrator account that is not a member of the user group.
I would think that it would be easy to do this and I am probably overlooking something, but the ASA is set up to use authentication from the ACS and it seems to authenticate any user that is on the ACS.
Thanks in advance,
Alex Pfeil
06-13-2013 01:56 AM
Hi Alex,
With ACS 5.2, you need to add the ASA as a TACACS and RADIUS AAA client.
Create 2 different identity groups on ACS: one for Admin and the other for VPN users.
Create an authorization rule under Default Network Access with the conditions:
Identity Group: Admin
Protocol: RADIUS
Device: ASA IP address (if you don't see this condition, use the Customize tab available in the bottom right corner)
Authorization Profile: Deny Access
Save.
In case you would like to configure the same via the ASA database (without ACS), here is a blog I created a month ago:
Jatin Katyal
- Do rate helpful posts -
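The rule above keys on Protocol: RADIUS, so it only does what Jatin describes if the ASA reaches ACS over RADIUS for VPN and over TACACS+ for device administration (ACS 5.x's default service selection rules send RADIUS to Default Network Access and TACACS+ to Default Device Admin, so the deny rule never touches the admin logins). The ASA-side configuration that produces that split is shown here as an added example; it is not from the thread or from Cisco's documentation. The ACS address 10.0.0.5, the interface name, the tunnel-group name and the key placeholder are assumptions.

```cisco
! Constructed example: two separate AAA server groups pointing at the same ACS.
! 10.0.0.5 and "inside" are assumed; replace <SHARED-SECRET-PLACEHOLDER> with the
! key configured on the ACS AAA client entry for this ASA.

! TACACS+ group: used only for management-plane logins (Default Device Admin on ACS)
aaa-server ACS-TACACS protocol tacacs+
aaa-server ACS-TACACS (inside) host 10.0.0.5
 key <SHARED-SECRET-PLACEHOLDER>

! RADIUS group: used only for remote-access VPN (Default Network Access on ACS,
! where the "Identity Group: Admin / Protocol: RADIUS -> Deny Access" rule lives)
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 10.0.0.5
 key <SHARED-SECRET-PLACEHOLDER>
 authentication-port 1812
 accounting-port 1813

! Administrators authenticate via TACACS+; LOCAL fallback keeps console access if ACS is down
aaa authentication ssh console ACS-TACACS LOCAL
aaa authentication http console ACS-TACACS LOCAL
aaa authentication enable console ACS-TACACS LOCAL

! VPN users authenticate via RADIUS, so an Admin-group account hitting this
! tunnel-group gets an Access-Reject from the ACS deny rule
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group ACS-RADIUS
```

To confirm the split is working, log in to the VPN with an Admin-group account and check the ACS Monitoring and Reports RADIUS authentication log: the attempt should show as failed by the deny rule under Default Network Access, while the same account's SSH login to the ASA still appears as a TACACS+ pass under Default Device Admin.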
06-13-2013 04:21 AM
So basically, you have to use authorization as well as authentication instead of just authentication?
Thanks,
Alex
06-13-2013 05:54 AM
Yes, we have to use the authorization rule for determining the access permissions in a network access service.
Jatin Katyal
- Do rate helpful posts -