Two AAA Identity Groups

Alex Pfeil
Level 7

I have some administrators that log into switches and some end-users that need to be able to authenticate to a VPN. I am running ACS 5.2. How can I set up authentication on the ACS so that an ASA 5520 will authenticate the users to a VPN, but will not authenticate the administrators?

I logged into the VPN session using an administrator account that is not a member of the user group.

I would think that it would be easy to do this and I am probably overlooking something, but the ASA is set up to use authentication from the ACS and it seems to authenticate any user that is on the ACS.

Thanks in advance,

Alex Pfeil

3 Replies

Jatin Katyal
Cisco Employee

Hi Alex,

With ACS 5.2, you need to add the ASA as a TACACS and RADIUS AAA client.

Create 2 different identity groups on ACS. One for Admin and the other for VPN users.

Create an authorization rule under Default Network Access with the conditions:

Identity-group: Admin

Protocol: RADIUS

Device: ASA IP address (if you don't see this condition, use the Customize tab available in the bottom right corner)

Authorization profile: Deny access.

Save

In case you would like to configure the same via the ASA database (without ACS), here is a blog I created a month ago:

https://supportforums.cisco.com/community/netpro/security/aaa/blog/2013/05/05/restrict-local-admin-user-mgmt-purpose-to-access-vpn-on-asa-and-ios

Jatin Katyal
- Do rate helpful posts -

~Jatin
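The point of the reply is that ACS authenticates every account in its identity store, so the ASA has to be held back by an authorization rule rather than by authentication. Below is an added Python model of that rule evaluation (example code, not from the thread or from Cisco); the identity groups, the RADIUS/ASA conditions and the Deny Access result come from the reply, while the account names, the ASA and switch addresses, and the first-match-then-permit default are constructed assumptions for the example.

```python
"""Model of the ACS 5.2 behaviour discussed in the thread: authentication succeeds
for any known account, so access must be restricted by an authorization rule."""
from dataclasses import dataclass
from typing import Callable, List

# Constructed identity store: username -> identity group. Passwords are omitted
# because authentication is assumed to succeed for every known account, which is
# exactly the behaviour Alex observed.
IDENTITY_GROUPS = {"alex.admin": "Admin", "bob.vpn": "VPN Users"}

ASA_IP = "192.0.2.10"     # placeholder for the ASA 5520 AAA client address
SWITCH_IP = "192.0.2.20"  # constructed switch (TACACS AAA client) address


@dataclass
class Request:
    user: str
    protocol: str  # "radius" for the ASA VPN, "tacacs" for switch administration
    device: str    # AAA client address the request arrived from


@dataclass
class Rule:
    name: str
    matches: Callable[[Request, str], bool]  # (request, identity group) -> bool
    result: str                              # "Permit Access" or "Deny Access"


# The rule from the reply: Identity-group Admin + RADIUS + ASA -> Deny Access.
ADMIN_NO_VPN = Rule(
    "Admin-no-VPN",
    lambda req, grp: grp == "Admin" and req.protocol == "radius" and req.device == ASA_IP,
    "Deny Access",
)


def authorize(req: Request, rules: List[Rule]) -> str:
    """Authenticate the account, then evaluate authorization rules first-match.
    Without a matching rule the request falls through to the default, assumed
    here to be Permit Access (the 'any user on the ACS gets in' behaviour)."""
    group = IDENTITY_GROUPS.get(req.user)
    if group is None:
        return "Deny Access"  # authentication failure: account not in the store
    for rule in rules:
        if rule.matches(req, group):
            return rule.result
    return "Permit Access"


if __name__ == "__main__":
    print(authorize(Request("alex.admin", "radius", ASA_IP), []))             # Permit Access
    print(authorize(Request("alex.admin", "radius", ASA_IP), [ADMIN_NO_VPN]))  # Deny Access
```

The same Admin account still authorizes over TACACS to the switch, which is why the rule is scoped to the RADIUS protocol and the ASA device rather than to the Admin group alone.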

So basically, you have to use authorization as well as authentication instead of just authentication?

Thanks,

Alex

Yes, we have to use the authorization rule for determining the access permissions in a network access service.

Jatin Katyal
- Do rate helpful posts -

~Jatin