C2S vpn with tacacs authentication

sansarav720e
Level 1

Hi All,

By default the ASA box points to RADIUS authentication port UDP 1645 on the Cisco ACS box for end user authentication. Is it possible to have TACACS authentication for end users while connecting to the VPN?

If we use TACACS as the protocol for authentication, how will authentication and authorisation happen for the end user? With RADIUS, authentication and authorisation happen on a single password, whereas that is not possible for the TACACS protocol.

HTH Regards Santhosh Saravanan

andamani
Cisco Employee

Hi,

TACACS+ and RADIUS are two different protocols. Authentication and authorization cannot be separated on RADIUS, while they can be separated in TACACS+.

The following link gives details of the difference between them.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml

You can certainly configure the TACACS server for authentication of VPN. Here is a sample config.

aaa-server vpn protocol tacacs+
aaa-server vpn host 10.11.1.2
key cisco123

tunnel-group vpn3000 general-attributes
address-pool vpnclient
authentication-server-group vpn

Hope this helps.

Regards,
Anisha

P.S.: Please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
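Added for comparison (this is not the poster's configuration and not from Cisco documentation): a fuller ASA fragment that defines the TACACS+ server group from the sample above beside an equivalent RADIUS server group, so the two protocol choices can be seen side by side, followed by the test command used to verify that the ASA can authenticate against the chosen group before it is attached to the tunnel group. The server addresses, the shared keys, the interface name "inside" and the pool name "vpnclient" are assumed values.

```cisco
! --- Option A: TACACS+ server group for VPN user authentication ---
! Authentication and authorization are separate in TACACS+, so a
! separate authorization-server-group can be attached if required.
aaa-server vpn protocol tacacs+
aaa-server vpn (inside) host 10.11.1.2
 key cisco123
 timeout 5

! --- Option B: equivalent RADIUS server group (assumed address/key) ---
! RADIUS authenticates and authorizes on the same exchange; the ASA
! defaults to UDP 1645 for authentication unless overridden here.
aaa-server vpn-radius protocol radius
aaa-server vpn-radius (inside) host 10.11.1.3
 key radius123
 authentication-port 1645
 accounting-port 1646
 timeout 5

! Address pool referenced by the tunnel group (assumed range)
ip local pool vpnclient 192.168.100.10-192.168.100.100

! Attach ONE of the server groups to the tunnel group
tunnel-group vpn3000 general-attributes
 address-pool vpnclient
 authentication-server-group vpn
! authentication-server-group vpn-radius   <- alternative for Option B

! Verify reachability and credentials against the server group from
! the ASA itself before testing with a VPN client (exec mode):
! test aaa-server authentication vpn host 10.11.1.2 username testuser password testpass
```

The `test aaa-server` command reports whether the ASA received an accept or reject from the server, which separates a wrong shared key or unreachable server from a problem in the tunnel group itself.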

Hi Anisha,

Thanks for your postings. When we configure a Cisco IOS device for TACACS authentication it prompts for two separate passwords for accessing privilege mode and enable mode.

Likewise, does the VPN client look for two passwords, or else will it start to connect with the privilege mode password, ignoring the enable password?

Similarly, for end users is it possible to change their password during initial login when we use TACACS as the protocol, where it is not possible using the RADIUS protocol, which looks for an external server configured with the ACS server for password change during initial login?

HTH Regards Santhosh Saravanan

Hi,

You are mistaking the login to the device for the VPN connection credentials.

When you configure VPN, the authentication for the same is to allow the user to be able to connect to the VPN and not to enter a device.

Also, the authentication for the enable mode depends on the configuration you have done.

I did not get your last paragraph.

Regards,

Anisha

Hi Anisha,

I need a few things to be cleared up over here. When I point to TACACS as the protocol on my ASA device for the VPN tunnel group, on the ACS box under network configuration do I need to choose Cisco ASA\RADIUS\VPN3000, or do I need to choose Cisco IOS under device addition for this ASA device?

I have a requirement that the password should be changed by the VPN user during initial logon. How do I achieve this password change when we use the RADIUS or TACACS protocol?

When we use the RADIUS protocol it is not possible to change the password during initial login. Correct me if I am wrong over here.

HTH Regards Santhosh Saravanan