cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1144
Views
0
Helpful
4
Replies

TACACS+ for unified ASA management and VPN auth

misha_bac
Level 1
Level 1

Hello, I have ASA 5540 and ACS 4.2 (AD backend), I want unified authen for management and vpn access.

For example I will have two groups in ACS (AD mapping): Admins, VPN access.

I would like Admins to have full access (shell, VPN), and "VPN access" only vpn, no shell of any kind.

I understand how to do it with RADIUS - use "Service-type" and Network access profile, but how to do it with TACACS+?

1 Accepted Solution

Accepted Solutions

Jatin Katyal
Cisco Employee
Cisco Employee

There is a trick


I explained almost the same scenario in 2008 post

https://cisco-support.hosted.jivesoftware.com/message/853751#853751


In order to acheive this, you should have same ASA added for TACACS and RADIUS AAA cleint.



Since you want admin group should have FULL access so don't change anything on that group.


Now vpnaccess group on ACS should have only access to VPN then here you need to implement IP based NAR

Go to the group setup >> ip based NAR


Hope this helps.


Rgds, Jatin



Do rate helpful posts~

~Jatin

View solution in original post

4 Replies 4

andamani
Cisco Employee
Cisco Employee

Hi Misha,

i think you can restrict the Access of the network using NAR for the particular group.

The following links will explain the same to you in more detail.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml#wp34608

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved.

Good evening, Anisha.

Sorry, but I don't see how NAR will help me, as I understand NAR is used when I need to filter "point of access", but I need to filter based on "type of access".

I can't see the way in which I can differentiate, either TACACS request was for VPN access, or for ssh access (or how to explicity allow only remote access for example, as I can do in RADIUS)

Jatin Katyal
Cisco Employee
Cisco Employee

There is a trick


I explained almost the same scenario in 2008 post

https://cisco-support.hosted.jivesoftware.com/message/853751#853751


In order to acheive this, you should have same ASA added for TACACS and RADIUS AAA cleint.



Since you want admin group should have FULL access so don't change anything on that group.


Now vpnaccess group on ACS should have only access to VPN then here you need to implement IP based NAR

Go to the group setup >> ip based NAR


Hope this helps.


Rgds, Jatin



Do rate helpful posts~

~Jatin

Thank you for clarifying that it's not possible with TACACS, I was almost sure that it's not possible, but I was need a proof

I will use different solution though, ASA documentation states that you may send Service-type "5" (Outband) from ACS and user will be allowed *only* VPN access, not shell, so I count on network access profile, NAR seems totaly useless for me.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: