
How to use tacacs+ authentication to assign a group policy at login in Cisco ASA

chia hao chang (Level 1)

Hi everyone

 

As the title says, does anyone know how this works?

I only found that it can work with LDAP authentication, but not with TACACS+:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html#noaccessgp

 

Please give me a hand, thanks.

2 Replies

If you want to use external authorization but not LDAP, then you should use RADIUS. There you can send the "class" attribute (#25) to the ASA, which carries the group-policy that should be assigned. I'm not aware of any way to achieve this through TACACS+.

Hi Karten,

I have a similar requirement. I used the ACS, configured an Auth profile, and mapped the RADIUS class (25) value to the ASA group-policy name (I even tried the tunnel-group name), but it does not work. It allows whatever VPN group the user selects, regardless of the user groups he belongs to.

I use two ACS local users, put them in two different groups, and mapped those two groups to two different Access rules in the ACS, pointing to the correct Auth profile, etc.

I am not sure what the issue could be and would appreciate it if you can advise.

Thanks in advance.
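The following is a worked configuration example added here; it is not from the original thread, from Cisco, or from either poster. It shows the pattern the first reply describes (RADIUS Class attribute 25 selecting the group-policy) together with the two checks the second reply's symptom calls for. All names (the aaa-server group RADIUS_VPN, the group-policies NOACCESS and GP_SALES, the tunnel-group TG_SALES, the pool, the host address and the user) are placeholders chosen for the example. The RADIUS side is written as a FreeRADIUS `users` entry purely for illustration; an ACS authorization profile returning the same Class value behaves the same way. The ASA parses the Class value in the form `OU=<group-policy-name>;`, trailing semicolon included, so a bare group-policy name or a tunnel-group name in that attribute is ignored and the user falls back to the tunnel-group's default policy. Two things the example adds beyond the attribute itself: a default group-policy that denies logins (the same "NOACCESS" idea as the LDAP document linked in the question), so that a user for whom the RADIUS server returns no Class gets nothing rather than the default; and `group-lock` in the assigned policy, so that a user cannot just pick another tunnel-group in the client, which is exactly what the second reply observes.

```text
! ---- ASA side ----
! RADIUS server used for VPN authentication (address and key are placeholders)
aaa-server RADIUS_VPN protocol radius
aaa-server RADIUS_VPN (inside) host 192.0.2.10
 key ChangeMe-PlaceholderKey
 authentication-port 1812
 accounting-port 1813
!
! Default policy: anyone who authenticates but gets no usable Class
! attribute lands here and cannot log in at all.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
! Policy assigned by RADIUS Class "OU=GP_SALES;".
! group-lock ties the user to one tunnel-group; selecting a different
! profile in the client is then rejected instead of silently allowed.
group-policy GP_SALES internal
group-policy GP_SALES attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 group-lock value TG_SALES
!
ip local pool VPN_POOL 10.10.10.10-10.10.10.100 mask 255.255.255.0
!
tunnel-group TG_SALES type remote-access
tunnel-group TG_SALES general-attributes
 address-pool VPN_POOL
 authentication-server-group RADIUS_VPN
 default-group-policy NOACCESS
tunnel-group TG_SALES webvpn-attributes
 group-alias SALES enable

! ---- RADIUS side (FreeRADIUS "users" file, as an illustration of the
! ---- attribute the first reply mentions; an ACS Auth profile returns
! ---- the same Class value) ----
! alice  Cleartext-Password := "PlaceholderPassword"
!        Class = "OU=GP_SALES;"
!
! Note the format: "OU=" + exact group-policy name + ";".
! "GP_SALES" alone or "TG_SALES" (a tunnel-group name) does NOT work.

! ---- Checks on the ASA ----
! 1. Confirm the server answers and see the attributes it returns:
!    debug radius all
!    test aaa-server authentication RADIUS_VPN host 192.0.2.10
!         username alice password PlaceholderPassword
!    The debug output should show attribute 25 (Class) with OU=GP_SALES;
!
! 2. After a real login, confirm which policy was actually applied:
!    show vpn-sessiondb anyconnect filter name alice
!    "Group Policy" must read GP_SALES, not NOACCESS, and "Tunnel Group"
!    must read TG_SALES.
```

If step 2 shows NOACCESS (or the default policy) even though the RADIUS debug shows a Class attribute, the value is almost always malformed (missing `OU=`, missing the trailing `;`, or a name that does not match the group-policy exactly, including case). If a user can still connect through a second tunnel-group, the assigned group-policy is missing `group-lock`, since assigning a group-policy on its own never restricts which tunnel-group the client may choose.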