05-24-2011 09:28 AM - edited 02-21-2020 05:22 PM
All,
I need some advice. I have a lot of users who have home installations sitting behind ASA5505s which are connected via IPSec VPN to our main office. As of now, the remote ASAs authenticate via LOCAL username and password. I would like to set this up so they authenticate against the same tac_plus instance we are running to allow console/SSH access. Here is the catch: I don't want the user accounts to be able to gain console access. Does anyone have a reference point for the user/group stanzas in the tac_plus config which would allow IPSec authentication but not console access? Any help would be greatly appreciated.
Thanks in advance,
-brendan
05-24-2011 11:03 AM
This has to be done on your TACACS+ server. The ASA just sends the authentication request to the TACACS+ server no matter whether it is for VPN access or console/SSH access.
On the TACACS+ server, it should be able to differentiate what kind of login service it is and then, based on user group info, decide if the authentication is passed or rejected. Cisco ACS 5.x has this feature.
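One way to express the split in the stock tac_plus.conf (Shrubbery Networks syntax), as an added example that is not part of this thread: all users authenticate, but only the admin group is granted the exec service the ASA asks for on console/SSH login. The group and user names, the password-file path and the shared secret are assumptions.

```conf
# tac_plus.conf - constructed example, not from the thread
# Shared secret the ASAs use to talk to tac_plus (hypothetical value)
key = "replace-with-strong-secret"

# Staff who may log in to the ASA console / SSH:
# authentication passes AND service=exec is authorized with priv-lvl 15.
group = asa_admins {
    login = file /etc/tac_plus/passwd      # assumed password file path
    service = exec {
        priv-lvl = 15
    }
}

# Remote-site users: authentication passes (so the IPsec tunnel-group
# login works), but every authorization request, including the
# service=exec request the ASA sends for console/SSH, is denied.
group = vpn_users {
    login = file /etc/tac_plus/passwd
    default service = deny
}

user = alice {
    member = asa_admins
}

user = bob {
    member = vpn_users
}
```

The catch is that this only denies at the authorization step, so the ASA must actually ask tac_plus for exec authorization on management logins. On ASA releases that support it, that means `aaa authentication ssh console TACSRV LOCAL` (and `serial console` for the console port) together with `aaa authorization exec authentication-server`, while the remote tunnel-groups point `authentication-server-group TACSRV` under `general-attributes` and never request exec authorization. Without `aaa authorization exec authentication-server`, a member of `vpn_users` who knows a remote ASA's address can still SSH in, because plain authentication succeeds for both groups. Verify the setup by attempting an SSH login as a `vpn_users` member and confirming the denied authorization in the tac_plus accounting/log output, and keep the `LOCAL` fallback so you are not locked out if the TACACS+ server is unreachable.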
05-24-2011 11:45 AM
Thanks for your reply. I understand this needs to be configured on the TACACS+ server - I was just hoping someone in the community might have experience with this type of setup or could point me in the right direction. Based on some extensive searches it appears this seemingly simple setup is a bit elusive.
Thanks again for your response,
-brendan