IPSec VPN Authentication and tac_plus

All,

I need some advice.  I have a lot of users who have home installations sitting behind ASA5505s which are connected via IPSec VPN to our main office.  As of now, the remote ASAs authenticate via LOCAL username and password.  I would like to set this up so they authenticate against the same tac_plus instance we are running to allow console/SSH access.  Here is the catch: I don't want the user accounts to be able to gain console access.  Does anyone have a reference point for the user/group stanzas in the tac_plus config which would allow IPSec authentication but not console access?  Any help would be greatly appreciated.

Thanks in advance,

-brendan

2 Replies

Yudong Wu
Level 7

This has to be done on your TACACS+ server. The ASA just sends the authentication request to the TACACS+ server regardless of whether it is for VPN access or console/SSH access.

On the TACACS+ server, it should be able to differentiate what kind of login service it is and then, based on the user group info, decide whether the authentication is passed or rejected. Cisco ACS 5.x has this feature.
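As an added example (not from this thread and not Yudong's or the tac_plus project's own text), here is what that separation looks like in the Shrubbery tac_plus.conf syntax. tac_plus does not refuse an *authentication* based on the login service, so the gate has to be the *authorization* step: console/SSH admins get an `exec` service with priv-lvl 15, while VPN-only users sit in a group whose default service is deny and that carries no `exec` stanza. When the head-end ASA asks for exec authorization on a console or SSH login, a VPN-only user is refused even though the password matched. The key, group names, user names and passwords below are placeholders.

```conf
# Added example of tac_plus.conf (Shrubbery tac_plus syntax); not from the thread.
# Shared secret configured on the ASAs' aaa-server group (placeholder).
key = "REPLACE_WITH_SHARED_SECRET"

# Administrators: allowed to authenticate AND authorized for an exec (CLI) session.
# "default service = permit" keeps command authorization working if it is turned on later.
group = admins {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

# VPN-only users: they can authenticate, but no "exec" service is defined and the
# default is deny, so an exec authorization request for them fails and the ASA
# refuses the console/SSH session.
group = vpnusers {
    default service = deny
}

# Network admin (placeholder name). Use "login = des" with a hash produced by
# tac_pwd in production instead of cleartext.
user = netadmin {
    member = admins
    login = cleartext "CHANGE_ME_ADMIN"
}

# Home-office VPN user (placeholder name): authenticates for the tunnel only.
user = homeuser1 {
    member = vpnusers
    login = cleartext "CHANGE_ME_VPN"
}
```

This only bites if the ASA actually asks for exec authorization. On the head end that means pointing the management logins at the TACACS+ group and enabling management authorization, roughly `aaa authentication ssh console TACGROUP LOCAL`, `aaa authentication serial console TACGROUP LOCAL`, `aaa authentication enable console TACGROUP LOCAL` and `aaa authorization exec authentication-server`, with the VPN tunnel-group's `authentication-server-group` pointed at the same `aaa-server` group. Without `aaa authorization exec` the ASA accepts any user whose password the server verifies, so the vpnusers group would still get a CLI prompt. Because the ASA sends only an authentication request to TACACS+ for the VPN user, the deny default does not affect the tunnel. Before removing the LOCAL accounts, SSH to the ASA as a vpnusers account and confirm the login is refused and tac_plus logs an authorization failure; keep `LOCAL` as the fallback method so a TACACS+ outage cannot lock you out of the box.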

Thanks for your reply.  I understand this needs to be configured on the TACACS+ server - I was just hoping someone in the community might have experience with this type of setup or could point me in the right direction.  Based on some extensive searches it appears this seemingly simple setup is a bit elusive.

Thanks again for your response,

-brendan