02-25-2009 09:02 AM
I have 2 tunnel-groups:
tunnel-group test type ipsec-ra
tunnel-group test general-attributes
 address-pool VPN_Pool
 authorization-server-group LOCAL
 authorization-server-group (inside) LOCAL
 authorization-server-group (outside) LOCAL
 default-group-policy test
 authorization-required
tunnel-group test ipsec-attributes
 pre-shared-key *
and
tunnel-group Users type ipsec-ra
tunnel-group Users general-attributes
 address-pool VPN_Pool
 default-group-policy Users
tunnel-group Users ipsec-attributes
 pre-shared-key *
Users is the production VPN access group. It uses the LOCAL database for authentication and, most important for this question, it is working well.
test, as you can guess, is a test group that was created back when I configured the ASA5505 for the first time. It is also working.
Both groups use the same LOCAL database, BUT as you can see the Users group doesn't have anything to show it.
I have to change the authentication from LOCAL to RADIUS (which I've tested from that ASA and it is working fine). I want to start by testing the test group and, if it's all good, apply it on the Users group.
How should I do it?
How do I make RADIUS the primary authentication source with fallback to LOCAL if RADIUS is down?
02-26-2009 08:44 AM
You would go into your tunnel group settings and change the settings accordingly, like this:
tunnel-group test general-attributes
 authentication-server-group <RADIUS-server-group-name> LOCAL
This will cause the tunnel group to use RADIUS first and LOCAL if RADIUS fails. Note you might want to remove the authorization part of your setup.
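The full change the answer above describes, written out as an added example (not the poster's own configuration): the RADIUS server group is defined first, then the test tunnel-group is pointed at it with LOCAL as the fallback. The group name RADIUS_SRV, the server address 192.0.2.10, the interface, and the shared-secret placeholder are assumptions; substitute your own values.

```cisco
! Added example: RADIUS primary with LOCAL fallback for the "test" tunnel-group.
! RADIUS_SRV, 192.0.2.10 and the key are placeholders, not values from the thread.
aaa-server RADIUS_SRV protocol radius
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
aaa-server RADIUS_SRV (inside) host 192.0.2.10
 key <shared-secret-placeholder>
 timeout 5
 retry-interval 5
 authentication-port 1812
 accounting-port 1813
!
! Only the test group changes; Users keeps LOCAL until the test group is confirmed.
tunnel-group test general-attributes
 address-pool VPN_Pool
 authentication-server-group RADIUS_SRV LOCAL
 default-group-policy test
!
! Checks before repeating this on the Users group:
!   test aaa-server authentication RADIUS_SRV host 192.0.2.10 username <user> password <pw>
!   show aaa-server RADIUS_SRV      (server state should read ACTIVE, not FAILED)
```

The LOCAL fallback engages only when every server in RADIUS_SRV has been marked failed (after max-failed-attempts unanswered requests); a credential that RADIUS actively rejects is not retried against the local database, so keep a working local admin account and confirm RADIUS accepts it before cutting the Users group over.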
02-26-2009 09:06 AM
Currently my LOCAL database applies different privilege levels. When switching to IAS\AD, will I still have a way to enforce different privilege levels?
02-26-2009 09:16 AM
Privilege as in privilege levels?
02-26-2009 09:18 AM
Yes:
1 for non-admin users who require VPN access only
15 for admins who require console management access in addition to their VPN access
02-26-2009 09:22 AM
OK. Privilege level is not read when using the VPN connection, and since the only thing you are changing the authentication method for is the VPN client access and not the console access (SSH, Telnet, console...), you don't need to work on the privilege levels at all, unless you do require that, in which case privilege levels will not be read as on a normal IOS device. Take a look at the following:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1537397
02-26-2009 09:30 AM
This is for v8.0(2) and later. I'm running ASA5505 v7.
Does all the above apply to PIX\ASA only, or to any switch (3560, 2960 and older devices)?
02-26-2009 09:38 AM
This only applies to ASA/PIX devices and only for version 8.X; 7.X does not have these features.