03-16-2004 03:46 PM - edited 02-21-2020 01:04 PM
I have a PIX 515 and I am supporting many users with the VPN Client v4.0.2. I have many different vpngroups configured for various reasons. I would like to utilize AAA for some of the groups but not others. Is this possible?
03-18-2004 06:14 AM
Yes, this is possible. There are several methods of Radius/Tacacs. I use a Cisco ACS server and define my groups in the ACS server with the same as the VPN groups. Those users on our win2k network are passed from the ACS server to Windows Active Directory for their authentication. Those users you don't want leave as local users. My suggestion would be to set up one point of administration and that would be the ACS server. There you can define and manage all users both corporate and vendor/remote access.
04-14-2004 06:42 AM
Did you get this working? I'm trying to do exactly the same, perform XAUTH for some groups/users but not others.
Thanks
04-14-2004 11:04 AM
Yes, it is working; however, I send everyone desiring VPN access through the Cisco ACS server and define access restrictions on the network using Network Access Restriction (NAR) groups defined on the ACS server.
04-15-2004 11:58 PM
So all the VPN Clients still have to pass the XAUTH stage, but you're restricting access using downloadable ACLs.
04-16-2004 01:54 AM
No, that is not correct. I simply build the VPN groups based on the ACS groups and allow access to devices based on ACS. The people that belong to our enterprise are passed from ACS to Windows ADS with no problem.