Can TACACS+ "read" VPN groups from a Cisco ASA 5510 appliance?

Posted on 2007-12-03
Last Modified: 2008-02-22
Hello Everyone,

I have an issue here. I have created various ASA 5510 VPN groups with access to different subnets within our internal network. The filters work fine, but now I am concerned that users with access to more subnets will simply provide their PCF to someone who should not have access to that subnet. Since we have a TACACS server, I was wondering if we could bind users to specific VPN groups, so that if they attempt to access the VPN from an unauthorized VPN group, access will fail. In other words, can TACACS "read" the VPN group information from the ASA and use that for authentication in addition to user credentials?
Question by: ebreiss
Accepted Solution by: batry_boy (earned 250 total points), ID: 20399745
I don't know if it can do what you're asking, but couldn't you do what you're wanting to do with individual user-level filtering? The ASA can do that. In other words, rather than applying an ACL to a group policy that gets inherited by user accounts, just apply the individual ACLs to the user accounts directly. Would that not achieve the effect you're looking for?
Author Comment by: ebreiss, ID: 20400205
Batry,

We were thinking about user level filtering, but we would rather use groups. Does user level filtering work alongside e.g. RADIUS? In other words, we authenticate to a RADIUS server (actually an RSA server). Can we authenticate users in the local database to the RADIUS server? If that is the only way to do this, I guess we have to.

BTW, thanks for the reply.
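As an added illustration (written for this page, not by either poster), the configuration below shows the per-user filtering batry_boy describes and also covers the follow-up question: the ASA can authenticate credentials against a RADIUS group while taking the per-user attributes (vpn-filter, group-lock) from its LOCAL database. All ACL names, subnets, server-group, tunnel-group and user names are constructed placeholders; the syntax is the ASA 7.x/8.0 CLI of that era.

```cisco
! Added example, not from the original thread. Names, subnets and the
! pre-shared key are constructed placeholders.

! One ACL per user: each permits only the subnet that user should reach.
access-list VPN_USER_ALICE extended permit ip any 10.10.1.0 255.255.255.0
access-list VPN_USER_BOB   extended permit ip any 10.10.2.0 255.255.255.0

! Group policy inherited by the tunnel group. It carries no vpn-filter of
! its own, so the filter applied on each username is what restricts traffic.
group-policy GP_REMOTE internal
group-policy GP_REMOTE attributes
 vpn-tunnel-protocol IPSec

! The tunnel group is the "VPN group" the PCF selects. RADIUS (RSA) checks
! the credentials; LOCAL supplies the authorization attributes, and
! authorization-required rejects a user with no local entry.
tunnel-group RA_VPN type ipsec-ra
tunnel-group RA_VPN general-attributes
 authentication-server-group RSA_RADIUS
 authorization-server-group LOCAL
 authorization-required
 default-group-policy GP_REMOTE
tunnel-group RA_VPN ipsec-attributes
 pre-shared-key <placeholder-group-key>

! Local entries exist to hold attributes; the local password is not used
! when RADIUS authenticates, but is set so no passwordless account exists.
! vpn-filter applies the per-user ACL; group-lock ties the user to one
! tunnel group, so logging in through another group's PCF is refused.
username alice password <placeholder>
username alice attributes
 vpn-filter value VPN_USER_ALICE
 group-lock value RA_VPN

username bob password <placeholder>
username bob attributes
 vpn-filter value VPN_USER_BOB
 group-lock value RA_VPN
```

After connecting, `show vpn-sessiondb remote` lists the filter and group policy actually applied to each session, which is the quickest way to confirm the per-user ACL took effect rather than the inherited group settings.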