Solved

Can TACACS+ "read" VPN groups from a Cisco ASA 5510 appliance?

Posted on 2007-12-03
2
945 Views
Last Modified: 2008-02-22
Hello Everyone,

I have an issue here. I have created various ASA 5510 VPN groups with access to different subnets within our internal network. The filters work fine, but now I am concerned that users with access to more subnets will simply provide his PCF to someone who should not have access to that subnet. Since we have a TACACS server, I was wondering if we could bind users to specific VPN groups, so that if they attempt to access the VPN from an unauthorized VPN group, access will fail. In other words, can TACACS "read" the VPN group information from the ASA, and use that for authentication in addition to user credentials.
0
Comment
Question by:ebreiss
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 28

Accepted Solution

by:
batry_boy earned 250 total points
ID: 20399745
I don't know if it can do what your asking, but couldn't you do what you're wanting to do with individual user-level filtering?  The ASA can do that.  In other words, rather than applying an ACL to a group policy that gets inherited by user accounts, just apply the individual ACL's to the user accounts directly.  Would that not achieve the effect you're looking for?
0
 

Author Comment

by:ebreiss
ID: 20400205
Batry,

We were thinking about user level filtering, but we would rather use groups. Does user level filtering work along side e.g. RADIUS? In other words, we authenticate to a RADIUS server (actually an RSA server). Can we authenticate users in the local database to the RADIUS server? If that is the only way to do this, I guess we have to.

BTW, thanks for the reply.
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question