Solved

Can TACACS+ "read" VPN groups from a Cisco ASA 5510 appliance?

Posted on 2007-12-03
2
944 Views
Last Modified: 2008-02-22
Hello Everyone,

I have an issue here. I have created various ASA 5510 VPN groups with access to different subnets within our internal network. The filters work fine, but now I am concerned that users with access to more subnets will simply provide his PCF to someone who should not have access to that subnet. Since we have a TACACS server, I was wondering if we could bind users to specific VPN groups, so that if they attempt to access the VPN from an unauthorized VPN group, access will fail. In other words, can TACACS "read" the VPN group information from the ASA, and use that for authentication in addition to user credentials.
0
Comment
Question by:ebreiss
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 28

Accepted Solution

by:
batry_boy earned 250 total points
ID: 20399745
I don't know if it can do what your asking, but couldn't you do what you're wanting to do with individual user-level filtering?  The ASA can do that.  In other words, rather than applying an ACL to a group policy that gets inherited by user accounts, just apply the individual ACL's to the user accounts directly.  Would that not achieve the effect you're looking for?
0
 

Author Comment

by:ebreiss
ID: 20400205
Batry,

We were thinking about user level filtering, but we would rather use groups. Does user level filtering work along side e.g. RADIUS? In other words, we authenticate to a RADIUS server (actually an RSA server). Can we authenticate users in the local database to the RADIUS server? If that is the only way to do this, I guess we have to.

BTW, thanks for the reply.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
VPN problems 4 68
RDP- Windows 7 home Premium to 7 Pro via VPN 10 39
Cisco Switch VLAN voice and Data 2 47
Objects in Cisco ASA 2 5
If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question