?
Solved

Can TACACS+ "read" VPN groups from a Cisco ASA 5510 appliance?

Posted on 2007-12-03
2
Medium Priority
?
949 Views
Last Modified: 2008-02-22
Hello Everyone,

I have an issue here. I have created various ASA 5510 VPN groups with access to different subnets within our internal network. The filters work fine, but now I am concerned that users with access to more subnets will simply provide his PCF to someone who should not have access to that subnet. Since we have a TACACS server, I was wondering if we could bind users to specific VPN groups, so that if they attempt to access the VPN from an unauthorized VPN group, access will fail. In other words, can TACACS "read" the VPN group information from the ASA, and use that for authentication in addition to user credentials.
0
Comment
Question by:ebreiss
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 28

Accepted Solution

by:
batry_boy earned 750 total points
ID: 20399745
I don't know if it can do what your asking, but couldn't you do what you're wanting to do with individual user-level filtering?  The ASA can do that.  In other words, rather than applying an ACL to a group policy that gets inherited by user accounts, just apply the individual ACL's to the user accounts directly.  Would that not achieve the effect you're looking for?
0
 

Author Comment

by:ebreiss
ID: 20400205
Batry,

We were thinking about user level filtering, but we would rather use groups. Does user level filtering work along side e.g. RADIUS? In other words, we authenticate to a RADIUS server (actually an RSA server). Can we authenticate users in the local database to the RADIUS server? If that is the only way to do this, I guess we have to.

BTW, thanks for the reply.
0

Featured Post

Building an interactive eFuture classroom

Watch and learn how ATEN provided a total control system solution including seamless switching matrix switch, HDBaseT extenders, PDU, lighting control to build an interactive eFuture classroom.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap.  By default the software is configured to allow open access to your network.  But what if you want to restrict users to on…
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question