Can TACACS+ "read" VPN groups from a Cisco ASA 5510 appliance?

Posted on 2007-12-03
Medium Priority
Last Modified: 2008-02-22
Hello Everyone,

I have an issue here. I have created various ASA 5510 VPN groups with access to different subnets within our internal network. The filters work fine, but now I am concerned that users with access to more subnets will simply provide his PCF to someone who should not have access to that subnet. Since we have a TACACS server, I was wondering if we could bind users to specific VPN groups, so that if they attempt to access the VPN from an unauthorized VPN group, access will fail. In other words, can TACACS "read" the VPN group information from the ASA, and use that for authentication in addition to user credentials.
Question by:ebreiss
LVL 28

Accepted Solution

batry_boy earned 750 total points
ID: 20399745
I don't know if it can do what your asking, but couldn't you do what you're wanting to do with individual user-level filtering?  The ASA can do that.  In other words, rather than applying an ACL to a group policy that gets inherited by user accounts, just apply the individual ACL's to the user accounts directly.  Would that not achieve the effect you're looking for?

Author Comment

ID: 20400205

We were thinking about user level filtering, but we would rather use groups. Does user level filtering work along side e.g. RADIUS? In other words, we authenticate to a RADIUS server (actually an RSA server). Can we authenticate users in the local database to the RADIUS server? If that is the only way to do this, I guess we have to.

BTW, thanks for the reply.

Featured Post

Get Cisco Certified in IT Security

There’s a high demand for IT security experts and network administrators who can safeguard the data that individuals, corporations, and governments rely on every day. Pursue your B.S. in Network Operations and Security and gain the credentials you need for this high-growth field.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

As managed cloud service providers, we often get asked to intervene when cloud deployments go awry. Attracted by apparent ease-of-use, flexibility and low computing costs, companies quickly adopt leading public cloud platforms such as Amazon Web Ser…
Will you be ready when the clock on GDPR compliance runs out? Is GDPR even something you need to worry about? Find out more about the upcoming regulation changes and download our comprehensive GDPR checklist today !
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question