Radius authentication for console and vpn users

Unanswered Question
Feb 6th, 2008


I have a little problem...

I'm doing authentication on an ASA with Radius (authenticating against AD) for both console management authentication and remote access vpn users.

I can distinguish between different tunnel groups with the group-lock command and assign different groups to different tunnel groups.

The problem is that all vpn user groups can login with SSH or ASDM for management because there is no "group-lock"-like way to separate them.

Maybe you'll say - use a different Radius server for this purpose but it's not really a scalable solution and I'd rather not use it.



Gabriel Gearip

koltl-gold Wed, 02/06/2008 - 05:28

You can distinguish by editing attributes on Radius server (Radius policies in IAS).

VPN users: Framed-protocol

SSH: login (I'm not sure)


gabriel.gearip Wed, 02/06/2008 - 06:36

That didn't work...

Users can login through SSH with both framed and login service-type attributes set.

dcarlton Wed, 02/06/2008 - 10:44

Using the ASDM management tool, go to Configuration tab, Device management, Management access and exclude the address of the vpn users from management access.

gabriel.gearip Wed, 02/06/2008 - 12:03


The thing is that I myself administer the ASA through VPN so I cannot exclude the VPN pool for management.



Gabriel Gearip

gabriel.gearip Thu, 02/07/2008 - 04:32

I guess I'll just use local users for management.

I can't believe though that there isn't any mechanism of distinguishing between the radius groups for local management...



dcarlton Thu, 02/07/2008 - 04:37

You could define a new aaa server group for management authentication and source it from the management interface and let your vpn users aaa authentication server group originate from an inside interface. Then on your radius server you could distinguish which group is trying to connect by ip address.
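The split suggested in the answer above, written out as an ASA configuration fragment (an added example, not configuration posted by anyone in this thread; the interface names `management` and `inside`, the server address 10.0.0.5, the group tags and the tunnel-group name are assumptions, and the shared secret is a placeholder):

```cisco
! Management-plane RADIUS group: requests leave via the management
! interface, so the RADIUS server sees the management interface IP as NAS.
aaa-server MGMT-RADIUS protocol radius
aaa-server MGMT-RADIUS (management) host 10.0.0.5
 key REPLACE-WITH-SHARED-SECRET
!
! VPN RADIUS group: same server, but sourced from the inside interface,
! so the NAS address differs from the management group above.
aaa-server VPN-RADIUS protocol radius
aaa-server VPN-RADIUS (inside) host 10.0.0.5
 key REPLACE-WITH-SHARED-SECRET
!
! SSH and ASDM (HTTPS) authenticate only against the management group;
! LOCAL is the fallback so a RADIUS outage does not lock you out.
aaa authentication ssh console MGMT-RADIUS LOCAL
aaa authentication http console MGMT-RADIUS LOCAL
!
! Remote-access tunnel group keeps using the VPN-sourced group.
tunnel-group RA-VPN general-attributes
 authentication-server-group VPN-RADIUS
```

On the IAS side each ASA source address is then registered as its own RADIUS client, and the remote access policy for the management client is restricted to the AD group that is allowed to administer the firewall, with the VPN client's policy matching the VPN groups.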

