Radius authentication for console and vpn users

gabriel.gearip
Level 1

Hi,

I have a little problem...

I'm doing authentication on an ASA with Radius (auth.-ing against AD) for both console management authentication and remote access vpn users.

I can distinguish between different tunnel groups with the group-lock command and assign different groups to different tunnel groups.

The problem is that all vpn user groups can login with SSH or ASDM for management because there is no "group-lock"-like way to separate them.

Maybe you'll say: use a different Radius server for this purpose, but it's not really a scalable solution and I'd rather not use it.

Thanks.

BR,

Gabriel Gearip

6 Replies

koltl-gold
Level 1

You can distinguish by editing attributes on Radius server (Radius policies in IAS).

VPN users: Framed-protocol

SSH: login (I'm not sure)

Peter

That didn't work...

Users can log in through SSH with both framed and login service-type attributes set.

Using the ASDM management tool, go to the Configuration tab, Device Management, Management Access, and exclude the address of the vpn users from management access.

Hi,

The thing is that I myself administer the ASA through VPN, so I cannot exclude the VPN pool for management.

Thanks.

BR,

Gabriel Gearip

I guess I'll just use local users for management.

I can't believe though that there isn't any mechanism of distinguishing between the radius groups for local management...

Thanks.

Gabi.

You could define a new aaa server group for management authentication and source it from the management interface, and let your vpn users' aaa authentication server group originate from an inside interface. Then on your radius server you could distinguish which group is trying to connect by ip address.
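The arrangement the last reply describes, shown as an added example ASA configuration (not from the thread or from Cisco): two aaa-server groups point at the same RADIUS server but reach it through different ASA interfaces, so management and VPN requests arrive at the server from different NAS addresses and can be matched by different policies. Interface names, addresses, group and pool names and the shared keys are assumed placeholders.

```cisco
! Management authentication: the RADIUS server is reached through the
! management interface, so these requests are sourced from that address.
aaa-server MGMT-RADIUS protocol radius
aaa-server MGMT-RADIUS (management) host 192.0.2.10
 key MGMT-SHARED-KEY-PLACEHOLDER
! Keep LOCAL as fallback so the box stays reachable if RADIUS is down.
aaa authentication ssh console MGMT-RADIUS LOCAL
aaa authentication http console MGMT-RADIUS LOCAL
aaa authentication enable console MGMT-RADIUS LOCAL

! VPN authentication: same server, reached through the inside interface,
! so these requests are sourced from the inside interface address instead.
aaa-server VPN-RADIUS protocol radius
aaa-server VPN-RADIUS (inside) host 192.0.2.10
 key VPN-SHARED-KEY-PLACEHOLDER

ip local pool VPN-POOL 10.10.10.1-10.10.10.100 mask 255.255.255.0

tunnel-group VPN-USERS type remote-access
tunnel-group VPN-USERS general-attributes
 address-pool VPN-POOL
 authentication-server-group VPN-RADIUS
```

On the RADIUS side, register each ASA interface address as its own RADIUS client and condition the management policy on that client address, so only the administrators' AD group can satisfy requests arriving from the management interface while the VPN group matches only requests from the inside interface. Administrators connecting over the VPN are unaffected, since this split concerns the ASA-to-RADIUS path, not the path from the admin to the ASA.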
