TACACS authentication over the VPN tunnel - How To?

Unanswered Question
May 8th, 2008

Hi all,

There are multiple examples on how to set up TACACS authentication/authorization on the PIXs, but they all seem to use a local ACS (on the inside interface of the PIX). What if we have ACS on a remote site and have to send AAA requests across the VPN tunnel? Is this supported by Cisco? Should I still use "aaa-server TACACS (inside)..." or is it considered to be on an outside interface? Any examples out there? Same question for the ASA appliance (8.0(3)).

Thank you,

Evgueni

smahbub Wed, 05/14/2008 - 08:08

Authentication determines who the user is and authorization determines what the user can do. Before you configure the security appliance to use an external server, you must configure the server with the correct security appliance authorization attributes and, from a subset of these attributes, assign specific permissions to individual users.

Refer to the following URLs for the configuration guide and an example of authentication/authorization configs:

http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/extsvr.html

For more info on the "aaa-server TACACS" command refer to:

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/ab.html#wp1070086

evguenipesliak Fri, 05/16/2008 - 08:02

Thank you for the reply, Smahbub

However, the question was about one particular scenario, when the ACS server (TACACS+) is on the opposite side of the VPN tunnel. How do I configure the ASA in that case? Is it supported by Cisco? I do not want to send AAA traffic over the Internet, but via the VPN... Do I use the (inside) or (outside) keyword in that case?

Regards,

Evgueni

I don't think this can be done. I have been trying to accomplish the same thing on both 7.x ASA code and 8.x ASA code. I have opened a TAC case and was told this isn't possible. I have also asked the question of our Cisco Advanced Services Team and others that I know who work for Cisco, including 2 CCIE route/switch and a CCIE security. I also want to send DHCP requests back across the VPN tunnel and this is also not possible. I have to run the DHCP server on the ASA, which makes it more difficult to administer.

evguenipesliak Tue, 05/20/2008 - 05:10

Thank you so much, Mike

Would appreciate greatly if you could share your findings with us.

alibowluk Thu, 05/29/2008 - 03:09

Hi there,

I'm currently encountering this exact same issue. I'm running 8.0(3) code, and can't get the remote end to talk to our ACS server, even though a ping sourced from the inside interface works. Seems silly this setup is possible between an ASA and a router but not in an ASA to ASA setup. I'm intrigued to know your findings.

I'm waiting with bated breath :-)

Ali

richardburford Wed, 06/11/2008 - 02:00

Did you ever get this working? I am encountering exactly the same issue with 8.0(3) code.

Our 7.2 ASAs work fine with exactly the same config.

Is there a bug reference for this issue?

jeff_groesbeck Thu, 09/04/2008 - 11:57

Hello. I'd be curious to know if anyone has tried this with 8.0(4) and if it is fixed. I am having this problem as well and have used RADIUS as a workaround in the meantime. I can't perform command authorization this way, but I do get authentication and it works fine.

Thank you,

Jeff

evguenipesliak Thu, 09/04/2008 - 12:02

Hi Jeff,

Can you share your RADIUS setup? Which interface you use - inside or outside? Surprised to hear that it works for RADIUS - thought it does not work for both.

Thanks,

Evgueni

jeff_groesbeck Thu, 09/04/2008 - 12:12

Hello Evgueni,

The configuration I'm using is on an ASA with 8.0(3) code. Basically, the AAA setup is the same as it always is (of course, RADIUS in this case because TACACS doesn't work) and I am using the 'inside' interface as the source interface. I am also using the "management-access inside" command to make sure that it will communicate using the inside address over the tunnel. I'm pretty sure this command has to be there for this to work (at least I think it used to be).

I have this working on an ASA right now and it works fine. Authentication only.

Thanks,

Jeff

jeff_groesbeck Fri, 09/05/2008 - 09:15

Hello again.

I opened a case on this issue to see if it was resolved in 8.0(4). This issue regarding TACACS over a VPN tunnel has a bug ID (CSCsk08454) and is resolved in 8.0(4). I have not tested this yet, but it is in the release notes as well. I also looked the bug up and found a workaround as well. I have not tried this either, but it is listed in the bug tracker. Apparently if you enable reverse route injection for the L2L tunnel, TACACS will work successfully. Again, I haven't tested this, but it's in the notes.

Thank you,

Jeff
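Putting Jeff's two posts together, here is what the remote-site ASA configuration looks like when the AAA server is sourced from the inside interface across the L2L tunnel. This is an added example, not configuration posted in the thread; the interface names, addresses (10.1.1.0/24 inside, ACS at 10.2.2.10 behind the hub, hub peer 203.0.113.1), server-group names, crypto map name and the placeholder secrets are all assumptions constructed for illustration. The "set reverse-route" line is the bug-tracker workaround Jeff mentions for 8.0(3); on 8.0(4) and later it is not required for TACACS+ to work, but it does no harm.

```cisco
! --- Constructed example for an ASA 8.0(x) remote site; addresses and names are assumptions ---
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.252
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! Local fallback account so the box stays reachable when the tunnel is down.
username admin password <local-password> privilege 15
!
! AAA servers are reached through the tunnel, so they are defined on the
! inside interface: the request is then sourced from 10.1.1.1, which falls
! inside the crypto ACL below. TACACS+ needs 8.0(4) or later (CSCsk08454);
! RADIUS is the workaround Jeff used on 8.0(3).
aaa-server ACS-TACACS protocol tacacs+
aaa-server ACS-TACACS (inside) host 10.2.2.10
 key <tacacs-shared-secret>
 timeout 5
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 10.2.2.10
 key <radius-shared-secret>
 timeout 5
!
! Lets ASA-originated traffic (AAA, syslog, NTP) and management sessions use
! the inside address over the VPN.
management-access inside
!
! Interesting traffic for the L2L tunnel must cover the ASA's own inside
! address talking to the ACS; the hub needs the mirror-image ACL.
access-list L2L-HUB extended permit ip 10.1.1.0 255.255.255.0 host 10.2.2.10
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-HUB
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
! Bug-tracker workaround for 8.0(3): reverse route injection on the L2L entry.
crypto map OUTSIDE-MAP 10 set reverse-route
crypto map OUTSIDE-MAP interface outside
!
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key <ike-psk>
!
! TACACS+ for login, enable and command authorization, LOCAL as fallback.
! On 8.0(3), swap ACS-TACACS for ACS-RADIUS and drop command authorization
! (RADIUS cannot do per-command authorization on the ASA).
aaa authentication ssh console ACS-TACACS LOCAL
aaa authentication enable console ACS-TACACS LOCAL
aaa authorization command ACS-TACACS LOCAL
```

Two checks worth doing before relying on this: "test aaa-server authentication ACS-TACACS host 10.2.2.10 username <user> password <pw>" confirms the server group answers, and "show crypto ipsec sa peer 203.0.113.1" should show the encaps/decaps counters increasing while the test runs; if the counters stay flat, the AAA traffic is not matching the crypto ACL and is leaving the outside interface in the clear or being dropped. Keep the LOCAL fallback: with the AAA server on the far side of the tunnel, a VPN outage otherwise locks you out of the device that you need to reach to fix the VPN.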

richardburford Mon, 09/08/2008 - 00:23

I had this exact problem with 8.0(3). I upgraded to 8.0(4) reloaded and logged straight in using TACACS.

8.0(4) should completely resolve this issue for you

grimish.patel Tue, 01/18/2011 - 11:53

Hi,

I have an ASA 5510 running 8.2(4) code. I have a site-to-site VPN of which this ASA is the remote end. I'm trying to tunnel NTP and authentication traffic through the VPN tunnel but SSH in the clear, so both traffic types terminate and originate from the outside interfaces. The authentication method is TACACS at the moment and I've specified the outside interface for this.

So far I can't seem to get this working; any ideas?

grimish.patel Sat, 09/29/2012 - 08:49

Update - got this working by simply upgrading to v8.2(5). One thing left: how do I authenticate from a standby ASA across the active VPN? (I can't see how this is done, unless somehow the inside interfaces are used.)
