WEBVPN Authentication

Peter Valdes
Level 3

Hi,

We have set up SSL VPN on a Cisco 3800 to host VPN for IP Communicator (VoIP). IOS = IOS Advanced Security 12.4(15)T, and Cisco Secure ACS v3.0.

We have trialled an authentication method using our existing TACACS+ server to host the AAA for the SSL VPN, but the problem is that the same user account can log in to our routers using the same TACACS+ server.

Is there a way to permit SSL VPN authentication for VoIP use and deny access to our routers using the same AAA server?


7 Replies

Marwan ALshawi
VIP Alumni

If you are giving users a pool of IPs through the SSL VPN, you can use an ACL on the outside interface that allows only access to the VoIP network and denies anything else!

Hi, thanks for the reply.

That part has been secured. The problem is when they are not using the VPN: on a normal ADSL connection, if they know the public IP address of one of our routers, they can VTY/SSH to it using their TACACS+ account.

The VTY already has an ACL to only allow our internal network in. SSH is for outside use.

I should have included this in the first message to be clearer.

Is there a setting on the TACACS+ server to deny VTY/SSH use of the accounts?

Thanks

In this case you need to use auth-proxy, if your router includes the IOS Firewall feature.

This way you can specify which ports are allowed, and use source and destination IPs.

Accepted Solution

As your TACACS+ server is ACS, you can make use of NAR (Network Access Restriction).

Users will be prompted for username/password if the device is configured for it, but they won't be able to Telnet/SSH into the network device. But they should be able to do VPN.

Please go through which attributes are evaluated for a NAR to be applied:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml

Regards,

Prem

Please rate if it helps!
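The router side of the setup the accepted answer assumes, as an added example (not configuration posted in this thread): one ACS server behind two separate named AAA login lists, one for the VTY and one for the WebVPN context, so that VTY logins and SSL VPN logins reach the ACS as distinct requests and the NAR on the VPN users' group (configured in the ACS GUI, not shown) can refuse the former and permit the latter. All addresses, names and the shared key are hypothetical.

```cisco
! Added example, not from the thread. Hypothetical values: ACS at 10.1.1.5
! with shared key "acs-key", management LAN 10.1.0.0/16, VoIP network
! 10.2.0.0/16, public address 203.0.113.10, SSL trustpoint VPN-CERT.
aaa new-model
tacacs-server host 10.1.1.5 key acs-key
!
! Two named login lists that both point at the same ACS. The "local"
! fallback on the VTY list is used only when ACS is unreachable, never
! when ACS rejects the login, so a NAR deny is not bypassed.
aaa authentication login VTY-AUTH group tacacs+ local
aaa authentication login WEBVPN-AUTH group tacacs+
! Additional hook, not discussed in the thread: ask ACS for exec
! authorization as well, so an account with no shell profile on ACS is
! dropped even if its password is accepted.
aaa authorization exec VTY-AUTHZ group tacacs+ local
!
ip local pool VPN-POOL 10.99.0.1 10.99.0.254
!
! Keep the VTY reachable only from the management LAN, over SSH only.
ip access-list extended MGMT-ONLY
 permit tcp 10.1.0.0 0.0.255.255 any eq 22
 deny   ip any any log
!
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
 login authentication VTY-AUTH
 authorization exec VTY-AUTHZ
!
webvpn gateway VOIP-GW
 ip address 203.0.113.10 port 443
 ssl trustpoint VPN-CERT
 inservice
!
! The WebVPN context authenticates against its own list, so ACS sees
! these logins separately from the VTY logins above.
webvpn context VOIP
 gateway VOIP-GW
 aaa authentication list WEBVPN-AUTH
 policy group VOIP-POLICY
   functions svc-enabled
   svc address-pool "VPN-POOL"
   svc split include 10.2.0.0 255.255.0.0
 default-group-policy VOIP-POLICY
 inservice
```

To confirm the split, log in as a VPN-only account over SSH and then through the SSL VPN while running `debug tacacs` on the router: the VTY attempt should come back as a reject from ACS, the WebVPN attempt as a pass, and `show webvpn session context VOIP` should list the user. `test aaa group tacacs+ <user> <password> legacy` exercises only the TACACS+ exchange and will not reflect the NAR decision for a specific access path.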

Thanks. I will try this and let you know on the result.

Thanks again for your replies.

Peter

Hi,

Thanks for all your help. NAR works.

Cheers

Peter

Prem, this is 5+ from me :)
