Unanswered Question
Sep 22nd, 2008

I have RADIUS authentication to an external RADIUS server setup for my Cisco ASA.

However I would like to differentiate between VPN login users and SSH, ASDM users etc.

At present radius allows either type of users access to any service.

But in reality I would like a restricted VPN list to access the Client VPN and another even more restricted list to access SSH and ASDM services.

I thought it would be a radius attribute perhaps but i'm not sure.

guibarati Mon, 09/22/2008 - 06:33

Hi, you have to enable group-lock in the VPN configuration on the ASA, and make the RADIUS server return the name of the user's VPN group policy in the attribute called Radius-Class.

My suggestion is to return any non-existing name for the group that should connect to SSH or Telnet.
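
Added illustration of the group-lock and Radius-Class approach described in this reply (example configuration, not from the thread or from Cisco; the names RADIUS-SRV, VPN-USERS, NO-VPN and VPN-TUNNEL, the server address 192.0.2.10 and the FreeRADIUS users-file entries are assumptions, and the management-access part assumes an ASA release that supports aaa authorization exec authentication-server, which the original post does not mention):

```text
! ===== ASA side (assumed example configuration) =====
! RADIUS server group used by both the VPN tunnel group and management access
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 192.0.2.10
 key <shared-secret>

! Group policy a VPN user must be mapped into. group-lock ties the policy to one
! tunnel group, so a user who receives this policy from RADIUS cannot connect
! through any other tunnel group configured on the box.
group-policy VPN-USERS internal
group-policy VPN-USERS attributes
 group-lock value VPN-TUNNEL

! Default policy for anyone RADIUS does not map explicitly: zero simultaneous
! logins means the tunnel is dropped even though the password was accepted.
group-policy NO-VPN internal
group-policy NO-VPN attributes
 vpn-simultaneous-logins 0

tunnel-group VPN-TUNNEL type remote-access
tunnel-group VPN-TUNNEL general-attributes
 authentication-server-group RADIUS-SRV
 default-group-policy NO-VPN

! Management access on the same server group. With "authorization exec
! authentication-server" the ASA checks the RADIUS Service-Type reply:
! Administrative (6) grants full management access, NAS-Prompt (7) gives
! user-level CLI only, and any other value is refused management access
! even though the credentials were valid.
aaa authentication ssh console RADIUS-SRV LOCAL
aaa authentication http console RADIUS-SRV LOCAL
aaa authorization exec authentication-server

# ===== FreeRADIUS "users" file (assumed example entries) =====
# VPN-only user: Class (IETF attribute 25) carries the group-policy name in the
# "OU=<name>;" form the ASA expects. Service-Type Framed-User is not
# Administrative, so an SSH or ASDM login by this user is refused.
alice   Cleartext-Password := "example-only"
        Class = "OU=VPN-USERS;",
        Service-Type = Framed-User

# Admin-only user: no Class is returned, so a VPN attempt falls into NO-VPN and
# is dropped, while Service-Type Administrative opens SSH and ASDM.
bob     Cleartext-Password := "example-only"
        Service-Type = Administrative
```

The two lists the question asks for are therefore expressed entirely on the RADIUS side: membership in the VPN list is "Class names an existing group policy", membership in the admin list is "Service-Type is Administrative", and a user can be in either, both or neither without touching the ASA again. Test a deliberately mis-attributed user (Class pointing at a policy that does not exist, no Service-Type) against both the VPN client and SSH before trusting the setup, because a typo in the RADIUS reply should fail closed into NO-VPN and a refused management login.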

mikedelafield Fri, 09/26/2008 - 00:34

Thanks for the post.

I'm still not sure how to get this working. And there must be a simple way?

I can't be the only person who has ever wanted to use RADIUS for both SSH and VPN logons?


corey@networks-... Mon, 02/15/2010 - 14:08

Sorry for resurrecting such an old thread, but did you ever find a way to do this? I'm running into the exact same situation and would love to know if/how you got it working.

Thanks in advance!

johnd2310 Tue, 02/16/2010 - 17:20

I would use two RADIUS servers. One for users and the other for device management. That way, any configuration mistakes do not expose your devices. I would only use the same server if I am using different protocols (TACACS for devices and RADIUS for users).
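
As an added example of the separation this reply recommends (not configuration from the thread or from Cisco; the group names RADIUS-VPN and TACACS-MGMT, the tunnel-group name VPN-TUNNEL and the 192.0.2.x addresses are assumptions), the ASA side looks like this. Two RADIUS groups on different hosts have the same shape with protocol radius in both:

```text
! ===== ASA side (assumed example configuration) =====
! Two server groups on two hosts: a user record that exists only on the VPN
! server can never satisfy a management login, whatever attributes it carries.
aaa-server RADIUS-VPN protocol radius
aaa-server RADIUS-VPN (inside) host 192.0.2.10
 key <vpn-shared-secret>

aaa-server TACACS-MGMT protocol tacacs+
aaa-server TACACS-MGMT (inside) host 192.0.2.20
 key <mgmt-shared-secret>

! The remote-access tunnel group consults only the VPN server
tunnel-group VPN-TUNNEL type remote-access
tunnel-group VPN-TUNNEL general-attributes
 authentication-server-group RADIUS-VPN

! SSH, ASDM and enable consult only the management server. LOCAL is the
! fallback so a dead management server does not lock you out of the box.
aaa authentication ssh console TACACS-MGMT LOCAL
aaa authentication http console TACACS-MGMT LOCAL
aaa authentication enable console TACACS-MGMT LOCAL
```

The point of the split is that the admin list is enforced by which host holds the account rather than by an attribute value, so a mistake when adding a VPN user cannot grant SSH or ASDM access. Keep the LOCAL fallback account's password strong and its use audited, since it is reachable by anyone who can make the management server unreachable.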