RADIUS on ASA

mikedelafield
Level 1

I have RADIUS authentication to an external RADIUS server set up for my Cisco ASA.

However I would like to differentiate between VPN login users and SSH, ASDM users etc.

At present RADIUS allows either type of user access to any service.

But in reality I would like a restricted VPN list to access the Client VPN and another even more restricted list to access SSH and ASDM services.

I thought it would be a RADIUS attribute perhaps, but I'm not sure.

4 Replies

guibarati
Level 4

Hi, you have to enable group-lock in the VPN configuration on the ASA, and make RADIUS return the name of the user's VPN group policy in the attribute called Radius-Class.

My suggestion is returning any non-existent name in the group that should connect to SSH or Telnet.

Thanks for the post.

I'm still not sure how to get this working? And there must be a simple way?

I can't be the only person who has ever wanted to use RADIUS for both SSH and VPN logons?

Thanks.

Sorry for resurrecting such an old thread, but did you ever find a way to do this? I'm running into the exact same situation and would love to know if/how you got it working.

Thanks in advance!

I would use two RADIUS servers. One for users and the other for device management. That way, any configuration mistakes do not expose your devices. I would only use the same server if I am using different protocols (TACACS for devices and RADIUS for users).

Thanks

John

**Please rate posts you find helpful**
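
The two suggestions in the replies above (group-lock driven by the RADIUS Class attribute, and separate RADIUS servers for VPN users and device management) could be combined on the ASA roughly as follows. This is an added example, not configuration posted by anyone in the thread; the server-group, tunnel-group and group-policy names, the `inside` interface, the 192.0.2.x addresses and the keys are all assumed placeholders.

```text
! Added example: every name, address and key below is a constructed placeholder.
!
! Server group used only for remote-access VPN logins
aaa-server RAD-VPN protocol radius
aaa-server RAD-VPN (inside) host 192.0.2.10
 key <vpn-radius-shared-secret>
!
! Separate server group used only for device management
aaa-server RAD-MGMT protocol radius
aaa-server RAD-MGMT (inside) host 192.0.2.20
 key <mgmt-radius-shared-secret>
!
! SSH and ASDM (HTTP) logins are checked against the management server,
! with the LOCAL database as fallback if that server is unreachable
aaa authentication ssh console RAD-MGMT LOCAL
aaa authentication http console RAD-MGMT LOCAL
!
! Catch-all policy: a user whose RADIUS reply names no usable group policy
! inherits this one and cannot open a VPN session
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
! Policy the VPN RADIUS server names in the Class attribute
! (for example OU=VPN-USERS;), locked to the one tunnel group
group-policy VPN-USERS internal
group-policy VPN-USERS attributes
 group-lock value RA-VPN
!
! The VPN tunnel group authenticates against the VPN server only
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group RAD-VPN
 default-group-policy NOACCESS
```

With this layout an account known only to the VPN RADIUS server is never consulted for SSH or ASDM, and an account that authenticates for VPN without being assigned VPN-USERS falls through to NOACCESS.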