09-22-2008 12:38 AM - edited 03-11-2019 06:47 AM
I have RADIUS authentication to an external RADIUS server set up for my Cisco ASA.
However I would like to differentiate between VPN login users and SSH, ASDM users etc.
At present RADIUS allows either type of user access to any service.
But in reality I would like a restricted VPN list to access the Client VPN and another even more restricted list to access SSH and ASDM services.
I thought it would be a RADIUS attribute perhaps but I'm not sure.
09-22-2008 06:33 AM
Hi, you have to enable group-lock in the VPN configuration on the ASA, and make the RADIUS server return the name of the user's VPN group policy in the attribute called Radius-Class.
My suggestion is to return any non-existing group name for the users that should connect to SSH or Telnet.
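The approach in the reply above, shown as an added configuration example (not from the original thread): the ASA applies the group policy named in the RADIUS Class attribute ("OU=<group-policy>;"), the VPN group policy is locked to its tunnel group, and management-only users get a Class value that matches no group policy on the ASA. Server names, addresses, usernames, the shared key and the FreeRADIUS users-file format are assumptions for illustration.

```text
! --- Cisco ASA side (assumed names/addresses) ---
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 10.0.0.10
 key <shared-secret-placeholder>
!
! Group policy for VPN users, locked to the VPN-TUNNEL tunnel group
group-policy VPN-USERS internal
group-policy VPN-USERS attributes
 vpn-tunnel-protocol ipsec
 group-lock value VPN-TUNNEL
!
tunnel-group VPN-TUNNEL type remote-access
tunnel-group VPN-TUNNEL general-attributes
 authentication-server-group RADIUS-SRV
 default-group-policy VPN-USERS
!
! SSH/ASDM logins also go to RADIUS (LOCAL as fallback if RADIUS is unreachable)
aaa authentication ssh console RADIUS-SRV LOCAL
aaa authentication http console RADIUS-SRV LOCAL

# --- FreeRADIUS "users" file side (assumed accounts/passwords) ---
# VPN user: Class names an existing group policy, so the VPN login is accepted
alice   Cleartext-Password := "placeholder-password"
        Class = "OU=VPN-USERS;"

# Management-only user: Class names a group policy that does not exist on
# the ASA, which is the reply's trick for keeping this account off the VPN
bob     Cleartext-Password := "placeholder-password"
        Class = "OU=NO-VPN-ACCESS;"
```

Test a VPN login and an SSH login with each account after applying this, and check the ASA syslog for which group policy was applied, since a wrong Class value silently falls through to the tunnel group's default policy.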
09-26-2008 12:34 AM
Thanks for the post.
I'm still not sure how to get this working, and there must be a simple way.
I can't be the only person who has ever wanted to use RADIUS for both SSH and VPN logons.
Thanks.
02-15-2010 02:08 PM
Sorry for resurrecting such an old thread, but did you ever find a way to do this? I'm running into the exact same situation and would love to know if/how you got it working.
Thanks in advance!
02-16-2010 05:20 PM
I would use two RADIUS servers. One for users and the other for device management. That way, any configuration mistakes do not expose your devices. I would only use the same server if I am using different protocols (TACACS+ for devices and RADIUS for users).
Thanks
John