Radius authentication

niro
Level 1

We're using Cisco ACS as a RADIUS server which uses Active Directory to authenticate users. All SSH logins to the ASA authenticate to that RADIUS server.

We also use that RADIUS server for VPN authentication...the problem I'm having is that since we have to enable the dial-in property in AD to allow people to VPN, they are also able to SSH into the firewall, although since we also use command authorization they are not able to actually do anything. The VPN users group in RADIUS is separate from the network management users group...is there a property or anything I can set to disable users in the VPN Users group from being able to log in to the firewall?

Accepted Solutions

Collin Clark
VIP Alumni

Sure, add the allowed users to a group in ACS, then use NAR to restrict what devices they can get to. This link might help as well.

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=AAA&topicID=.ee6e1fe&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc25eb6

Hope that helps.

That worked perfectly, thanks!
