Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
564
Views
0
Helpful
3
Replies

Force AAA uauth across L2L

iholdings
Level 1
Level 1

‎12-18-2008 06:20 AM - edited ‎03-10-2019 04:14 PM

Greetings-

Is it possible to force AAA uauth queries via attached users behind a router doing L2L with an ASA - where the ACS server is behind the ASA? This would be used to control Internet access for hosts behind the router - using split-tunnel and going out their own ISP for Internet. Sorry if this sounds a bit convoluted.

Labels:
0 Helpful
3 Replies 3

mike.keller
Level 1
Level 1

‎12-18-2008 09:35 AM

Yes, this is possible. I am not sure I am really following what you are authenticating, but it is possible to send AAA requests across an L2L. There is a known bug in 8.0 - 8.0(3) which prevents this. Make sure you are running 7.2x code or 8.0(4). In order for this to work, you will need to define your AAA servers, and make sure that they are in your ACL that defines your crypto map, so that the router or ASA knows where to send the request. Reply if you need a config example (and let me know if you need the ASA config or the router IOS config). Attaching your config(s) would be helpful, along with your AAA server information, so that I can just put in what changes need to be made.

*Please rate if helpful.

0 Helpful

iholdings
Level 1
Level 1
In response to mike.keller

‎12-18-2008 09:59 AM

Hi Mike,

This is supposition for now. To clarify, a user behind the router opens a browser to surf the web. He is using the local ISP for Internet (split-tunnel). I want to have the ability to force him to authenticate before being allowed to access the Internet - otherwise anyone behind the router has open access to the Internet.

If you sya that's possible - then I can upload configs. for your assitance. Thanks.

0 Helpful

cisco24x7
Level 6
Level 6
In response to iholdings

‎12-18-2008 11:14 AM

assuming that your VPN is already working. Here

is how you do it on the router. Assuming that

F0/0 is the Internet facing interface on the

router and F0/1 is the "internal" facing

interface on the router. Also assume that the

AAA server is residing the ASA firewall:

ip tacacs-source interface F1/0

tacacs-server host x.x.x.x key 123456

that will allow the router to source AAA

traffics from interface F1/0 thus going across

the VPN tunnel.

Easy right?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents