12-18-2008 06:20 AM - edited 03-10-2019 04:14 PM
Greetings-
Is it possible to force AAA uauth queries via attached users behind a router doing L2L with an ASA - where the ACS server is behind the ASA? This would be used to control Internet access for hosts behind the router - using split-tunnel and going out their own ISP for Internet. Sorry if this sounds a bit convoluted.
12-18-2008 09:35 AM
Yes, this is possible. I am not sure I am really following what you are authenticating, but it is possible to send AAA requests across an L2L. There is a known bug in 8.0 - 8.0(3) which prevents this. Make sure you are running 7.2x code or 8.0(4). In order for this to work, you will need to define your AAA servers, and make sure that they are in your ACL that defines your crypto map, so that the router or ASA knows where to send the request. Reply if you need a config example (and let me know if you need the ASA config or the router IOS config). Attaching your config(s) would be helpful, along with your AAA server information, so that I can just put in what changes need to be made.
*Please rate if helpful.
12-18-2008 09:59 AM
Hi Mike,
This is supposition for now. To clarify, a user behind the router opens a browser to surf the web. He is using the local ISP for Internet (split-tunnel). I want to have the ability to force him to authenticate before being allowed to access the Internet - otherwise anyone behind the router has open access to the Internet.
If you say that's possible, then I can upload configs for your assistance. Thanks.
12-18-2008 11:14 AM
Assuming that your VPN is already working, here is how you do it on the router. Assume that F0/0 is the Internet-facing interface on the router and F0/1 is the "internal"-facing interface on the router. Also assume that the AAA server is residing behind the ASA firewall:
ip tacacs source-interface F1/0
tacacs-server host x.x.x.x key 123456
That will allow the router to source AAA traffic from interface F1/0, thus going across the VPN tunnel.
Easy, right?
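The following is an added router-side IOS configuration example, not a config posted by anyone in this thread, that puts the two answers above together: TACACS+ traffic is sourced from the inside interface so it matches the crypto ACL and is encrypted into the L2L tunnel, and IOS Authentication Proxy (the router-side equivalent of the "force users to authenticate in the browser" requirement; the thread itself does not name the feature) intercepts HTTP from hosts behind the router before they are allowed out through the local ISP. All addresses, interface names and ACL/crypto-map names are constructed placeholders, and the ASA is assumed to already carry the mirror-image crypto ACL for 10.1.1.0/24 <-> 192.168.10.0/24.

```cisco
! Constructed addressing for this example:
!   192.168.10.0/24 = LAN behind the router, F0/1 = 192.168.10.1 (inside)
!   10.1.1.0/24     = LAN behind the ASA, ACS/TACACS+ server = 10.1.1.20
!   203.0.113.2     = ASA outside address (L2L peer)
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization auth-proxy default group tacacs+
!
! TACACS+ server behind the ASA; sourcing from the inside interface is
! what makes the AAA packets match the crypto ACL below.
tacacs-server host 10.1.1.20 key 123456
ip tacacs source-interface FastEthernet0/1
!
! Auth-proxy serves its login page from the router's HTTP server,
! so the HTTP server must be on and must authenticate through AAA.
ip http server
ip http authentication aaa
ip auth-proxy name WEBAUTH http inactivity-time 60
!
! Crypto ACL: the first entry covers both user traffic to the remote LAN
! and the router-sourced AAA exchange (192.168.10.1 -> 10.1.1.20). If the
! AAA server were outside this ACL, the request would go in the clear to
! the ISP and never reach the ACS.
ip access-list extended CRYPTO-ACL
 permit ip 192.168.10.0 0.0.0.255 10.1.1.0 0.0.0.255
!
crypto map L2L 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address CRYPTO-ACL
!
! Inbound ACL on the inside interface: tunnel-bound traffic and DNS pass
! without web authentication; everything else (i.e. Internet via the local
! ISP, the split-tunnel path) is denied until auth-proxy inserts the
! per-user permits it downloads from the ACS after a successful login.
ip access-list extended INSIDE-IN
 permit ip 192.168.10.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit udp 192.168.10.0 0.0.0.255 any eq domain
 deny   ip any any
!
interface FastEthernet0/0
 description Internet (local ISP)
 ip address 203.0.113.10 255.255.255.0
 crypto map L2L
!
interface FastEthernet0/1
 description inside LAN
 ip address 192.168.10.1 255.255.255.0
 ip access-group INSIDE-IN in
 ip auth-proxy WEBAUTH
```

Two things to check after applying something like this: `show crypto ipsec sa` should show the encrypt/decrypt counters climbing when a login is attempted (the AAA exchange is riding the tunnel), and `show ip auth-proxy cache` should list the authenticated host with its dynamic entries. The ACS side must return the auth-proxy per-user ACL attributes for each user; that server-side configuration is assumed here and not shown.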