vpn authentication

Answered Question

I have 2 tunnel-groups:

tunnel-group test type ipsec-ra

tunnel-group test general-attributes

address-pool VPN_Pool

authorization-server-group LOCAL

authorization-server-group (inside) LOCAL

authorization-server-group (outside) LOCAL

default-group-policy test

authorization-required

tunnel-group test ipsec-attributes

pre-shared-key *


and


tunnel-group Users type ipsec-ra

tunnel-group Users general-attributes

address-pool VPN_Pool

default-group-policy Users

tunnel-group Users ipsec-attributes

pre-shared-key *


Usaers is the production vpn access group, it uses the LOCAL database for authentication and most important for this question - it is working well.


test as you can guess is a test group that was created back in the time that I configured ASA5505 for the first time. it is also working.


both groups use the same LACAL database BUT as you can see the Users group doesn't have anything to show it.

I have to change the authentication from LOCAL to RADIUS (which I've tested from that ASA and working fine). I want to start by testing the test group and if it's all good - apply on the Users group.

how should I do it?

how do I make RADIUS primary authentication source with fall back to the LOCAL if RADIUS is down?

Correct Answer by Ivan Martinon about 8 years 1 month ago

You would go into your tunnel group settings and change the settings accordingly like this:


tunnel-group test general-attributes

authentication-server group LOCAL


This will cause the tunnel group to use Radius first and Local if Radis fails. Note you might want to remove the authorization part of your setup.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
Ivan Martinon Thu, 02/26/2009 - 08:44
User Badges:
  • Cisco Employee,

You would go into your tunnel group settings and change the settings accordingly like this:


tunnel-group test general-attributes

authentication-server group LOCAL


This will cause the tunnel group to use Radius first and Local if Radis fails. Note you might want to remove the authorization part of your setup.

Ivan Martinon Thu, 02/26/2009 - 09:22
User Badges:
  • Cisco Employee,

OK, Privilege level is not read when using the vpn connection, and since the only thing you are changing of authentication method is the vpn client access and not the Console Access (SSH, TELNET CONSOLE...) you don't need to work the privilege levels at all, unless you do require that, in which case privilege levels will not be read as a normal IOS device, take a look at the following:


http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1537397

Ivan Martinon Thu, 02/26/2009 - 09:38
User Badges:
  • Cisco Employee,

This only applies for ASA/PIX devices and only for version 8.X 7.X does not have this features.

Actions

This Discussion