tacacs+ vpn authorization

Unanswered Question
Mar 30th, 2009

I am somewhat familiar with radius/tacacs authentication for VPNs on ASA firewalls (and somewhat on IOS router based VPN). What I have been able to do using MS IAS radius is have radius return the group policy name for a given user based on group membership. What I am wondering is if the policy itself can be stored in MS IAS, or, more importantly, if the group name/parameters can be specified using Cisco TACACS+ instead of radius for VPN authentication/authorization.

Ivan Martinon Tue, 03/31/2009 - 11:03

This can only be achieved by using radius as the protocol, since it is more flexible with the attributes you can use. If you had an ACS, then you would not need to define specific values, as ACS has the specific VPN attributes needed for the external group authorization. There is an LDAP vpn-3000 schema that you can import to your AD to define these specific vpn-3000 attributes that are used, but I am not sure that an external radius authorization setup would support other than Radius.
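
As an added illustration (not part of the thread and not Cisco's or Microsoft's code): the group policy name that a RADIUS server hands back travels as an attribute in the Access-Accept, and the ASA convention is the IETF Class attribute (type 25) formatted as `OU=<policy>;`. The sketch below parses a constructed Access-Accept and extracts that name, which is useful when checking what an IAS policy actually returns for a user; the user `alice` and policy `SalesVPN` are hypothetical sample values.

```python
import struct

ACCESS_ACCEPT = 2   # RADIUS code (RFC 2865)
ATTR_CLASS = 25     # IETF Class attribute (RFC 2865)

def build_access_accept(identifier, attrs):
    """Constructed sample packet; the authenticator is zeroed, not computed."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH16s", ACCESS_ACCEPT, identifier,
                         20 + len(body), b"\x00" * 16)
    return header + body

def parse_attributes(packet):
    """Return (code, [(type, value), ...]); raise ValueError on bad lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs

def group_policy_from_accept(packet):
    """Group policy named by a Class 'OU=<name>;' value, else None."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return None
    for atype, value in attrs:
        text = value.decode("ascii", errors="replace")
        if atype == ATTR_CLASS and text.upper().startswith("OU="):
            name = text[3:].rstrip(";")
            if name:
                return name
    return None

# Constructed sample: user "alice" mapped to a hypothetical policy "SalesVPN".
SAMPLE = build_access_accept(7, [(1, b"alice"), (25, b"OU=SalesVPN;")])

if __name__ == "__main__":
    print(group_policy_from_accept(SAMPLE))
```

A reply with no Class attribute returns `None`, which on the ASA side means the user falls back to the tunnel group's default group policy rather than a per-user one.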

