Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
665
Views
0
Helpful
4
Replies

separating ASA webauth from ASA admin auth in CSACS

slug420
Level 1
Level 1

‎05-01-2009 10:24 AM - edited ‎03-10-2019 04:28 PM

Just like the title says....

We use TACACS for admin authentication to our ASAs. I now want to use the webauth capability of the ASA to force a "captive portal" authentication against tacacs to get to various resources.

So I configured the webauth thing on the ASA and I can authenticate no problem....but I am not sure how to add people to TACACS that I want to be able to access the website via webauth but I do not want to be able to authenticate to the firewall.

Also how would I have the ASA authenticate groupA users to get to websiteA and authenticate groupBusers to get to websiteB while not having any of the groupB users get to websiteA and vice versa?

thanks!

Labels:
0 Helpful
4 Replies 4

Jagdeep Gambhir
Level 10
Level 10

‎05-01-2009 11:22 AM

For your 1st issue you can use NAR's feature. In this you need to use IP based network access restriction. Here you deny access to ASA.

Now these users will not able to telnet, ssh or https to firewall but will be able to authenticate to portal.

http://cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml

For 2nd issue you can try Downloadable ACL.

http://cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a9eddc.shtml

Regards,

~JG

Do rate helpful posts

0 Helpful

slug420
Level 1
Level 1
In response to Jagdeep Gambhir

‎05-04-2009 11:02 AM

"For your 1st issue you can use NAR's feature. In this you need to use IP based network access restriction. Here you deny access to ASA.

Now these users will not able to telnet, ssh or https to firewall but will be able to authenticate to portal. "

Won't they still be able to ssh to switches and things if I do this? If I am creating a Deny rule wouldnt I have to create one for every device I want them to not connect to? For example all of our switches and routers?

Is there a way to provide this access using a single permit rule? Denying every device individually does not scale well and I just tried a NAR to deny access from all devices on all ports and that didnt work...I was unable to authenticate then.

0 Helpful

Jagdeep Gambhir
Level 10
Level 10
In response to slug420

‎05-04-2009 04:20 PM

You can use permit option instead of deny. You can create one fake or null device in acs network configuration and give permit access in NAR for that fake device.

Now user can only access that device listed in NAR and rest everything would be denied, just like ACL.

Use * for port number and ip address.

Regards,

~JG

Do rate helpful posts

0 Helpful

slug420
Level 1
Level 1
In response to Jagdeep Gambhir

‎05-05-2009 04:03 AM

I just tried this but I cannot authenticate via webauth with this configuration....

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents