Multiple VPN Groups, Same ASA, Same ACS

Unanswered Question
Jun 23rd, 2009

I've searched through the forums a bit and there were several conversations that were similar to what I was doing, but I could not find any that were exact. Here is my scenario:

One ASA5520 as the Remote Access VPN head unit (IPSEC).

One Cisco ACS Server for VPN authentication as well as network device authentication for admins.

Network Device authentication uses TACACS. Remote Access VPN uses RADIUS. I have an Active Directory group that is mapped to an NDG that VPN users authenticate with.

I have need of a new, separate VPN for consultants. I want to use a different tunnel group and IP address range so I can define downloadable ACLs based on the group - not the users.

When I try and map another NDG to a new AD group, that works. When I try and add the ASA's IP address as the requestor, I'm greeted with a message that I cannot add the same IP twice.

There has to be a way to do this with such a robust server...

Jagdeep Gambhir Thu, 06/25/2009 - 06:06

There is no need to add the ASA again in the aaa-clients section. The previous entry will take care of all the RADIUS requests coming from the ASA.



Do rate helpful posts

Christopher Bell Thu, 06/25/2009 - 08:07

I'm not really sure that answers my question... how do I authenticate to the separate AD group then? I want to use downloadable ACLs to the specific consultant group.

