
Multiple VPN Groups, Same ASA, Same ACS

I've searched through the forums a bit and there were several conversations that were similar to what I was doing, but I could not find any that were exact. Here is my scenario:

One ASA5520 as the Remote Access VPN head unit (IPSEC).

One Cisco ACS Server for VPN authentication as well as network device authentication for admins.

Network Device authentication uses TACACS. Remote Access VPN uses RADIUS. I have an active directory group that is mapped to an NDG that VPN users authenticate with.

I have need of a new, separate VPN for consultants. I want to use a different tunnel group and IP address range so I can define downloadable ACLs based on the group - not the users.

When I try and map another NDG to a new AD group, that works. When I try and add the ASA's IP address as the requestor, I'm greeted with a message that I cannot add the same IP twice.

There has to be a way to do this with such a robust server...

If this post answers your question or is helpful, please consider rating it and/or marking as answered.
2 Replies

Jagdeep Gambhir
Level 10

There is no need to add the ASA again in the aaa-clients section. The previous entry will take care of all the RADIUS requests coming from the ASA.

Regards,

~JG

Do rate helpful posts

I'm not really sure that answers my question... how do I authenticate to the separate AD group then? I want to use downloadable ACLs for the specific consultant group.
