ACS 3.3, downloadable ACLs

wilson_1234_2
Level 3

I am trying to configure downloadable ACLs for the users and groups that will be accessing our network via RA VPN on an ASA5510.

Currently everything is working with the exception of the downloadable ACL component restricting the traffic.

The RA config has been in place for a while using the Cisco client through the ASA.

I have the ACL configured per the syntax shown, and the ACL is applied to a test user, but I can still get to everything beyond what the ACL is restricting.

The tunnel groups are configured to use TACACS and not RADIUS for authentication.

I read that one of the requirements was that the authentication had to be RADIUS to use the downloadable ACL with the ACS.

Would it be easier to restrict the groups directly in the ASA appliance in the RA tunnel config?

4 Replies

srue
Level 7

Yes, you need to use RADIUS.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a9eddc.shtml

In your case, you can either switch to RADIUS or use the vpn-filter feature on the ASA - whichever one is best suited to your environment.

Thanks for the reply,

Is there any benefit to using TACACS over RADIUS?

Also, is there any way to log the RA VPN connections with the ASA?

Like accounting for example?

I would like to be able to look at the time and duration of a RA VPN tunnel via a log file.

We are doing Accounting and Administration of our network devices.

We had 3005 VPN Concentrators and you could peruse log files that showed connection times and the duration of the connection.

It seems you can only see the successful login via TACACS for the RA VPN users.

Here are the ASA/PIX syslog IDs of the relevant start/stop messages for remote IPsec VPN sessions.

713120

713050

113019

I'm not sure off hand what kind of accounting can be done through typical AAA.
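As an added example (not from this thread and not Cisco's code), the script below pairs the start and stop IDs listed above to produce the per-user connection time and duration asked for earlier in the thread. The log lines are constructed, and the message field layout (Username = ..., IP = ...) is assumed from the ASA syslog format; the ASA must be logging these IDs to a syslog server for this to work.

```python
import re
from datetime import datetime

# Constructed sample ASA syslog lines (made-up users, addresses and times);
# the bodies follow the assumed field layout of IDs 713120 / 713050 / 113019.
SAMPLE_LOG = """\
Jan 10 2008 09:12:01 asa5510 %ASA-5-713120: Group = ravpn, Username = jdoe, IP = 203.0.113.5, PHASE 2 COMPLETED (msgid=0a1b2c3d)
Jan 10 2008 09:13:30 asa5510 %ASA-5-713120: Group = ravpn, Username = asmith, IP = 198.51.100.9, PHASE 2 COMPLETED (msgid=1b2c3d4e)
Jan 10 2008 09:40:16 asa5510 %ASA-5-713050: Group = ravpn, Username = jdoe, IP = 203.0.113.5, Connection terminated for peer jdoe.  Reason: Peer Terminate  Remote Proxy 10.10.10.5, Local Proxy 0.0.0.0
Jan 10 2008 09:40:16 asa5510 %ASA-4-113019: Group = ravpn, Username = jdoe, IP = 203.0.113.5, Session disconnected. Session Type: IPsec, Duration: 0h:28m:15s, Bytes xmt: 123456, Bytes rcv: 654321, Reason: User Requested
Jan 10 2008 10:05:02 asa5510 %ASA-5-713120: Group = ravpn, Username = jdoe, IP = 203.0.113.5, PHASE 2 COMPLETED (msgid=2c3d4e5f)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ "
    r"%(?:ASA|PIX)-\d-(?P<msgid>\d{6}): (?P<body>.*)$")
FIELD_RE = re.compile(r"Username = (?P<user>[^,]+), IP = (?P<ip>[^,]+)")

START_IDS = {"713120"}          # phase 2 completed: tunnel is up
END_IDS = {"713050", "113019"}  # peer terminated / session disconnected

def parse_sessions(log_text):
    """Return (user, peer_ip, start, end, seconds) tuples; end/seconds are
    None for sessions that have no stop record in the log yet."""
    open_sessions = {}
    sessions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = FIELD_RE.search(m.group("body"))
        if not f:
            continue
        key = (f.group("user").strip(), f.group("ip").strip())
        ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
        msgid = m.group("msgid")
        if msgid in START_IDS:
            # A 713120 for an already-open user/IP is a phase 2 rekey, not a
            # new session, so the original start time is kept.
            open_sessions.setdefault(key, ts)
        elif msgid in END_IDS and key in open_sessions:
            # The first stop message closes the session; the second one for
            # the same teardown (713050 then 113019) is ignored.
            start = open_sessions.pop(key)
            sessions.append((key[0], key[1], start, ts,
                             int((ts - start).total_seconds())))
    for key, start in open_sessions.items():
        sessions.append((key[0], key[1], start, None, None))
    return sessions

if __name__ == "__main__":
    for user, ip, start, end, secs in parse_sessions(SAMPLE_LOG):
        print(f"{user:8} {ip:15} {start} -> {end or 'still up'} "
              f"{'' if secs is None else secs // 60}")
```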
