I have an ACS 4.2 for AAA. Right now I'm using this server to authenticate users that log in to all my Cisco devices (routers, switches, ASAs, APs), and also to authenticate users for Remote Access VPN on the ASA.
The problem I have is that the VPN users, who are in a different group in ACS, are able to authenticate to log in to and administer the network devices, and this is a security issue. I need the VPN users to only be able to authenticate to the VPN and not be able to authenticate to log in to the network devices.
Any ideas? Is it possible to separate the RADIUS access-requests from VPN and from login?
Yes, it is possible to restrict your VPN users to the VPN ASA device only. If you want them not to have telnet/SSH/HTTP access to other devices in the network, then you may go for NAR (Network Access Restriction).
The only thing you need to know is what we are getting in calling-station-id. I believe it is an IP address. You may check this in Reports and Activity > Passed Authentications for a VPN user.
Here are the steps:
On ACS > go to the VPN group > Edit > look for NAR > under IP-based NAR > set the action to "DENIED" > select the devices (routers/switches) you want to deny access to > put * in the port and address fields > hit Submit + Restart.
Doing that, users will be able to connect via VPN and unable to do SSH and telnet.
I've attached a screenshot of the same (I did this for a 6509 switch).
Please rate helpful posts.
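One way to verify that the NAR is actually taking effect, as an added example that is not part of the original thread: audit an export of the ACS Passed Authentications report and flag any user in the VPN group whose successful authentication came from a NAS other than the VPN ASA. The CSV column names, group name, device addresses and the sample rows below are all constructed assumptions; adjust them to match your own report.

```python
import csv
import io

# Constructed sample of an ACS 4.x "Passed Authentications" export.
# Column names are assumed; check them against a real export before use.
SAMPLE_REPORT = """\
Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,NAS-Port,NAS-IP-Address
05/12/2011,09:01:12,Authen OK,vpnuser1,VPN-Users,203.0.113.10,1,192.0.2.1
05/12/2011,09:03:45,Authen OK,vpnuser1,VPN-Users,10.10.10.5,tty2,192.0.2.20
05/12/2011,09:05:02,Authen OK,netadmin,Network-Admins,10.10.10.7,tty1,192.0.2.20
05/12/2011,09:07:30,Authen OK,vpnuser2,VPN-Users,198.51.100.4,1,192.0.2.1
"""

# Assumed names: the ACS group holding VPN-only users, and the NAS IP(s) of the
# ASA(s) that terminate Remote Access VPN. Everything else is a network device.
VPN_GROUP = "VPN-Users"
VPN_DEVICES = {"192.0.2.1"}


def find_vpn_logins_on_network_devices(report_text, vpn_group=VPN_GROUP,
                                       vpn_devices=VPN_DEVICES):
    """Return passed-authentication rows where a VPN-group user authenticated
    against a NAS that is not a VPN ASA, i.e. a login the NAR should have
    denied. An empty list means the restriction held for the exported period."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        if row["Group-Name"] != vpn_group:
            continue                      # only VPN-group users are of interest
        if row["NAS-IP-Address"] in vpn_devices:
            continue                      # VPN logins on the ASA are expected
        findings.append({
            "user": row["User-Name"],
            "nas": row["NAS-IP-Address"],
            "caller_id": row["Caller-ID"],   # what ACS saw as calling-station-id
            "when": f'{row["Date"]} {row["Time"]}',
        })
    return findings


if __name__ == "__main__":
    for f in find_vpn_logins_on_network_devices(SAMPLE_REPORT):
        print(f"{f['when']}: VPN user {f['user']} passed authentication on "
              f"{f['nas']} (calling-station-id {f['caller_id']})")
```

Run it against a fresh export after the NAR change; any row it still reports is a device missing from the NAR device list.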