ACS 3.3 Allowing Tacacs authentication for a group but denying Radius Login

Unanswered Question
May 1st, 2006
User Badges:

Hi all,


I have a ACS box with multiple Windows Group mappings. I have 3 TACACS groups configured for separate networks and a Group set up for Radius authentication.


Put simply my problem is that anyone defined in the Tacacs groups can authenticate over our VPN via the Radius. Any assistance in stopping this would be much appreciated.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Loading.
darpotter Tue, 05/02/2006 - 06:10
User Badges:
  • Silver, 250 points or more


Hi


The simplest way would be to define a dial-based NAR to deny access to the VPN device inside each of the T+ groups. Users would still authenticate, but be denied access due to the filter.


Since its a dial (aka CLID/DNIS) filter it would not prevent the same users doing a T+ login (via telnet) to the VPN device itself.


Would be nice to say "Group XYZ doesnt support RADIUS"


Darran

Actions

This Discussion