ACS 3.3 Allowing Tacacs authentication for a group but denying Radius Login

dodgybrother
Level 1

Hi all,

I have an ACS box with multiple Windows Group mappings. I have 3 TACACS groups configured for separate networks and a group set up for Radius authentication.

Put simply, my problem is that anyone defined in the Tacacs groups can authenticate over our VPN via the Radius. Any assistance in stopping this would be much appreciated.

1 Reply

darpotter
Level 5

Hi

The simplest way would be to define a dial-based NAR to deny access to the VPN device inside each of the T+ groups. Users would still authenticate, but be denied access due to the filter.

Since it's a dial (aka CLID/DNIS) filter, it would not prevent the same users doing a T+ login (via telnet) to the VPN device itself.

Would be nice to say "Group XYZ doesn't support RADIUS".

Darran
