
AAA, different groups, different roles, same equipment


I have a tricky authentication case to submit:

My users are on Active Directory in two groups

- VPN Users

- Network admins

The groups are mirrored (bound) in the ACS.

I have a PIX configured as a VPN server. Both the VPN users and the network admins are authenticated by ACS (Radius for VPN, and TACACS+ or Radius for admins).

I only want my network admins to be able to log on my PIX, and only my VPN users to be able to connect by VPN.

Here's the question:

How do you segregate those two groups so they only have access to what's permitted for them? NAR doesn't work because only the PIX does the requests....

Right now, as configured above, both groups can do everything.

Thanks for your help.



Re: AAA, different groups, different roles, same equipment


Try this. In the VPN group create an IP-based NAR that doesn't permit anything. This will get applied to any TACACS+ device admin type authentication.

In the admin users group, create a CLI/DNIS NAR that doesn't allow anything.

Generally, IP NARs get applied to TACACS+ and DNIS/CLI to RADIUS.

In theory a T+ login from a vpn user will get filtered and a RADIUS login from an admin user will get filtered.

The possible stumbling point is how ACS applies the NAR to RADIUS VPN authentications. It uses some tortuous logic, but generally:

if ip address in authen rq ---> apply ip filter

if no ip address ----> apply dnis/cli filter

Fingers crossed the VPN auths don't include Framed-IP-Address!!

Don't think even ACS v4.0 helps a huge amount, because network access profiles (NAP) are RADIUS only.
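The NAR selection logic the reply describes, as an added toy model (this is illustration code, not Cisco ACS code or anything from the thread): each group carries at most one "permit nothing" NAR, ACS evaluates the IP-based NAR when the request carries an IP address and the CLI/DNIS NAR otherwise, and the user names, group names and addresses are constructed. The last scenario shows the reply's stumbling point: if the PIX includes Framed-IP-Address in the RADIUS VPN authentication, the VPN group's deny-all IP NAR fires against the VPN login too.

```python
"""Toy model of how ACS picks between a group's IP-based NAR and its CLI/DNIS NAR.

Assumption (taken from the reply, not verified against Cisco docs): an IP
address in the authentication request selects the IP filter; no IP address
selects the DNIS/CLI filter. A NAR of the other type is simply not evaluated.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class AuthRequest:
    user: str
    protocol: str                     # "tacacs+" (device admin) or "radius" (VPN)
    # The IP ACS sees in the request. Always present for a TACACS+ device
    # login; for a RADIUS VPN auth only if the PIX sends Framed-IP-Address.
    request_ip: Optional[str] = None
    cli: str = ""                     # calling-station-id (empty for a PIX VPN auth)
    dnis: str = ""                    # called-station-id


@dataclass(frozen=True)
class GroupPolicy:
    name: str
    # None = no NAR of that type configured (no restriction);
    # an empty set = a NAR that permits nothing.
    ip_nar: Optional[FrozenSet[str]] = None
    cli_dnis_nar: Optional[FrozenSet[Tuple[str, str]]] = None


# Group setup from the reply: VPN users get an IP NAR permitting nothing,
# admins get a CLI/DNIS NAR permitting nothing. Names are constructed.
GROUPS: Dict[str, GroupPolicy] = {
    "vpn_users": GroupPolicy("vpn_users", ip_nar=frozenset()),
    "network_admins": GroupPolicy("network_admins", cli_dnis_nar=frozenset()),
}
USER_TO_GROUP = {"alice": "vpn_users", "bob": "network_admins"}  # constructed users
PIX_IP = "10.0.0.1"  # constructed AAA client address


def select_nar(req: AuthRequest) -> str:
    """Which NAR type ACS would evaluate for this request (per the reply)."""
    return "ip" if req.request_ip else "cli_dnis"


def decide(req: AuthRequest) -> str:
    """Return 'permit' or 'deny' for the request under its group's NARs."""
    policy = GROUPS[USER_TO_GROUP[req.user]]
    if select_nar(req) == "ip":
        if policy.ip_nar is None:
            return "permit"                       # no IP NAR: unrestricted
        return "permit" if req.request_ip in policy.ip_nar else "deny"
    if policy.cli_dnis_nar is None:
        return "permit"                           # no CLI/DNIS NAR: unrestricted
    return "permit" if (req.cli, req.dnis) in policy.cli_dnis_nar else "deny"


def run_scenarios() -> Dict[str, str]:
    """The four intended outcomes plus the Framed-IP-Address failure mode."""
    return {
        "admin_tacacs_to_pix": decide(AuthRequest("bob", "tacacs+", request_ip=PIX_IP)),
        "vpnuser_tacacs_to_pix": decide(AuthRequest("alice", "tacacs+", request_ip=PIX_IP)),
        "vpnuser_radius_vpn": decide(AuthRequest("alice", "radius")),
        "admin_radius_vpn": decide(AuthRequest("bob", "radius")),
        # the reply's worry: the VPN auth carries Framed-IP-Address, so the
        # IP filter is applied and the deny-all IP NAR locks the VPN user out
        "vpnuser_radius_vpn_with_framed_ip": decide(
            AuthRequest("alice", "radius", request_ip="192.0.2.10")),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:40s} {result}")
```

The model is only as good as the selection rule it assumes; the reply itself calls the real logic "tortuous", so the last scenario is the one to check in the ACS failed-attempts log before relying on this split.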

