Cisco Support Community
New Member

ACS 3.3 Allowing Tacacs authentication for a group but denying Radius Login

Hi all,

I have an ACS box with multiple Windows Group mappings. I have 3 TACACS groups configured for separate networks and a Group set up for Radius authentication.

Put simply, my problem is that anyone defined in the Tacacs groups can authenticate over our VPN via the Radius. Any assistance in stopping this would be much appreciated.

1 REPLY
Silver

Re: ACS 3.3 Allowing Tacacs authentication for a group but denyi

Hi

The simplest way would be to define a dial-based NAR to deny access to the VPN device inside each of the T+ groups. Users would still authenticate, but be denied access due to the filter.

Since it's a dial (aka CLID/DNIS) filter, it would not prevent the same users doing a T+ login (via telnet) to the VPN device itself.

Would be nice to say "Group XYZ doesn't support RADIUS"

Darran
