Does ACS have any way of saying "If a user is authenticating to deviceA, use externalDB1 for the password, but if they are authenticating to deviceB, then use externalDB2"?
An example of how this is practical is that our security policy dictates that users have a separate password for their VPN account vs. their AD account. The idea being that if their VPN password is compromised, they can't log into any other machines, or if a user's AD password is compromised, it can't be used for remote access. The users authenticate to ACS via RADIUS from the VPN device; what if that user needs to authenticate to a router as well via TACACS, which also talks to ACS, and they're permitted to use their LDAP / AD password to access the routers etc.? I'd like requests from the routers for user A to use LDAP, but requests from the VPN device for user A to use a local ACS username / password.
The only way around this that I know of is to use a separate username for VPN access, like userAvpn, and have a local username / password in ACS for userAvpn. I want to keep as much authentication centralized as I can, since it makes logging and management easier, but ACS doesn't seem to want to play nice...
After applying patch 13 to our ACS SE 4.2, we found that the enhancement allowing the TACACS+ database to be selected at the device level had been added (CSCsq58224). Therefore, for an NDG we can use a default method to authenticate the users for all devices, and then for device A within that same NDG select an external DB (such as Windows) to authenticate the users.
The section 'TACACS+ login/enable authentication' now appears within the AAA client configuration after applying the patch.