ACS 5.3 and TACACS+ authentication from VPN

Hi all,

I have a Cisco ASA (8.2) set up with remote access for my users using the Cisco VPN client. The authentication is passed off to my ACS 5.3, which then checks with AD. What I've done so far is create an Access Policy rule where I define specifically the Location and NDG where the ASA is and then a DenyAllCommands command set. This should pass authentications just fine, but this also gives those users the ability to remote connect directly into the ASA and log in successfully. Even though there is a Deny Commands there, I would still prefer they get Access Denied as a message. If I do a Deny Access on the Shell Profile, then this stops the login authentication altogether. Is there a better way to do this?


ACS 5.3 and TACACS+ authentication from VPN

I don't understand your exact requirements. If you configure a "Shell Profile" to "deny access" then when a user authentication matches that "Shell Profile" that user won't be allowed into ASA.

Re: ACS 5.3 and TACACS+ authentication from VPN

Shell access simply restricts the commands you are allowed to use but does not deny the actual login into the ASA. The actual profile to prohibit someone from logging into the ASA also stops them from authenticating with their VPN, because both requests source the same way. After speaking with TAC, my mistake was combining the two. The solution is to have VPN authentications come via RADIUS and device authentication via TACACS+.
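The split the last post describes, as an added ASA configuration example (not from the thread or from Cisco; server addresses, shared secrets, server-group and tunnel-group names are placeholders):

```cisco
! Added example: separate VPN user authentication (RADIUS) from
! device administration (TACACS+) on an ASA so ACS 5.3 can apply a
! different policy to each. Addresses, keys and names are placeholders.

! --- RADIUS server group used only by remote-access VPN users ---
aaa-server VPN-RADIUS protocol radius
aaa-server VPN-RADIUS (inside) host 192.0.2.10
 key <RADIUS-SHARED-SECRET>
 timeout 5

! Bind the VPN tunnel-group to the RADIUS group, so VPN logins
! never reach the TACACS+ policy at all
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group VPN-RADIUS
 default-group-policy RA-VPN-POLICY

! --- TACACS+ server group used only for administrative logins ---
aaa-server ADMIN-TACACS protocol tacacs+
aaa-server ADMIN-TACACS (inside) host 192.0.2.11
 key <TACACS-SHARED-SECRET>
 timeout 5

! Device administration (SSH, enable) and command authorization go to
! TACACS+; LOCAL is the fallback if ACS is unreachable, so the admin
! account is not locked out when the AAA server is down
aaa authentication ssh console ADMIN-TACACS LOCAL
aaa authentication enable console ADMIN-TACACS LOCAL
aaa authorization command ADMIN-TACACS LOCAL
```

On the ACS side the two request types can then be routed by protocol to separate access services, so a Shell Profile set to Deny Access applies only to the TACACS+ (device-admin) requests and no longer blocks the RADIUS VPN authentications.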