

Advice on TACACS+

Hi there

I am trying to implement the following scenario and would like to know the best solution for me.

We have two groups of remote VPN users, 1) Support and 2) Operations, both using the Cisco VPN client to log in remotely to our site.

1) When members of the Support group VPN in, I want our Cisco ASA to give them an IP address from Pool A, I want them to be authenticated using TACACS, and after successful authentication they should be redirected to, or only have access to, Server A.

2) When members of the Operations group VPN in, I want our Cisco ASA to give them an IP address from Pool B, I want them to be authenticated using TACACS, and after successful authentication they should be redirected to Server A AND have full access to Servers B, C, D etc.

Is this possible? And if so, how?



Re: Advice on TACACS+


Yes, this can be done.

This doc will be helpful in configuring the ASA for VPN:

On the ACS you create two user groups and link them to their appropriate LDAP/Active Directory groups. Create a downloadable IP ACL on the ACS to DENY the SUPPORT group access to servers B, C and D; the OPERATIONS group will then have access to all servers WITHOUT an IP ACL.

Here is a link to downloadable ACLs.

I'm making the assumption that you somewhat understand these features and the configuration of these devices. I can elaborate more if needed later on. There are a couple of ways to make your scenario work, but this is the first one that comes to mind.

RADIUS could be used to lock users into their appropriate groups as well.

I think it's the same for an ASA as for the 3000 concentrator.




Re: Advice on TACACS+

I have a different philosophy and I call it: Keep It Simple Stupid (KISS).

I would do the following:

Place your ASA VPN device with both its outside and inside interfaces behind the firewall. Set up VPN with two groups, VPN and NetOps, and use RADIUS to lock users into their appropriate groups. VPN will get IP pool VPN_pool and NetOps will get VPN_NetOps.

Create rules on the firewall to allow the appropriate group to access resources based on IP.

This way it is much simpler than setting up downloadable ACLs.

Most enterprises set up VPN this way. They separate the functions of VPN and firewall into different devices.

My 2c.


Re: Advice on TACACS+


Thanks for your input. The thing with ACS is I doubt we will be willing to spend the thousands on it. The second solution seems more within budget (FREE), so I will test it and post my findings back here.

Thanks once again for your advice.


Re: Advice on TACACS+

Hi guys,

I've set up the following second VPN to allow a support user remote access to only one server. The VPN connects OK and assigns the right VPN, but when I try to RDP from the support laptop to the server nothing happens. The access lists aren't getting hit, so I'm lost as to why not. I've also added a static route on the server back to the remote pool using a different gateway (as this is in a test environment at present). Any ideas?

IP pool for remote users (pool range and mask elided in the post):

ip local pool RA_VPN_SUPPORT mask

NAT exemption for the pool (addresses elided):

access-list NONAT permit ip

For split tunnel (addresses elided):

access-list ACL_RA_VPN permit ip

ACL for RDP to the server (note that further down this ACL is referenced as the vpngroup split-tunnel list, not applied as a traffic filter; host addresses elided):

access-list ACL_VPN_SUPPORT permit tcp host host eq 3389
access-list ACL_VPN_SUPPORT permit ip host any

Phase 2 transform set and dynamic crypto map:

crypto ipsec transform-set RA_VPN_SET esp-3des esp-sha-hmac
crypto dynamic-map DYN_MAP 4 set transform-set RA_VPN_SET

Phase 1 (ISAKMP) pre-shared key and policy (peer address/netmask elided; DES/MD5 here are weaker than the 3DES/SHA transform set above):

isakmp key ******** address netmask
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

VPN group definition (PIX 6.x-style vpngroup syntax; DNS server and domain elided):

vpngroup RA_VPN_SUPPORT address-pool RA_VPN_SUPPORT
vpngroup RA_VPN_SUPPORT dns-server
vpngroup RA_VPN_SUPPORT default-domain
vpngroup RA_VPN_SUPPORT split-tunnel ACL_VPN_SUPPORT
vpngroup RA_VPN_SUPPORT idle-time 1800
vpngroup RA_VPN_SUPPORT password ********



Re: Advice on TACACS+

Greetings Soplandor,

This is possible through IPsec connection profiles. Within the IPsec connection profile realm you can set the IKE peer authentication to pre-shared key or certificate based. Here you would also choose the user authentication type, which would be TACACS in this case. You can also assign a separate DHCP pool to each group based on the membership of the VPN user. You can assign group policies to show a different login banner to each group and apply different filters that allow access to only the resources you want each group to have.
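The two-group design that the replies above describe (one address pool per group, per-group access restrictions, TACACS+ user authentication, connection profiles with their own group policies and banners), written out as an added example in ASA 8.0-8.3 CLI. This is not configuration from the thread or from Cisco's documentation. The names (TACACS-SRV, POOL_SUPPORT, POOL_OPS, GP_SUPPORT, GP_OPS, SUPPORT, OPS), the 10.10.x.x pool ranges, 192.168.100.10 as Server A, 192.168.101.0/24 as the subnet holding Servers B, C and D, and the TACACS+ server at 192.0.2.10 are all assumptions.

```cisco
! Added example (not from the thread): ASA 8.0-8.3 remote-access IPsec config
! for two VPN groups. All names, addresses and keys below are assumptions.

! TACACS+ server group used to authenticate VPN users (assumed host 192.0.2.10).
aaa-server TACACS-SRV protocol tacacs+
aaa-server TACACS-SRV (inside) host 192.0.2.10
 key <tacacs-shared-secret>

! One address pool per group, so downstream devices can key access on source IP.
ip local pool POOL_SUPPORT 10.10.1.1-10.10.1.254 mask 255.255.255.0
ip local pool POOL_OPS 10.10.2.1-10.10.2.254 mask 255.255.255.0

! vpn-filter ACLs. For remote-access groups the client pool is the source and
! the internal host the destination; the ASA applies the filter to both
! directions of the tunnelled traffic. Never bind these with access-group too.
! Support: RDP to Server A (assumed 192.168.100.10) and nothing else.
access-list VPNFILTER_SUPPORT extended permit tcp 10.10.1.0 255.255.255.0 host 192.168.100.10 eq 3389
access-list VPNFILTER_SUPPORT extended deny ip any any log
! Operations: Server A plus the subnet holding B, C and D (assumed 192.168.101.0/24).
access-list VPNFILTER_OPS extended permit ip 10.10.2.0 255.255.255.0 host 192.168.100.10
access-list VPNFILTER_OPS extended permit ip 10.10.2.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list VPNFILTER_OPS extended deny ip any any log

! Split-tunnel list: only these networks are sent through the tunnel.
access-list SPLIT_TUNNEL standard permit 192.168.100.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.101.0 255.255.255.0

! Group policies carry the pool, filter, split-tunnel list and banner per group.
! group-lock only bites when the policy is assigned per user by RADIUS/LDAP
! (or a local username); it then rejects a user arriving via the wrong profile.
group-policy GP_SUPPORT internal
group-policy GP_SUPPORT attributes
 address-pools value POOL_SUPPORT
 vpn-filter value VPNFILTER_SUPPORT
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 banner value Support VPN: RDP to Server A only
 group-lock value SUPPORT
group-policy GP_OPS internal
group-policy GP_OPS attributes
 address-pools value POOL_OPS
 vpn-filter value VPNFILTER_OPS
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 banner value Operations VPN
 group-lock value OPS

! Connection profiles (tunnel-groups): the client's group name and pre-shared
! key select the profile; TACACS+ then authenticates the individual user.
tunnel-group SUPPORT type remote-access
tunnel-group SUPPORT general-attributes
 address-pool POOL_SUPPORT
 authentication-server-group TACACS-SRV
 default-group-policy GP_SUPPORT
tunnel-group SUPPORT ipsec-attributes
 pre-shared-key <support-group-key>

tunnel-group OPS type remote-access
tunnel-group OPS general-attributes
 address-pool POOL_OPS
 authentication-server-group TACACS-SRV
 default-group-policy GP_OPS
tunnel-group OPS ipsec-attributes
 pre-shared-key <ops-group-key>
```

Two caveats worth checking before relying on this. First, on the ASA a TACACS+ server authenticates VPN users but returns no per-user VPN authorization attributes, so in this form group membership is enforced only by which profile (and pre-shared key) the client uses; a Support user who learns the OPS group name and key can join OPS. Locking users to a group the way the earlier replies describe needs the group policy returned per user from RADIUS or LDAP (or set on a local username), after which the group-lock lines above reject a mismatch. Second, with the default sysopt connection permit-vpn, decrypted VPN traffic bypasses the interface access-group, which is why interface ACLs show no hits for VPN clients and why the vpn-filter (or a separate firewall behind the ASA, as the KISS reply suggests) is the control that matters. On 8.4 and later the pre-shared-key line becomes ikev1 pre-shared-key. To verify, connect as each group and compare show vpn-sessiondb remote (assigned pool and group policy) with the hit counts in show access-list VPNFILTER_SUPPORT and show access-list VPNFILTER_OPS.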
