Cisco Support Community
New Member

Different auth behaviour dependent on the interface

Is there a way of enforcing different auth behaviour dependent on the interface involved on the NAS?

The NAS in question is an ASA firewall pointing AAA to ACS 5.1.

The ASA has SSL VPN connections to the inside and outside interfaces, and the config needs:

     - any SSL VPN connection to the outside interface to trigger two-factor auth through ACS

     - any SSL VPN connection to the inside interface to use normal auth to ACS

i.e. if a user connects to the inside interface, only the normal username/password is required, but if a user connects to the outside interface, username/password + token is required.

Sez

1 REPLY
Cisco Employee

Re: Different auth behaviour dependent on the interface

No, not possible if you are using the same ACS server. If you are using 2 different ACS servers, there might be a possibility of configuring 2 different SSL groups and requesting the users to actually log in to 2 different groups, i.e. if a user connects from outside, ask them to connect to SSL VPN group A, and if a user connects from inside, ask them to connect to SSL VPN group B. However, that would require 2 separate ACS servers, or you can use 2-factor authentication using the ACS server, and internally connect SSL VPN using the ASA local database to authenticate the user.

Well, I guess it also depends on how many users you have and whether it's possible to administer that.
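
A sketch of the last option in the reply above (one SSL VPN group authenticating against ACS, one against the ASA local database), added here as an example and not part of the original thread or a Cisco-supplied configuration. The group names, aliases, the user, the RADIUS protocol choice and the 192.0.2.10 address are assumptions; keys and passwords are placeholders.

```cisco
! Added example. All names and addresses below are constructed placeholders.
!
! AAA server group pointing at the ACS server.
! Assumption: ACS is reached over RADIUS, and the password+token check
! itself is configured on the ACS side, not on the ASA.
aaa-server ACS-2FA protocol radius
aaa-server ACS-2FA (inside) host 192.0.2.10
 key <SHARED-SECRET-PLACEHOLDER>
!
! Group A: intended for users connecting to the outside interface.
! Authentication is sent to ACS.
tunnel-group SSLVPN-A type remote-access
tunnel-group SSLVPN-A general-attributes
 authentication-server-group ACS-2FA
tunnel-group SSLVPN-A webvpn-attributes
 group-alias Outside-2FA enable
!
! Group B: intended for users connecting to the inside interface.
! Authentication uses the ASA local user database.
tunnel-group SSLVPN-B type remote-access
tunnel-group SSLVPN-B general-attributes
 authentication-server-group LOCAL
tunnel-group SSLVPN-B webvpn-attributes
 group-alias Inside-Local enable
!
! Local account used only by group B (one entry per internal user).
username exampleuser password <PASSWORD-PLACEHOLDER>
!
! SSL VPN enabled on both interfaces; the login page offers the group list
! so users can select group A or group B, as the reply describes.
webvpn
 enable outside
 enable inside
 tunnel-group-list enable
```

Every internal user needs an entry in the ASA local database with this layout, which is the administration overhead the reply mentions.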
