I have found various articles that state completely different things about what can and cannot be done using RADIUS authentication on a PIX or ASA.
Can someone provide me with a definitive answer on what my options are, or point me to a good whitepaper or 2?
Ideally I would like to have 2 groups of internal users: 1 group would be able to VPN in and have view-only access to my PIXes and routers; the second group would be able to VPN in and have admin rights to the PIXes and routers. From what I have read this is possible.
I would like my admin users to have level 15 access when they log in without having to enter a shared password or use their password a second time. I don't think having to enter your own password 2 times is so bad, but how would I prevent view-only users from being able to type "enable" and re-enter their AD password to get admin rights?
After that, turn on command authorization on the PIX and router (mentioned at the bottom of the document). Make sure you have backdoor entry via a local user account.
Once you have the command set there, go to each group and select the command set under the TACACS+ settings (please refer to the doc).
Also, there is no way to jump directly to privileged exec mode (in the case of a firewall). You have to type the enable password before you jump to this mode (#). However, this is possible in the case of an IOS router.
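The design described in the answer above, as an added configuration example that is not part of the original thread: TACACS+ command authorization with a local break-glass fallback on the ASA/PIX and on an IOS router. The server address 192.0.2.10, the server tag ACS, the account name breakglass and the `<...>` secrets are placeholders.

```cisco
! --- ASA / PIX (7.x+ syntax) --- assumed example, not from the thread
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 192.0.2.10
 key <SHARED-SECRET>
! Logins and "enable" are checked against the server; LOCAL is used only
! when the server is unreachable
aaa authentication ssh console ACS LOCAL
aaa authentication enable console ACS LOCAL
! Every command is authorized against the per-group command set on the
! server, so a view-only user who gets into # mode still cannot run
! configuration commands
aaa authorization command ACS LOCAL
! Local break-glass account for when the TACACS+ server is down
username breakglass password <LOCAL-SECRET> privilege 15

! --- IOS router --- same design
aaa new-model
tacacs-server host 192.0.2.10 key <SHARED-SECRET>
aaa authentication login default group tacacs+ local
! exec authorization lets the server hand admins privilege 15 directly,
! so no second password or "enable" is needed on the router
aaa authorization exec default group tacacs+ local
! per-command authorization for both privilege levels
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
username breakglass privilege 15 secret <LOCAL-SECRET>
line vty 0 4
 transport input ssh
```

Test the server-side command sets from a second session before closing the one you configured from, so a deny rule that matches too broadly cannot lock you out.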