separating ASA webauth from ASA admin auth in CSACS
Just like the title says....
We use TACACS for admin authentication to our ASAs. I now want to use the webauth capability of the ASA to force a "captive portal" authentication against tacacs to get to various resources.
So I configured the webauth thing on the ASA and I can authenticate no problem....but I am not sure how to add people to TACACS that I want to be able to access the website via webauth but I do not want to be able to authenticate to the firewall.
Also how would I have the ASA authenticate groupA users to get to websiteA and authenticate groupBusers to get to websiteB while not having any of the groupB users get to websiteA and vice versa?
Re: separating ASA webauth from ASA admin auth in CSACS
"For your 1st issue you can use NAR's feature. In this you need to use IP based network access restriction. Here you deny access to ASA.
Now these users will not able to telnet, ssh or https to firewall but will be able to authenticate to portal. "
Won't they still be able to ssh to switches and things if I do this? If I am creating a Deny rule wouldnt I have to create one for every device I want them to not connect to? For example all of our switches and routers?
Is there a way to provide this access using a single permit rule? Denying every device individually does not scale well and I just tried a NAR to deny access from all devices on all ports and that didnt work...I was unable to authenticate then.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...