Cisco Support Community
New Member

RADIUS on ASA

I have RADIUS authentication to an external RADIUS server set up for my Cisco ASA.

However I would like to differentiate between VPN login users and SSH, ASDM users etc.

At present RADIUS allows either type of user access to any service.

But in reality I would like a restricted VPN list to access the Client VPN and another even more restricted list to access SSH and ASDM services.

I thought it would be a RADIUS attribute perhaps but I'm not sure.

4 REPLIES
Bronze

Re: RADIUS on ASA

Hi, you have to enable group-lock in the VPN configuration on the ASA, and make the RADIUS server return the name of the user's VPN group policy in the attribute called Radius-Class.

My suggestion is returning any non-existing name for the group that should connect to SSH or Telnet.
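One way to lay out the group-lock and Class approach from the reply above, as an added example that is not from any poster in this thread. It goes one step further than the reply by using the RADIUS Service-Type attribute with `aaa authorization exec authentication-server` to control SSH and ASDM access. All names (RAD, VPN-TG, VPN-USERS, NOACCESS), the server address and the key are placeholders.

```cisco
! Added example: names, address and key are placeholders, not values from the thread.
aaa-server RAD protocol radius
aaa-server RAD (inside) host 192.0.2.10
 key <shared-secret>
!
! Default policy for the tunnel group: no VPN session is allowed unless
! RADIUS names a different group policy for the user.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
! Policy for permitted VPN users, locked to this tunnel group.
group-policy VPN-USERS internal
group-policy VPN-USERS attributes
 vpn-simultaneous-logins 3
 group-lock value VPN-TG
!
tunnel-group VPN-TG type remote-access
tunnel-group VPN-TG general-attributes
 authentication-server-group RAD
 default-group-policy NOACCESS
!
! Management logins authenticate against the same server, with LOCAL as
! fallback if the server is unreachable.
aaa authentication ssh console RAD LOCAL
aaa authentication http console RAD LOCAL
! Management access is then granted or denied by the Service-Type value
! returned in the Access-Accept.
aaa authorization exec authentication-server
!
! RADIUS server side, attributes returned per user list:
!   VPN-only users : Class (attr 25) = "OU=VPN-USERS;"
!                    Service-Type (attr 6) = 5 (Outbound: management denied)
!   Administrators : Service-Type (attr 6) = 6 (Administrative)
!                    no Class, so a VPN login falls to NOACCESS
```

Test with one account from each list before removing any local administrator account, since a wrong Service-Type value locks RADIUS users out of SSH and ASDM.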

New Member

Re: RADIUS on ASA

Thanks for the post.

I'm still not sure how to get this working? And there must be a simple way?

I can't be the only person who has ever wanted to use RADIUS for both SSH and VPN logons?

Thanks.

New Member

Re: RADIUS on ASA

Sorry for resurrecting such an old thread, but did you ever find a way to do this? I'm running into the exact same situation and would love to know if/how you got it working.

Thanks in advance!

Silver

Re: RADIUS on ASA

I would use two RADIUS servers. One for users and the other for device management. That way, any configuration mistakes do not expose your devices. I would only use the same server if I am using different protocols (TACACS for devices and RADIUS for users).

Thanks

John
