Cisco Support Community
Radius authentication

We're using Cisco ACS as a radius server which uses active directory to authenticate users. All ssh logins to the ASA authenticate to that radius server.

We also use that Radius server for VPN authentication. The problem I'm having is that since we have to enable the dial-in property in AD to allow people to VPN, they are also able to SSH into the firewall, although since we also use command authorization they are not able to actually do anything. The VPN users group in Radius is separate from the network management users group. Is there a property or anything I can set to disable users in the VPN Users group from being able to log in to the firewall?

Accepted Solutions

Re: Radius authentication

Sure, add the allowed users to a group in ACS, then use NAR to restrict what devices they can get to. This link might help as well.

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=AAA&topicID=.ee6e1fe&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc25eb6

Hope that helps.

2 REPLIES

Re: Radius authentication

That worked perfectly, thanks!
