Cisco Support Community

How to lock pix groups to TACACS groups

I have a PIX V7 together with a TACACS to authenticate.

This TACACS is also authenticating two ISDN RAS concentrators.

Before I updated the PIX to V7 the authentication was perfect.

Now, after the update, I found that users of other TACACS groups can also log in on the PIX.

I tried group lock in the group policies, but it didn't change anything.


Re: How to lock pix groups to TACACS groups

What kind of TACACS do you have? If you have Cisco ACS it could be done with NAR. Select the group for which you want to disable access to the PIX, edit it, and in the field Network Access Restrictions (NAR) define an IP-based access restriction: select denied/calling point of access restriction and, in the list, select your PIX, and for address and port type * * (all).



Re: How to lock pix groups to TACACS groups

Thank you...this helps to limit the group to a NAS.

But I have still a problem.

I have two VPN-Groups defined on the pix.

Both are using the same IP-pool.

One is allowing split tunnel, the other one not.

I want to lock users into one of those groups.

Before I updated the PIX this was working fine. Now in V7 the PIX group does not have to match the TACACS group anymore.

I tried to use:

group-policy SoftClient attributes
 group-lock value SoftClient

But this doesn't help either.
