And it does not work. The concentrator (3005) is configured so that our Cisco VPN client users authenticate against ACS, and this works just fine. What doesn't work is when I try to set the concentrator up so that people logging in to the concentrator to administer it get authenticated against ACS instead of the local account DB. The sample config seems to specify that there has to be a local account on the concentrator called admin, with admin rights. This doesn't make much sense, as the whole point of ACS is to use its account DB (usernames/passwords) for authentication, not the local DB.
Re: VPN 3005 + ACS 3.0 for Authentication/Administration purpose
The reason why you need to check "admin" in the 3000 concentrator is not that it is used as a username to pass the authentication.
Just make sure "AAA Access Level" 15 is configured correctly.
It functions like a group; it needs to match the TACACS server group settings. In the example it matches TACACS server group 2, "privilege level 15".
The username in the TACACS server can be anything: "Jack", "Tom", it is not necessary for it to be "admin". As long as you put all the users into "Group2", which is configured with "privilege level" 15, it will work fine.
I guess using "admin" as the username configured in the TACACS+ server is a little bit confusing here.
I have put our discussion into the feedback for this URL on CCO.
I believe our technical writer will improve it and reduce the confusion.
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...