Cisco Support Community
New Member

How to use tacacs+ authentication to assign a group policy at login in Cisco ASA

Hi everyone,

As in the title, does anyone know how it works?

I only found that it works with LDAP authentication, not with TACACS+:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html#noaccessgp

Please give me a hand, thanks.

  • VPN
2 REPLIES
VIP Purple

If you want to use external authorization but not LDAP, then you should use RADIUS. There you can send the "class" attribute (#25) to the ASA which is the group-policy that should be assigned. I'm not aware of any way to achieve this through TACACS+.

-- Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Hi Karsten,

I have a similar requirement. I used the ACS, configured an Auth profile and mapped the RADIUS Class (25) value to the ASA group-policy name (I even tried the tunnel-group name), but it does not work. It allows whatever VPN group the user selects, regardless of the user groups he belongs to.

I use two ACS local users, put them in two different groups, mapped those two groups to two different Access rules in the ACS and pointed them to the correct Auth profile, etc.

I am not sure what the issue could be and would appreciate it if you can advise.

thanks in advance.
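To put Karsten's RADIUS approach next to the "any group is accepted" symptom from the second reply, here is an added configuration example; it is not from this thread or from Cisco's documentation. The server address, the user, policy and tunnel-group names, and the FreeRADIUS `users` entry are assumptions; the ASA expects the Class attribute in the form `OU=<group-policy>;`.

```text
# --- RADIUS server side: constructed FreeRADIUS "users" entry (assumed) ---
# Attribute 25 (Class) carries the group-policy the ASA should assign.
sales-user  Cleartext-Password := "REPLACE-ME"
            Class = "OU=GP-SALES;"

! --- ASA side (names and address are assumptions) ---
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 192.0.2.10
 key REPLACE-ME

! Policy that the RADIUS Class attribute maps to.
group-policy GP-SALES internal
group-policy GP-SALES attributes
 vpn-tunnel-protocol ssl-client ikev2
 group-lock value VPN-SALES

! Fallback policy: a user the RADIUS server did not map lands here and is denied.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

tunnel-group VPN-SALES type remote-access
tunnel-group VPN-SALES general-attributes
 authentication-server-group RADIUS-SRV
 default-group-policy NOACCESS
```

The second reply's behaviour (every selected group works) is what you get when `default-group-policy` points at a permissive policy and the RADIUS reply carries no usable Class value, so verify the returned attribute with `test aaa-server authentication RADIUS-SRV host 192.0.2.10 username sales-user password ...` and then check the assigned policy in `show vpn-sessiondb anyconnect`.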
