Cisco Support Community

Radius authentication for console and vpn users

Hi,

I have a little problem...

I'm doing authentication on an ASA with Radius (authenticating against AD) for both console management authentication and remote access vpn users.

I can distinguish between different tunnel groups with the group-lock command and assign different groups to different tunnel groups.

The problem is that all vpn user groups can login with SSH or ASDM for management because there is no "group-lock"-like way to separate them.

Maybe you'll say: use a different Radius server for this purpose, but it's not really a scalable solution and I'd rather not use it.

Thanks.

BR,

Gabriel Gearip

6 REPLIES
Re: Radius authentication for console and vpn users

You can distinguish by editing attributes on Radius server (Radius policies in IAS).

VPN users: Framed-protocol

SSH: login (I'm not sure)

Peter

Re: Radius authentication for console and vpn users

That didn't work...

Users can login through SSH with both framed and login service-type attributes set.

Re: Radius authentication for console and vpn users

Using the ASDM management tool, go to the Configuration tab, Device management, Management access and exclude the address of the vpn users from management access.

Re: Radius authentication for console and vpn users

Hi,

The thing is that I myself administer the ASA through VPN so I cannot exclude the VPN pool for management.

Thanks.

BR,

Gabriel Gearip

Re: Radius authentication for console and vpn users

I guess I'll just use local users for management.

I can't believe though that there isn't any mechanism of distinguishing between the radius groups for local management...

Thanks.

Gabi.

Re: Radius authentication for console and vpn users

You could define a new aaa server group for management authentication and source it from the management interface, and let your vpn users' aaa authentication server group originate from an inside interface. Then on your radius server you could distinguish which group is trying to connect by ip address.
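As an added illustration of the suggestion above (example configuration, not from the thread or from Cisco): two ASA aaa-server groups point at the same RADIUS/AD host but are sourced from different interfaces, so the RADIUS server sees management logins and VPN logins arriving from two different addresses and can apply a separate policy to each. The interface names, addresses, group names and tunnel-group name are assumptions.

```text
! Both groups use the same RADIUS server (assumed 198.51.100.5); only the
! source interface differs. Management requests leave via "management"
! (assumed 192.0.2.10), VPN requests via "inside" (assumed 192.0.2.1), so the
! RADIUS server can register them as two clients and match policies on the
! client address.
aaa-server MGMT-RADIUS protocol radius
aaa-server MGMT-RADIUS (management) host 198.51.100.5
 key <shared-secret-placeholder>
aaa-server VPN-RADIUS protocol radius
aaa-server VPN-RADIUS (inside) host 198.51.100.5
 key <shared-secret-placeholder>
!
! SSH, ASDM (http) and serial console logins authenticate against MGMT-RADIUS
! only, with LOCAL as fallback if the server is unreachable.
aaa authentication ssh console MGMT-RADIUS LOCAL
aaa authentication http console MGMT-RADIUS LOCAL
aaa authentication serial console MGMT-RADIUS LOCAL
!
! The remote-access tunnel group authenticates against VPN-RADIUS; group-lock
! continues to separate the vpn user groups per tunnel group as before.
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group VPN-RADIUS
```

On the RADIUS side, only the policy that matches the management client address (192.0.2.10 here) should grant access to the administrators group, so vpn-only users authenticating from 192.0.2.1 are rejected for SSH and ASDM even though they authenticate against the same AD.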
