Cisco Support Community

tacacs+ vpn authorization

I am somewhat familiar with RADIUS/TACACS authentication for VPNs on ASA firewalls (and somewhat on IOS router-based VPN). What I have been able to do using MS IAS RADIUS is have RADIUS return the group policy name for a given user based on group membership. What I am wondering is if the policy itself can be stored in MS IAS, or, more importantly, if the group name/parameters can be specified using Cisco TACACS+ instead of RADIUS for VPN authentication/authorization.


Re: tacacs+ vpn authorization

This can only be achieved by using RADIUS as the protocol, since it is more flexible with the attributes you can use. If you had an ACS, then you would not need to define specific values, as ACS has the specific VPN attributes needed for the external group authorization. There is an LDAP vpn-3000 schema that you can import to your AD to define these specific vpn-3000 attributes that are used, but I am not sure that an external RADIUS authorization setup would support anything other than RADIUS.
