Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
548
Views
0
Helpful
7
Replies

vpn authentication

Go to solution
ofir
Level 1
Level 1

‎02-25-2009 09:02 AM

I have 2 tunnel-groups:

tunnel-group test type ipsec-ra

tunnel-group test general-attributes

address-pool VPN_Pool

authorization-server-group LOCAL

authorization-server-group (inside) LOCAL

authorization-server-group (outside) LOCAL

default-group-policy test

authorization-required

tunnel-group test ipsec-attributes

pre-shared-key *

and

tunnel-group Users type ipsec-ra

tunnel-group Users general-attributes

address-pool VPN_Pool

default-group-policy Users

tunnel-group Users ipsec-attributes

pre-shared-key *

Usaers is the production vpn access group, it uses the LOCAL database for authentication and most important for this question - it is working well.

test as you can guess is a test group that was created back in the time that I configured ASA5505 for the first time. it is also working.

both groups use the same LACAL database BUT as you can see the Users group doesn't have anything to show it.

I have to change the authentication from LOCAL to RADIUS (which I've tested from that ASA and working fine). I want to start by testing the test group and if it's all good - apply on the Users group.

how should I do it?

how do I make RADIUS primary authentication source with fall back to the LOCAL if RADIUS is down?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Ivan Martinon
Level 7
Level 7

‎02-26-2009 08:44 AM

You would go into your tunnel group settings and change the settings accordingly like this:

tunnel-group test general-attributes

authentication-server group LOCAL

This will cause the tunnel group to use Radius first and Local if Radis fails. Note you might want to remove the authorization part of your setup.

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Ivan Martinon
Level 7
Level 7

‎02-26-2009 08:44 AM

You would go into your tunnel group settings and change the settings accordingly like this:

tunnel-group test general-attributes

authentication-server group LOCAL

This will cause the tunnel group to use Radius first and Local if Radis fails. Note you might want to remove the authorization part of your setup.

0 Helpful

Go to solution
ofir
Level 1
Level 1
In response to Ivan Martinon

‎02-26-2009 09:06 AM

currently my LOCAL apply different privilege levels. when switching to IAS\AD will I still have a way to enforce different privilege levels?

0 Helpful

Go to solution
Ivan Martinon
Level 7
Level 7
In response to ofir

‎02-26-2009 09:16 AM

Privilege as in privilege levels?

0 Helpful

Go to solution
ofir
Level 1
Level 1
In response to Ivan Martinon

‎02-26-2009 09:18 AM

yes

1 for non-admin users who require vpn access only

15 for admin who require console management access in addition for their vpn access

0 Helpful

Go to solution
Ivan Martinon
Level 7
Level 7
In response to ofir

‎02-26-2009 09:22 AM

OK, Privilege level is not read when using the vpn connection, and since the only thing you are changing of authentication method is the vpn client access and not the Console Access (SSH, TELNET CONSOLE...) you don't need to work the privilege levels at all, unless you do require that, in which case privilege levels will not be read as a normal IOS device, take a look at the following:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1537397

0 Helpful

Go to solution
ofir
Level 1
Level 1
In response to Ivan Martinon

‎02-26-2009 09:30 AM

this is for v8.0(2) and later. I'm running ASA5505 v7

does all the above apply to PIX\ASA only or any switch? (3560, 2960 and older devices)?

0 Helpful

Go to solution
Ivan Martinon
Level 7
Level 7
In response to ofir

‎02-26-2009 09:38 AM

This only applies for ASA/PIX devices and only for version 8.X 7.X does not have this features.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents