Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

vpn authentication

I have 2 tunnel-groups:

tunnel-group test type ipsec-ra

tunnel-group test general-attributes

address-pool VPN_Pool

authorization-server-group LOCAL

authorization-server-group (inside) LOCAL

authorization-server-group (outside) LOCAL

default-group-policy test

authorization-required

tunnel-group test ipsec-attributes

pre-shared-key *

and

tunnel-group Users type ipsec-ra

tunnel-group Users general-attributes

address-pool VPN_Pool

default-group-policy Users

tunnel-group Users ipsec-attributes

pre-shared-key *

Usaers is the production vpn access group, it uses the LOCAL database for authentication and most important for this question - it is working well.

test as you can guess is a test group that was created back in the time that I configured ASA5505 for the first time. it is also working.

both groups use the same LACAL database BUT as you can see the Users group doesn't have anything to show it.

I have to change the authentication from LOCAL to RADIUS (which I've tested from that ASA and working fine). I want to start by testing the test group and if it's all good - apply on the Users group.

how should I do it?

how do I make RADIUS primary authentication source with fall back to the LOCAL if RADIUS is down?

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: vpn authentication

You would go into your tunnel group settings and change the settings accordingly like this:

tunnel-group test general-attributes

authentication-server group LOCAL

This will cause the tunnel group to use Radius first and Local if Radis fails. Note you might want to remove the authorization part of your setup.

7 REPLIES
Cisco Employee

Re: vpn authentication

You would go into your tunnel group settings and change the settings accordingly like this:

tunnel-group test general-attributes

authentication-server group LOCAL

This will cause the tunnel group to use Radius first and Local if Radis fails. Note you might want to remove the authorization part of your setup.

New Member

Re: vpn authentication

currently my LOCAL apply different privilege levels. when switching to IAS\AD will I still have a way to enforce different privilege levels?

Cisco Employee

Re: vpn authentication

Privilege as in privilege levels?

New Member

Re: vpn authentication

yes

1 for non-admin users who require vpn access only

15 for admin who require console management access in addition for their vpn access

Cisco Employee

Re: vpn authentication

OK, Privilege level is not read when using the vpn connection, and since the only thing you are changing of authentication method is the vpn client access and not the Console Access (SSH, TELNET CONSOLE...) you don't need to work the privilege levels at all, unless you do require that, in which case privilege levels will not be read as a normal IOS device, take a look at the following:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1537397

New Member

Re: vpn authentication

this is for v8.0(2) and later. I'm running ASA5505 v7

does all the above apply to PIX\ASA only or any switch? (3560, 2960 and older devices)?

Cisco Employee

Re: vpn authentication

This only applies for ASA/PIX devices and only for version 8.X 7.X does not have this features.

242
Views
0
Helpful
7
Replies