I think if you authorize exec and use Service-Type 6 for administrators
and 6 for only VPN users it should work. If you look at the 8.2 docCD
in "Configuring Access Control" > "Configuring Management Access",
there is some information about this. Please post back whether this worked
or not, and any caveats, as I am curious as well.
RADIUS or LDAP (mapped) users: Use the IETF RADIUS numeric Service-Type
attribute, which maps to one of the following values. (To map LDAP
attributes, see the "LDAP Attribute Mapping" section on page 36-15.)

- Service-Type 6 (Administrative): Allows full access to any services
  specified by the aaa authentication console commands.

- Service-Type 7 (NAS prompt): Allows access to the CLI when you
  configure the aaa authentication {telnet | ssh} console command, but
  denies ASDM configuration access if you configure the aaa
  authentication http console command. ASDM monitoring access is
  allowed. If you configure enable authentication with the aaa
  authentication enable console command, the user cannot access
  privileged EXEC mode using the enable command.

- Service-Type 5 (Outbound): Denies management access. The user cannot
  use any services specified by the aaa authentication console commands
  (excluding the serial keyword; serial access is allowed). Remote
  access (IPSec and SSL) users can still authenticate and terminate
  their remote access sessions.
>
> ------------------------------
>
> Message: 3
> Date: Fri, 27 Nov 2009 16:27:02 +0000
> From: hughie CCIE <[email protected]>
> Subject: [OSL | CCIE_Security] radius auth of admin and vpn users
> To: [email protected]
> Message-ID:
> <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi,
>
> Is it possible, without the use of an ACS server, to have admin users
> authenticate via RADIUS to manage an ASA and then use the same RADIUS server
> to authenticate VPN users? At the moment, in the lab, I am seeing the VPN
> users being able to log in to the firewall, which I don't want, and the admin
> users can access the VPN, which again I don't want. I can get the RADIUS
> server to send back attributes, but how do I get the ASA to acknowledge them
> and then grant or disallow access (some form of authorization)?
>
> --
> Regards
> Hughie
> End of CCIE_Security Digest, Vol 41, Issue 80
> *********************************************
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
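As an added illustration of the Service-Type mechanism discussed in this thread (this is example code, written for this page; it is not from the poster, the Cisco documentation or any ASA/RADIUS implementation), the block below encodes a RADIUS Access-Accept carrying the IETF Service-Type attribute (attribute 6, a 4-byte integer, per RFC 2865), verifies the Response Authenticator the way a NAS must before trusting the reply, and then applies the 8.2 rules quoted above to decide which management services a user with Service-Type 5, 6 or 7 gets. Function names, the service labels, the sample shared secret and the Request Authenticator are this example's own. Two points are assumptions, not statements from the documentation: a missing or unrecognised Service-Type is treated as "deny management" (fail closed), and VPN access is treated as unaffected by the attribute for values 6 and 7 (the doc only states this for value 5).

```python
# Added example (not from the thread or Cisco): encode a RADIUS Access-Accept
# carrying Service-Type, verify it as a NAS would, and apply the ASA 8.2
# management-access rules quoted above. Constant names, helper names and
# sample data are this example's own.
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6                            # IETF attribute number, RFC 2865 s.5.6
OUTBOUND, ADMINISTRATIVE, NAS_PROMPT = 5, 6, 7   # the values the ASA doc acts on


def build_access_accept(ident, request_auth, secret, attrs):
    """Encode an Access-Accept. attrs: list of (type, value_bytes) tuples."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_response(packet, request_auth, secret):
    """Check the Response Authenticator, then return (code, {type: [values]}).

    A NAS must drop replies that fail this check: otherwise anyone on the
    path could inject an Access-Accept carrying Service-Type 6."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute length")
        attrs.setdefault(t, []).append(packet[pos + 2:pos + l])
        pos += l
    return code, attrs


def service_type(attrs):
    """Return the Service-Type integer, or None if absent, duplicated or malformed."""
    vals = attrs.get(ATTR_SERVICE_TYPE, [])
    if len(vals) != 1 or len(vals[0]) != 4:
        return None
    return struct.unpack("!I", vals[0])[0]


SERVICES = ("ssh", "telnet", "serial", "asdm-config", "asdm-monitor", "enable", "vpn")


def management_access(service, st):
    """True if the ASA grants `service` to a user whose Access-Accept carried
    Service-Type `st`, following the 8.2 documentation quoted in the thread."""
    if service not in SERVICES:
        raise ValueError(f"unknown service {service!r}")
    if service == "vpn":
        # The doc says Outbound (5) users can still terminate VPN sessions; this
        # example assumes the attribute never blocks VPN (not stated for 6/7).
        return True
    if service == "serial":
        return True          # serial is explicitly excluded from the restriction
    if st == ADMINISTRATIVE:
        return True          # full access to every aaa authentication ... console service
    if st == NAS_PROMPT:
        # CLI yes, ASDM monitoring yes, ASDM configuration no, enable no.
        return service in ("ssh", "telnet", "asdm-monitor")
    # Outbound (5), an unexpected value, or no attribute at all: this example
    # fails closed (assumption; the doc only lists values 5, 6 and 7).
    return False


def decide(packet, request_auth, secret, service):
    """End-to-end: verify the reply, extract Service-Type, apply the rule."""
    code, attrs = parse_response(packet, request_auth, secret)
    if code != ACCESS_ACCEPT:
        return False
    return management_access(service, service_type(attrs))


if __name__ == "__main__":
    # Constructed sample data: a fixed Request Authenticator and shared secret.
    req_auth = bytes(range(16))
    secret = b"s3cret"
    for st in (ADMINISTRATIVE, NAS_PROMPT, OUTBOUND):
        pkt = build_access_accept(1, req_auth, secret,
                                  [(ATTR_SERVICE_TYPE, struct.pack("!I", st))])
        granted = [s for s in SERVICES if decide(pkt, req_auth, secret, s)]
        print(f"Service-Type {st}: {granted}")
```

On the server side, a FreeRADIUS users file can return the attribute without ACS by adding `Service-Type = Administrative-User` to the admin entries and `Service-Type = Outbound-User` to the VPN-only entries (those symbolic names resolve to 6 and 5 in the RFC 2865 dictionary). On the ASA side, the "authorize exec" step the reply refers to is the `aaa authorization exec authentication-server` command, which is what makes the firewall act on the returned Service-Type rather than ignore it; check the 8.2 command reference for your exact release. Note that the documented behaviour only restricts management access: keeping administrators off the VPN is not something Service-Type addresses, and the thread does not cover it.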