Also on this, I think you have to use the following command:

aaa authorization exec authentication-server

I just tried it using local database and "remote-access" and "admin". This seemed to make it pay attention to the service type.

On Fri, Nov 27, 2009 at 8:58 PM, Paul Stewart <[email protected]> wrote:

> I think if you authorize exec and set use service 6 for administrators
> and 6 for only vpn users it should work. If you look at the 8.2 docCD
> in "Configuring Access Control" > "Configuring Management Access",
> there is some information about this. Please post back if this worked
> or not and any caveats as I am curious as well.
>
> RADIUS or LDAP (mapped) users—Use the IETF RADIUS numeric Service-Type
> attribute which maps to one of the following values. (To map LDAP
> attributes, see the "LDAP Attribute Mapping" section on page 36-15.)
>
> –Service-Type 6 (Administrative)—Allows full access to any services
> specified by the aaa authentication console commands.
>
> –Service-Type 7 (NAS prompt)—Allows access to the CLI when you
> configure the aaa authentication {telnet | ssh} console command, but
> denies ASDM configuration access if you configure the aaa
> authentication http console command. ASDM monitoring access is
> allowed. If you configure enable authentication with the aaa
> authentication enable console command, the user cannot access
> privileged EXEC mode using the enable command.
>
> –Service-Type 5 (Outbound)—Denies management access. The user cannot
> use any services specified by the aaa authentication console commands
> (excluding the serial keyword; serial access is allowed). Remote
> access (IPSec and SSL) users can still authenticate and terminate
> their remote access sessions.
>
>> Date: Fri, 27 Nov 2009 16:27:02 +0000
>> From: hughie CCIE <[email protected]>
>> Subject: [OSL | CCIE_Security] radius auth of admin and vpn users
>> To: [email protected]
>>
>> Hi,
>>
>> Is it possible, without the use of an ACS server, to have admin users
>> authenticate via RADIUS to manage an ASA and then use the same RADIUS server
>> to authenticate VPN users. At the moment, in the lab, I am seeing the VPN
>> users being able to login to the firewall which I don't want and the admin
>> users can access the VPN which again I don't want. I can get the RADIUS
>> Server to send back attributes but how do I get the ASA to acknowledge them
>> and then grant or disallow access (some form of authorization)?
>>
>> --
>> Regards
>> Hughie
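As an added configuration example (constructed for this page; it is neither from the thread nor from the ASA documentation quoted above), here is the ASA side of the setup the replies describe: one RADIUS server group used both for management authentication and for the remote-access tunnel group, with aaa authorization exec authentication-server so the ASA acts on the Service-Type value the server returns, plus LOCAL fallback users carrying the equivalent service-type setting the reply above mentions. The server address, shared-secret placeholder, interface name, group names and usernames are all assumptions.

```cisco
! Added example, not from the thread: ASA 8.2-style configuration.
! Addresses, names and secrets are placeholders.
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 192.0.2.10
 key <shared-secret-placeholder>
!
! Management authentication against that server, LOCAL as fallback so an
! unreachable RADIUS server does not lock administrators out of the box
aaa authentication ssh console RADIUS-SRV LOCAL
aaa authentication http console RADIUS-SRV LOCAL
aaa authentication enable console RADIUS-SRV LOCAL
!
! Make the ASA honour the IETF Service-Type attribute the server returns:
!   6 (Administrative) -> full management access
!   7 (NAS prompt)     -> CLI only, no ASDM configuration, no enable
!   5 (Outbound)       -> management denied, VPN sessions still allowed
aaa authorization exec authentication-server
!
! LOCAL fallback accounts carry the same distinction (the "admin" and
! "remote-access" keywords the reply above refers to)
username admin1 password <placeholder> privilege 15
username admin1 attributes
 service-type admin
username vpnuser1 password <placeholder>
username vpnuser1 attributes
 service-type remote-access
!
! Remote-access VPN users authenticate against the same server group
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group RADIUS-SRV
```

On the RADIUS side the server has to return the numeric Service-Type per account: in a FreeRADIUS users file, for instance, Service-Type = Administrative-User (value 6) for administrators and Service-Type = Outbound-User (value 5) for VPN-only accounts. Note that, per the quoted documentation, Service-Type governs management access only: value 6 grants full management access but does not by itself keep an administrator account off the VPN, so the second half of the original question is not covered by this attribute.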
