vpn authentication

Guest

vpn authentication

Post by Guest » Tue Jan 11, 2011 3:36 pm


I have 2 tunnel-groups:

tunnel-group test type ipsec-ra
tunnel-group test general-attributes
 address-pool VPN_Pool
 authorization-server-group LOCAL
 authorization-server-group (inside) LOCAL
 authorization-server-group (outside) LOCAL
 default-group-policy test
 authorization-required
tunnel-group test ipsec-attributes
 pre-shared-key *

and

tunnel-group Users type ipsec-ra
tunnel-group Users general-attributes
 address-pool VPN_Pool
 default-group-policy Users
tunnel-group Users ipsec-attributes
 pre-shared-key *

Users is the production VPN access group, it uses the LOCAL database for authentication and most important for this question - it is working well.

test, as you can guess, is a test group that was created back in the time that I configured ASA5505 for the first time. It is also working.

Both groups use the same LOCAL database BUT as you can see the Users group doesn't have anything to show it.

I have to change the authentication from LOCAL to RADIUS (which I've tested from that ASA and working fine). I want to start by testing the test group and if it's all good - apply on the Users group.

How should I do it?

How do I make RADIUS the primary authentication source with fall back to the LOCAL if RADIUS is down?

Guest

Re:vpn authentication

Post by Guest » Tue Jan 11, 2011 4:13 pm


You would go into your tunnel group settings and change the settings accordingly like this:

tunnel-group test general-attributes
 authentication-server-group <radius srvr name> LOCAL

This will cause the tunnel group to use Radius first and Local if Radius fails. Note you might want to remove the authorization part of your setup.
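
An added example, not part of the original posts: a small Python audit that reads tunnel-group configuration and reports, per group, which server group authenticates users and whether the LOCAL fallback keyword is present. It assumes a hypothetical server-group name `RADIUS_GRP`, and it treats a group with no `authentication-server-group` line as LOCAL, since that is the ASA default and is not displayed in the running configuration (which is why the Users group above shows nothing).

```python
import re

# Constructed sample: the two tunnel-groups from the thread, with "test"
# already switched to RADIUS. RADIUS_GRP is a hypothetical server-group name.
SAMPLE_CONFIG = """\
tunnel-group test type ipsec-ra
tunnel-group test general-attributes
 address-pool VPN_Pool
 authentication-server-group RADIUS_GRP LOCAL
 default-group-policy test
tunnel-group test ipsec-attributes
 pre-shared-key *
tunnel-group Users type ipsec-ra
tunnel-group Users general-attributes
 address-pool VPN_Pool
 default-group-policy Users
tunnel-group Users ipsec-attributes
 pre-shared-key *
"""

AUTH_RE = re.compile(r" authentication-server-group (?:\(\S+\) )?(\S+)( LOCAL)?\s*$")


def audit_tunnel_groups(config):
    """Return {tunnel_group: (server_group, local_fallback)} for each group."""
    groups = {}
    current = None  # set only while inside a general-attributes block
    for line in config.splitlines():
        head = re.match(r"tunnel-group (\S+) (\S+)", line)
        if head:
            name, section = head.groups()
            # No explicit line means the ASA authenticates against LOCAL.
            groups.setdefault(name, ("LOCAL", False))
            current = name if section == "general-attributes" else None
            continue
        if not line.startswith(" "):
            current = None  # left the tunnel-group block
            continue
        auth = AUTH_RE.match(line)
        if auth and current:
            groups[current] = (auth.group(1), auth.group(2) is not None)
    return groups


if __name__ == "__main__":
    for name, (server, fallback) in audit_tunnel_groups(SAMPLE_CONFIG).items():
        print(f"{name}: server-group={server} local-fallback={fallback}")
```

Running it against the saved configuration before and after the change shows which groups have moved to RADIUS and which of those would stop authenticating if the RADIUS server became unreachable.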

Guest

Re:vpn authentication

Post by Guest » Tue Jan 11, 2011 5:24 pm


Currently my LOCAL apply different privilege levels. When switching to IASAD, will I still have a way to enforce different privilege levels?

Guest

Re:vpn authentication

Post by Guest » Tue Jan 11, 2011 6:17 pm


Privilege as in privilege levels?

Guest

Re:vpn authentication

Post by Guest » Tue Jan 11, 2011 6:35 pm


yes

1 for non-admin users who require VPN access only

15 for admin who require console management access in addition to their VPN access
