
Cisco ASA Radius multi-level authentication question

Status
Not open for further replies.

boloughlin (Technical User, US), Feb 11, 2002
Hi. I have a 5510 authenticating successfully with a RADIUS server. I'm using it for VPN authentication and it works great. I would also like to do this for administrator access to the ASA. When I turn it on, though, anyone that can authenticate for VPN access is also granted administrative access to the ASA. Obviously, I need to limit that to a select few users. Any ideas on overcoming this issue are appreciated.
 
You need to modify the RADIUS server configuration. I assume that at the moment the policy on the RADIUS server is pretty simple; you need to be more granular with the policy.
I use MS IAS and have a Cisco Terminal Access policy as well as a VPN Access policy; the policy conditions are different for each. My VPN policy checks for the Windows group the user is a member of, as well as 'Service-Type=Framed' and 'Authentication-Type=MS-CHAP v1 OR MS-CHAP v1 CPW OR MS-CHAP v2 OR MS-CHAP v2 CPW'. My Cisco Terminal policy checks for a Windows group and 'Authentication-Type=PAP'.

I worked a lot of this out by debugging and sniffing the RADIUS messages.

Good luck

Andy
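The policy split Andy describes, worked through as an added example (this is not code from the post and not IAS itself): two RADIUS policies, one for VPN users keyed on a Windows group plus Service-Type=Framed plus an MS-CHAP authentication type, one for ASA terminal access keyed on a different group plus PAP, evaluated in order with no match meaning reject. The group names `VPN-Users` and `ASA-Admins`, the Service-Type value assumed for an ASA admin login, and the first-match ordering are assumptions made for illustration. A `flat_policy_decision` function models the single catch-all policy that produces the original problem, so the two can be compared on the same requests.

```python
"""Model of the two-policy RADIUS split (VPN policy vs. Cisco terminal policy).
Added example, not code from the post and not IAS itself.  Attribute names
follow RFC 2865; the group names, the policy order and the "no match means
reject" rule are assumptions made for illustration."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# RFC 2865 Service-Type values
SERVICE_TYPE_FRAMED = 2          # VPN / tunnelled client
SERVICE_TYPE_NAS_PROMPT = 7      # interactive login to the device itself (assumed for ASA admin)

# Authentication types as IAS labels them in a policy condition
MSCHAP_TYPES = frozenset({"MS-CHAP v1", "MS-CHAP v1 CPW", "MS-CHAP v2", "MS-CHAP v2 CPW"})
PAP_TYPES = frozenset({"PAP"})


@dataclass(frozen=True)
class AccessRequest:
    """What the RADIUS server knows when it evaluates a policy."""
    user: str
    groups: FrozenSet[str]                 # Windows groups the user belongs to
    auth_type: str                         # e.g. "PAP", "MS-CHAP v2"
    service_type: Optional[int] = None     # RFC 2865 Service-Type, if the NAS sent one


@dataclass(frozen=True)
class Policy:
    name: str
    required_group: str
    allowed_auth_types: FrozenSet[str]
    required_service_type: Optional[int] = None   # None: condition not set on this policy

    def matches(self, req: AccessRequest) -> bool:
        """All conditions of the policy must hold, as with IAS policy conditions."""
        if self.required_group not in req.groups:
            return False
        if req.auth_type not in self.allowed_auth_types:
            return False
        if self.required_service_type is not None and req.service_type != self.required_service_type:
            return False
        return True


# The two policies from the answer; group names are assumed.
POLICIES = (
    Policy("Cisco Terminal Access", "ASA-Admins", PAP_TYPES),
    Policy("VPN Access", "VPN-Users", MSCHAP_TYPES, SERVICE_TYPE_FRAMED),
)


def evaluate(req: AccessRequest, policies=POLICIES) -> Tuple[str, Optional[str]]:
    """First matching policy wins (IAS evaluates remote access policies in order);
    a request that matches no policy is rejected."""
    for policy in policies:
        if policy.matches(req):
            return "Access-Accept", policy.name
    return "Access-Reject", None


def flat_policy_decision(req: AccessRequest) -> str:
    """The single catch-all policy behind the original poster's problem: any user
    in the VPN group is accepted regardless of how, or to what, they are logging
    in, so every VPN user also gets ASA admin access."""
    return "Access-Accept" if "VPN-Users" in req.groups else "Access-Reject"


if __name__ == "__main__":
    # Constructed requests: an ASA admin login arrives as PAP, a VPN logon as MS-CHAP v2 + Framed.
    vpn_only_admin_login = AccessRequest("alice", frozenset({"VPN-Users"}), "PAP", SERVICE_TYPE_NAS_PROMPT)
    admin_login = AccessRequest("bob", frozenset({"VPN-Users", "ASA-Admins"}), "PAP", SERVICE_TYPE_NAS_PROMPT)
    vpn_logon = AccessRequest("alice", frozenset({"VPN-Users"}), "MS-CHAP v2", SERVICE_TYPE_FRAMED)
    print("flat policy, alice admin login:", flat_policy_decision(vpn_only_admin_login))
    print("split policies, alice admin login:", evaluate(vpn_only_admin_login))
    print("split policies, alice VPN logon:", evaluate(vpn_logon))
    print("split policies, bob admin login:", evaluate(admin_login))
```

The check that does the real work is the group condition; the authentication-type and Service-Type conditions are what let the server tell an ASA console login apart from a VPN logon when both arrive from the same NAS. If a VPN profile were ever switched to PAP, the two request types would look the same to the server and only the group membership would keep them apart, so the admin group should be kept small and separate from the VPN group rather than relying on the auth-type distinction alone.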
 