[c-nsp] ASA equiv to aaa login local group blah
Jason Lixfeld
jason at lixfeld.ca
Wed Nov 20 14:13:47 EST 2013
I'm trying to do a quick and dirty add to a 9.1(3) ASA running WebVPN to allow a contractor in without having to create them an account on our main directory server. In IOS land, I could specify local auth before a server group and it would work fine. It seems that in ASA land you can only specify local auth after a server group fails.
I tried to create a specific group policy for the user, but it doesn't seem to wanna work.
!
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLITTUNNEL
 gateway-fqdn value foo.bar.com
 address-pools value SSLVPN
group-policy LocalAuthOnly internal
group-policy LocalAuthOnly attributes
 group-lock value LocalAuthOnly
username contractor password mEkEo2tG2a/HS2Ah encrypted
username contractor attributes
 vpn-group-policy LocalAuthOnly
 group-lock value LocalAuthOnly
 service-type remote-access
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group CORPRADIUS LOCAL
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group CORPRADIUS LOCAL
tunnel-group LocalAuthOnly type remote-access
tunnel-group LocalAuthOnly general-attributes
 default-group-policy LocalAuthOnly
!
Is there another way that I'm missing?
Thanks in advance.