[c-nsp] ASA equiv to aaa login local group blah

Erik Soosalu erik.soosalu at calyxinc.com
Wed Nov 20 14:53:51 EST 2013


I only ever touch my ASA via ASDM, but what I've got is 

Connection Profile Default - AAA (local)
Connection Profile 123 - AAA (radius)

And then the users choose the connection profile from the login page
(using tunnel-group-list enable).  In your case you could just reverse
that.


Thanks,
Erik 
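The split Erik describes, written out as an added example (not Erik's or Jason's config): a second connection profile that authenticates against LOCAL only while the corporate profile stays on RADIUS, with tunnel-group-list enable so the login page offers both. The names CONTRACTOR, CONTRACTOR-GP, the aliases and the placeholder password are assumptions; SSLVPN and CORPRADIUS are taken from Jason's posted config.

```cisco
! Added example, not from the thread. Names CONTRACTOR, CONTRACTOR-GP,
! the aliases and the placeholder password are assumptions; SSLVPN and
! CORPRADIUS are taken from Jason's posted config.
!
! Second connection profile: authenticates against LOCAL only, so the
! contractor never needs an account on the directory server.
group-policy CONTRACTOR-GP internal
group-policy CONTRACTOR-GP attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 address-pools value SSLVPN
!
tunnel-group CONTRACTOR type remote-access
tunnel-group CONTRACTOR general-attributes
 authentication-server-group LOCAL
 default-group-policy CONTRACTOR-GP
tunnel-group CONTRACTOR webvpn-attributes
 group-alias Contractor enable
!
! Existing corporate profile stays on RADIUS (CORPRADIUS LOCAL as in
! Jason's config); give it an alias so it appears in the same drop-down.
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 group-alias Corporate enable
!
! Make the login page show the profile drop-down.
webvpn
 tunnel-group-list enable
!
! Local account, locked to its own profile so it cannot be used through
! the corporate profile's LOCAL fallback if RADIUS is unreachable.
username contractor password REPLACE-WITH-REAL-PASSWORD
username contractor attributes
 vpn-group-policy CONTRACTOR-GP
 group-lock value CONTRACTOR
 service-type remote-access
```

Because the corporate profile keeps LOCAL as a fallback, the group-lock on the local user is what stops that account from authenticating through the corporate profile; without it, any local account can log in there whenever RADIUS is down.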

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
Jason Lixfeld
Sent: Wednesday, November 20, 2013 2:14 PM
To: <cisco-nsp at puck.nether.net>
Subject: [c-nsp] ASA equiv to aaa login local group blah

I'm trying to do a quick and dirty add to a 9.1(3) ASA running WebVPN to
allow a contractor in without having to create them an account on our
main directory server.  In IOS land, I could specify local auth before a
server group and it would work fine.  It seems that in ASA land you can
only specify local auth after a server group fails.

I tried to create a specific group policy for the user, but it doesn't
seem to wanna work.

!
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLITTUNNEL
 gateway-fqdn value foo.bar.com
 address-pools value SSLVPN
group-policy LocalAuthOnly internal
group-policy LocalAuthOnly attributes
 group-lock value LocalAuthOnly
username contractor password mEkEo2tG2a/HS2Ah encrypted
username contractor attributes
 vpn-group-policy LocalAuthOnly
 group-lock value LocalAuthOnly
 service-type remote-access
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group CORPRADIUS LOCAL
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group CORPRADIUS LOCAL
tunnel-group LocalAuthOnly type remote-access
tunnel-group LocalAuthOnly general-attributes
 default-group-policy LocalAuthOnly
!

Is there another way that I'm missing?

Thanks in advance.
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
