The following is a list of best practices to follow so that an AAA implementation on the VPN 3000 series Concentrator works reliably:
If TACACS+ is implemented on the VPN 3000 Concentrator for administration purposes, be sure that you can console into the VPN 3000 Concentrator with the admin user name and password. This is important because it is the only fallback method available if the TACACS+ server is down, or either the VPN 3000 Concentrator or CS ACS is misconfigured.
Increase the session timeout while configuring TACACS+ for GUI administration authentication. Also, do not close the current session until you have confirmed that authentication works with the Authentication Server Test button. It is also highly recommended to open another browser session, perform the login there, and make sure everything works as expected before closing the current session.
Use HTTPS (HTTP over SSL/TLS) instead of plain HTTP for management purposes.
Restrict who can access the VPN 3000 Concentrator. By default everything is allowed. To restrict access to specific hosts or networks, go to the Administration > Access Rights > Access Control List Screen and define the host or network address with a mask. Also select the Group name of the admin who can access the VPN 3000 Concentrator from the specific host or network defined in this step.
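The access-control step above is easier to reason about when its rules are written out explicitly. The following Python script is an added example, not code from the document or from Cisco: it models the Access Control List as a list of (address, mask, admin group) entries, applies the default-allow behaviour when the list is empty, and flags entries whose mask makes them match every source address. The first-match, allow-only semantics and the exact-match comparison of the admin group name are assumptions for the model, as are the constructed sample entries.

```python
# Added example: a model of the VPN 3000 Concentrator management ACL described above.
# Assumptions (not taken from the document): entries are allow-only, the first matching
# entry decides, and the admin group must match the entry's group name exactly.
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class AclEntry:
    address: str  # host or network address as entered on the Access Control List screen
    mask: str     # dotted subnet mask as entered (255.255.255.255 for a single host)
    group: str    # admin group permitted to log in from this address range

    def network(self) -> ipaddress.IPv4Network:
        # ipaddress accepts "address/dotted-mask"; strict=False tolerates host bits set
        return ipaddress.ip_network(f"{self.address}/{self.mask}", strict=False)

    def covers(self, source_host: str) -> bool:
        return ipaddress.ip_address(source_host) in self.network()


def is_admin_access_permitted(acl: List[AclEntry], source_host: str, admin_group: str) -> bool:
    """Return True if an admin in admin_group may reach management from source_host."""
    # Default behaviour: with no entries defined, everything is allowed.
    if not acl:
        return True
    for entry in acl:
        if entry.covers(source_host) and entry.group == admin_group:
            return True
    return False


def wildcard_entries(acl: List[AclEntry]) -> List[AclEntry]:
    """Entries whose mask is 0.0.0.0 (prefix length 0) match every source address,
    which silently re-opens management to the world; a review should flag them."""
    return [entry for entry in acl if entry.network().prefixlen == 0]


# Constructed sample ACL: a management subnet and one jump host, both for "netadmins".
EXAMPLE_ACL = [
    AclEntry("10.1.1.0", "255.255.255.0", "netadmins"),
    AclEntry("192.168.50.7", "255.255.255.255", "netadmins"),
]


if __name__ == "__main__":
    checks = [
        ("10.1.1.42", "netadmins"),    # inside the management subnet -> permitted
        ("10.1.2.42", "netadmins"),    # outside the subnet -> denied
        ("10.1.1.42", "helpdesk"),     # right host, wrong admin group -> denied
        ("192.168.50.7", "netadmins"), # the jump host -> permitted
    ]
    for host, group in checks:
        verdict = "PERMIT" if is_admin_access_permitted(EXAMPLE_ACL, host, group) else "DENY"
        print(f"{host:>14} {group:<10} {verdict}")
    print("wildcard entries:", wildcard_entries(EXAMPLE_ACL))
```

Running the script prints a permit/deny verdict for each constructed check; the empty-list case is what makes the concentrator open by default, so an audit should treat both an empty ACL and any entry returned by `wildcard_entries` as findings.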