AAA Radius Authentication for Remote VPN With ACS Server Across L2L VPN

Apr 25th, 2008


I have an ASA running fine on the network, which provides an L2L tunnel to a remote site and provides remote VPN for remote access users.

Currently, there is a need for the users to authenticate against an ACS server that is located across the L2L VPN tunnel.

The topology is simple, with 2 interfaces on the ASA, inside and outside, and a default route pointing to the ISP IP address.

I can ping the IP address of the ACS Server (which is located at the remote site, IP addr: from the ASA:

ping inside

However, when I configure the ASA for the AAA group with the commands:

aaa-server ACSAuth protocol radius

aaa-server ACSAuth host (inside) key AcsSecret123

Then when I do the show run, here is the result:

aaa-server ACSAuth protocol radius

aaa-server host

key AcsSecret123

From what I understand, with this running config, traffic is not directed to the L2L VPN tunnel (it seems to be directed to the default gateway due to the default route information), which causes the AAA authentication to fail.

Has anybody ever implemented such a thing, and is it possible? And if yes, what should the config be?

Your help will be really appreciated!


Best Regards,


bwilmoth Fri, 05/02/2008 - 06:12

AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.

acomiskey Fri, 05/02/2008 - 10:07

Amazing that a bot has a bronze star!

