369 Views, 0 Helpful, 2 Replies

AAA Radius Authentication for Remote VPN With ACS Server Across L2L VPN

johannesangkasa (Level 1)

Hi,

I have an ASA running fine on the network which provides an L2L tunnel to a remote site and Remote VPN for remote-access users.

Currently, there is a need for the users to authenticate against an ACS server that is located across the L2L VPN tunnel.

The topology is just simple with 2 interfaces on the ASA, inside and outside, and a default route pointing to the ISP IP Address.

I can ping the IP address of the ACS Server (which is located at the remote site, IP addr: 10.10.10.56) from the ASA:

ping inside 10.10.10.56

However, when I configure the ASA for the AAA group with the commands:

aaa-server ACSAuth protocol radius
aaa-server ACSAuth host (inside) 10.10.10.56 key AcsSecret123

Then when I do a show run, here is the result:

aaa-server ACSAuth protocol radius
aaa-server host 10.10.10.56
key AcsSecret123

From what I can tell, with this running config, traffic is not directed to the L2L VPN tunnel (it seems to be directed to the default gateway because of the default route), which causes the AAA authentication to fail.

Has anybody ever implemented something like this, and is it possible? If yes, what should the config be?

Your help will be really appreciated!

Thanks.

Best Regards,

Jo

2 Replies

bwilmoth (Level 5)

AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.

http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schaaa.html

Amazing that a bot has a bronze star!