Remote Access VPN authentication through RADIUS

Unanswered Question
Nov 6th, 2008
User Badges:


I have configured remote access VPN (IPsec) in my Cisco ASA . Before there was only single username & password to for VPN client. Now I am planning to give access through RADIUS server. I have configured RADIUS server in WIN 2003 server.

Server configuration:

1) Administrative Tools > Internet Authentication Service and right-click on RADIUS Client to add a new RADIUS client with ip address of CISCO ASA (inside interface).

2) Remote Access Policies, right-click on Connections to Other Access Servers, and select Properties.

3) check Grant Remote Access Permissions is selected.Click Edit Profile and check these settings:On the Authentication tab, check Unencrypted authentication (PAP, SPAP), MS-CHAP,and MS-CHAP-v2.On the Encryption tab, ensure that the option for No Encryption is selected.Click OK when you are finished.

4.Select Administrative Tools > Computer Management > System Tools > Local Users and Groups, right-click on Users and select New Users to add a user into the local computer account.Add a user and check this profile information:On the General tab, ensure that the option for Password Never Expired is selected instead ofthe option for User Must Change Password.

On the Dial-in tab, select the option for Allow access

ASA configuration:

aaa-server vpn protocol radius

aaa-server vpn host (RADIUS server IP )

key cisco321

tunnel-group vpnacc type ipsec-ra

tunnel-group vpnacc general-attributes

authentication-server-group vpn

but it is not working. Please guide to resolve this issue.



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading. Thu, 11/06/2008 - 07:00
User Badges:
  • Silver, 250 points or more


Did you add the asa to the list of nas in RADIUS server?


craig.eyre Mon, 11/10/2008 - 10:18
User Badges:


Are you using a Cisco Secure ACS for your radius authentication?


craig.eyre Wed, 11/12/2008 - 08:02
User Badges:

I assume by your answer of Windows 2003 that you are using the ISA server for Radius authentication then?


mike.keller@hun... Thu, 11/13/2008 - 10:17
User Badges:

You dont say which version of ASA code you are running, but I dont see your specification of interface on your aaa statement. Wouldnt it look something like:

aaa-server vpn (INSIDE) host x.x.x.x key xxxxxxx?

That is how mine look on 8.0(4)

mike.keller@hun... Thu, 11/13/2008 - 10:25
User Badges:

Also, take a look at your logs on the windows server, and try debugging the asa. Try running wireshark or network monitor on the windows server to see if the requests are coming in. You should be able to figure out pretty quickly what is going on by debugging aaa on the asa and/or checking the logs on the server. Make sure the service is running on the windows box. Make sure that something stupid like windows firewall isnt blocking the connection. You can turn on debugging by typing "debug aaa" and type "logging console debugging" and "term mon". You can test aaa by typing "test aaa-server authentication vpn host x.x.x.x username someusername password somepassword"

Hopefully this will lead you in the right direction. Oh, one more thing, when you are done, don't forget to turn off the debug by typing "undebug all". Another word of warning, running debugs on a production firewall should be done at your own risk, it is very easy to overwhelm a device to the point it stops responding by running debugs.


This Discussion