Force AAA uauth across L2L

Dec 18th, 2008
Is it possible to force AAA uauth queries via attached users behind a router doing L2L with an ASA - where the ACS server is behind the ASA? This would be used to control Internet access for hosts behind the router - using split-tunnel and going out their own ISP for Internet. Sorry if this sounds a bit convoluted.

Yes, this is possible. I am not sure I am really following what you are authenticating, but it is possible to send AAA requests across an L2L. There is a known bug in 8.0 - 8.0(3) which prevents this. Make sure you are running 7.2x code or 8.0(4). In order for this to work, you will need to define your AAA servers, and make sure that they are in your ACL that defines your crypto map, so that the router or ASA knows where to send the request. Reply if you need a config example (and let me know if you need the ASA config or the router IOS config). Attaching your config(s) would be helpful, along with your AAA server information, so that I can just put in what changes need to be made.

iholdings Thu, 12/18/2008 - 09:59
Hi Mike,

This is supposition for now. To clarify, a user behind the router opens a browser to surf the web. He is using the local ISP for Internet (split-tunnel). I want to have the ability to force him to authenticate before being allowed to access the Internet - otherwise anyone behind the router has open access to the Internet.

If you say that's possible, then I can upload configs for your assistance. Thanks.

cisco24x7 Thu, 12/18/2008 - 11:14
Assuming that your VPN is already working, here is how you do it on the router. Assuming that F0/0 is the Internet-facing interface on the router and F0/1 is the "internal"-facing interface on the router. Also assume that the AAA server is residing behind the ASA firewall:

ip tacacs source-interface F1/0
tacacs-server host x.x.x.x key 123456

That will allow the router to source AAA traffic from interface F1/0, thus going across the VPN tunnel.

Easy right?
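The following is an added worked example that pulls the thread's pieces together on the router side; it is not config posted by any of the participants. It assumes F0/0 is the ISP-facing interface and F0/1 the internal LAN (10.1.1.0/24, router address 10.1.1.1), a TACACS+ server at 192.168.50.10 behind the ASA, an ASA outside address of 203.0.113.1, and placeholder keys. The thread does not name the feature that forces the browser logon; this example uses IOS authentication proxy for that, which is an assumption on my part. The two points the replies make are visible in the config: TACACS+ is sourced from the inside interface, and the crypto ACL (access-list 110) covers the inside subnet, which includes the router's own 10.1.1.1, so the AAA request is encrypted instead of leaving F0/0 in the clear.

```cisco
! Added example, not from the thread. Addresses, names and keys are assumed.
hostname BRANCH
!
aaa new-model
! TACACS+ server lives behind the ASA and is only reachable through the L2L tunnel
tacacs-server host 192.168.50.10 key 0 SharedSecret123
! Source TACACS+ from the inside interface so the packets match crypto ACL 110
! (10.1.1.1 -> 192.168.50.10) and go through the tunnel, not out F0/0 unencrypted
ip tacacs source-interface FastEthernet0/1
!
! Login for the web prompt, and auth-proxy authorization/accounting, all via TACACS+
aaa authentication login default group tacacs+ local
aaa authorization auth-proxy default group tacacs+
aaa accounting auth-proxy default start-stop group tacacs+
!
! Authentication proxy needs the local HTTP server with AAA authentication
ip http server
ip http authentication aaa
! Intercept HTTP from unauthenticated hosts; cache a successful logon for 60 minutes
ip auth-proxy auth-cache-time 60
ip auth-proxy name WEBAUTH http
!
! Phase 1 / phase 2 for the L2L to the ASA (assumed parameters)
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key IsakmpSecret456 address 203.0.113.1
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Crypto ACL: everything from the inside subnet to the HQ subnet, which already
! includes the router's own inside address and therefore its TACACS+ requests.
! If the ACL only listed individual hosts, an explicit line
!   permit tcp host 10.1.1.1 host 192.168.50.10 eq tacacs
! would be required, and the ASA side must mirror it.
access-list 110 permit ip 10.1.1.0 0.0.0.255 192.168.50.0 0.0.0.255
!
crypto map L2L 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address 110
!
! Split tunnel: NAT to the ISP for everything except traffic bound for HQ
access-list 120 deny   ip 10.1.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 120 permit ip 10.1.1.0 0.0.0.255 any
ip nat inside source list 120 interface FastEthernet0/0 overload
!
! Before logon a host may only resolve names and reach HQ over the tunnel.
! Auth proxy adds per-host dynamic entries in front of this ACL after a
! successful TACACS+ authorization, which is what opens up Internet access.
ip access-list extended PRE-AUTH
 permit udp 10.1.1.0 0.0.0.255 any eq domain
 permit ip 10.1.1.0 0.0.0.255 192.168.50.0 0.0.0.255
 deny   ip any any
!
interface FastEthernet0/1
 description Internal LAN
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip access-group PRE-AUTH in
 ip auth-proxy WEBAUTH
!
interface FastEthernet0/0
 description Internet / local ISP
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 crypto map L2L
```

Two things to check on the other end of the tunnel, both assumptions of this example rather than statements from the thread: the ASA's crypto ACL for this peer must be the mirror of access-list 110, and unless `sysopt connection permit-vpn` is in effect the ASA's outside ACL needs to allow TCP/49 from 10.1.1.1 to the TACACS+ server. On ACS, the user (or group) needs the `auth-proxy` service with `priv-lvl=15` and one or more `proxyacl#n` entries (for example `proxyacl#1=permit tcp any any eq www`); those entries are what the router installs as the dynamic ACL for the authenticated host. `show ip auth-proxy cache` and `debug tacacs` on the router show whether the request is being sent at all and whether it went out the inside interface.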


