Unanswered Question
Mar 2nd, 2009
Trying to architect an SSL VPN solution using a CSS 11503. Do I need a RADIUS server to authenticate the client connections? If I have a TACACS server already built into the network, can I use that?

Syed Iftekhar Ahmed Mon, 03/02/2009 - 11:47
User Badges: Blue, 1500 points or more

Are you planning to use the CSS as a VPN concentrator? If yes, then:

The CSS is not an SSL VPN concentrator; it is only an SSL offloader/load balancer.

You should look at ASA firewalls to use them as IPsec/SSL VPN concentrators.

If your question is about load balancing other SSL VPN concentrators, then:

Your best bet would be to pass SSL VPN traffic as Layer 4 traffic to the concentrators. Lots of SSL VPN options, like port forwarding and embedded URL rewrites, are not supported.

By the way, if you are using Cisco ASAs as VPN concentrators, then:

You should know that ASAs support integrated 'VPN clustering' (built-in load balancing).


Syed Iftekhar Ahmed

cdunmoodie Mon, 03/02/2009 - 11:55
No, I'm not trying to use it as a VPN concentrator. I want to offload the client authentication to a RADIUS server. Basically, the CA certificate will be housed on the RADIUS server and not on the CSS.

Gilles Dufour Tue, 03/03/2009 - 03:19
User Badges: Cisco Employee

If you want to do client authentication on the CSS for SSL traffic, you need to enable client cert authentication.

But that does not involve a RADIUS server or a login/password.

What the CSS will do is request the client to send its certificate; we will then check it for a valid root, a valid time, ... and the CRL, if configured.

No RADIUS or TACACS involved here.
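The checks listed in that reply (valid root, valid time, CRL if configured) are ordinary X.509 path validation, which is why no RADIUS or TACACS server enters into it: the trust anchor is the CA certificate loaded on the device, not a credential database. The Go program below is an added example written for this page; it is not Cisco code and does not claim to show how the CSS implements the checks internally. It builds a constructed, in-memory root CA and client certificate, issues a CRL from that root, and runs each of the three checks so the accepted and rejected cases can be seen side by side. The names newPKI, issueCRL, VerifyClientCert and Demo, the "Lab" and "Rogue" CAs, and the fixed 2009 clock are all my own constructions; only the three checks themselves come from the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Rejection classes for the three checks named in the thread; VerifyClientCert wraps one of them.
var (
	ErrChain   = errors.New("untrusted root or invalid time") // the "valid root, valid time" checks
	ErrCRL     = errors.New("CRL unusable")                   // bad signature, or past its NextUpdate
	ErrRevoked = errors.New("revoked")                        // serial number is listed in the CRL
)

// must panics on error; it only guards the construction of test data below.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newPKI builds a constructed root CA (standing in for the root configured on the CSS) and one
// client-auth certificate issued by it (a VPN user's cert). Returns root, client, root key.
func newPKI(now time.Time, name string) (*x509.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name + " Root CA (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(72 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	clientTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "vpn-user (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(8 * time.Hour), // short life: easy to expire
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	rootKey, clientKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	root := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	client := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, clientTmpl, root, &clientKey.PublicKey, rootKey))))
	return root, client, rootKey
}

// issueCRL signs a CRL from the root listing the given serial numbers as revoked.
func issueCRL(root *x509.Certificate, rootKey *ecdsa.PrivateKey, now time.Time, revoked ...*big.Int) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(48 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now.Add(-time.Minute)})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, root, rootKey))))
}

// VerifyClientCert applies the checks the thread attributes to the CSS: a chain to a configured root,
// validity at the current time and, only when a CRL is configured, the serial number against that CRL.
// The CRL itself must be signed by the certificate's issuer and still be current before it is trusted.
func VerifyClientCert(cert *x509.Certificate, roots *x509.CertPool, crl *x509.RevocationList, now time.Time) error {
	chains, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return fmt.Errorf("%w: %v", ErrChain, err)
	}
	if crl == nil {
		return nil // no CRL configured: nothing more to check, and still no RADIUS/TACACS lookup
	}
	if err := crl.CheckSignatureFrom(chains[0][1]); err != nil || now.After(crl.NextUpdate) {
		return fmt.Errorf("%w (signature error: %v, NextUpdate: %s)", ErrCRL, err, crl.NextUpdate.Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("%w: serial %v", ErrRevoked, cert.SerialNumber)
		}
	}
	return nil
}

// Demo runs the cases an operator would want to see; a nil entry means the client was accepted.
func Demo() map[string]error {
	now := time.Date(2009, 3, 3, 12, 0, 0, 0, time.UTC) // fixed clock so the results are deterministic
	root, client, rootKey := newPKI(now, "Lab")
	_, rogueClient, _ := newPKI(now, "Rogue") // issued by a CA the CSS does not trust
	roots := x509.NewCertPool()
	roots.AddCert(root)
	emptyCRL, revokingCRL := issueCRL(root, rootKey, now), issueCRL(root, rootKey, now, client.SerialNumber)
	return map[string]error{
		"valid cert, no CRL configured": VerifyClientCert(client, roots, nil, now),
		"valid cert, empty CRL":         VerifyClientCert(client, roots, emptyCRL, now),
		"cert past NotAfter":            VerifyClientCert(client, roots, emptyCRL, now.Add(9*time.Hour)),
		"cert from untrusted root":      VerifyClientCert(rogueClient, roots, emptyCRL, now),
		"cert listed in CRL":            VerifyClientCert(client, roots, revokingCRL, now),
	}
}

func main() {
	for scenario, err := range Demo() {
		fmt.Printf("%-30s accepted=%-5t %v\n", scenario, err == nil, err)
	}
}
```

Running it prints one line per scenario: the two valid cases come back accepted, the expired and foreign-root certificates fail the chain check, and the listed serial fails the CRL check. The CRL is verified against the issuer's signature and its NextUpdate before its contents are consulted, because a forged or stale CRL would otherwise let a revoked certificate through; that is the one caveat a practitioner should keep in mind when enabling CRL checking on any device.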
