ASA 5505 ezVPN client Individual User Authentication

Unanswered Question
Jul 15th, 2010

I am trying to enable individual user authentication between a small office (ASA 5505 client) and my HQ (ASA 5540 server).  The VPN establishes, Hosts listed under the mac-exempt work without trouble.  When I connect my laptop, using a brower, I get to the 5505 web page asking for a username and password.  The 5505 logs show attempts to communicate to a radius server.  The logs show the radius server to be my HQ VPN peer IP address.  Why???  I have configurated 2 radius and tacacs servers.  Why is the client trying to send radius requests to the HQ peer?

Below are sections of my configurations

5505 (client)

vpnclient server x.x.x.x
vpnclient mode network-extension-mode
vpnclient vpngroup <username> password *****
vpnclient username <username> password *****
vpnclient mac-exempt 0023.xxxx.13c0 ffff.ffff.ffff
vpnclient management tunnel
vpnclient enable

aaa authentication enable console tacacs LOCAL
aaa authentication serial console tacacs LOCAL
aaa authentication ssh console tacacs LOCAL
aaa authentication telnet console tacacs LOCAL
aaa authentication http console radius

aaa-server tacacs protocol tacacs+
reactivation-mode timed
aaa-server tacacs (nga_training_room) host
aaa-server tacacs (nga_training_room) host
aaa-server radius protocol radius
reactivation-mode timed
aaa-server radius (nga_training_room) host
aaa-server radius (nga_training_room) host

5540 (server)

group-policy <group name> attributes
dns-server value
vpn-idle-timeout 1440
vpn-session-timeout 2880
vpn-tunnel-protocol IPSec
password-storage enable
group-lock value <tunnel group name>
default-domain value
user-authentication enable
ip-phone-bypass enable
nem enable

Suggestions for how to make IUA (individual user authentication) work?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)


This Discussion