SSL VPNs authentication to Microsoft IAS

Sep 2nd, 2010


I have an ASA5520.  Currently I have client VPNs coming into it.  They authenticate via RADIUS to a Microsoft IAS server.  The ASA has 2 licenses for SSL VPN.  I want them reserved for my IT staff.  I configured the AAA Server Group on it to point to the IAS server.  The way IAS works is you create access policies for users to authenticate to.  The first group they authenticate to is the one they use.  Does anyone know how to configure the ASA so I can have 2 different groups for authentication?  Do I need to go to LDAP?

Harrison Midkiff

Jennifer Halim Fri, 09/03/2010 - 18:13

You can configure 2 AAA servers, and create 2 tunnel-groups and 2 group-policy, and basically you can assign AAA server 1 on tunnel-group 1, and AAA server 2 on tunnel-group 2.

Are you going to use 2 different authentication servers for 2 different users? i.e., SSL VPN uses local authentication, and IPSec VPN uses RADIUS/IAS server for authentication? I am just trying to understand what you are trying to achieve.

HMidkiff Tue, 09/07/2010 - 08:19


Thanks for replying to my post.

Basically I want users to log into VPN and SSL VPN based on group membership in AD.   If a user is a member of a group called "VPN Users" they would have access to login via the software VPN client.  If a user is a member of a group called "SSL VPN Users" they would have access to login via SSL.  A user could be a member of one or the other or both. When you use a RADIUS server its authentication is pretty simple.  You create access policies and as long as you are a member of one of them you will get authenticated.  That is the problem.  I could do 2 different RADIUS servers but that would tend to make things a little messy and hard to manage. 

Any suggestions you have would be greatly appreciated.

Harrison Midkiff

