Centralized authentication through insecure net, ASA

Oct 4th, 2011

Hi all,

I'm looking for some ideas, products e.g. that can help me to achieve the following scenario:

- We have several customers with Cisco ASA

- We want to provide our IT-Engineer staff a remote vpn access to each customer site

- We need a centralized AAA for the engineer vpn-authentication (TACACS+, RADIUS e.g.)

- The centralized authentication server should be on our site. So each ASA (customer site) has to do the authentication through the insecure internet to our AAA server

- Site-to-site is not an option (several customer sites have the same IP-range)

Any ideas?

Thanks a lot,


Jon Marshall Tue, 10/04/2011 - 12:19

I would look at using certificates for this. So each customer ASA uses your centralised certificate server for authentication.

You can use something like Microsoft CA server to act as the certificate server.

There are plenty of docs on the Cisco site for using certificates both with the VPN client and the ASA.


alig.norbert Fri, 10/07/2011 - 14:03

Thanks Jon

That would be an option. How about Kerberos, LDAPS?

