Centralized authentication through insecure net, ASA

Unanswered Question
Oct 4th, 2011

Hi all,

I'm looking for some ideas, products e.g. that can help me to achieve the following scenario:

- We have several customers with Cisco ASA

- We want to provide our IT-Engineer staff a remote vpn access to each customer site

- We need a centraliced AAA for the enginer vpn-authentication (TACAC+, RADIUS e.g.)

- The centralized authentication server should be on our site. So each ASA (customer site) has to do the authentication

   through the insecure internet to our AAA server

- Site-to-site is not an option (several customer sites have the same IP-range)

Any ideas?

Thanks a lot,


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jon Marshall Tue, 10/04/2011 - 12:19


I would look at using certificates for this. So each customer ASA uses your centralised certificate server for authentication.

You can use something like Microsoft CA server to act as the certificate server.

There are plenty of docs on Cisco site for using certificates both with the VPN client and the ASA.



This Discussion