
More than 1 AAA server for logging in to WebVPN

nitass
Level 1

Hi everybody,

Does anyone know if the ASA supports simultaneous authentication against more than 1 AAA server? I've created an LDAP account and a SecurID token account for every user and want them to provide both sets of account information when logging in to WebVPN.

Please advise.

Thanks in advance,

Nitass

2 Replies

sbilgi
Level 5

If the AAA server you are referring to is a "RADIUS server", then you can try out the following commands.

In ASDM you would simply add the said RADIUS servers to the "server group".

If you wish to do this through the CLI, you would define a group, e.g.:

aaa-server radius protocol radius

aaa-server radius host x.x.x.x

aaa-server radius host y.y.y.y

aaa-server radius host z.z.z.z

and you would then call this in the said tunnel-group:

tunnel-group opsource type ipsec-ra

tunnel-group opsource general-attributes

address-pool admin_ra

authentication-server-group radius LOCAL

default-group-policy opsource

Thanks for the reply. As you configured it, which RADIUS server does the ASA authenticate to when WebVPN users try to log in?

I want the ASA to authenticate to more than 1 AAA server, e.g. host x.x.x.x and y.y.y.y, which have different credential information, at the same time. That means the WebVPN user has to fill in 4 pieces of credential information, e.g. host x user and password, host y user and password, on the login page. Is it possible?

Please advise.

Thanks,

Nitass
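
Hosts listed in one aaa-server group are failover candidates for the same credentials, so requiring both an LDAP login and a SecurID login needs two separate groups. The configuration below is an added example, not part of the original thread, and assumes an ASA software release that supports the secondary-authentication-server-group command. All group names, addresses, DNs, the bind password and the tunnel-group and policy names are placeholders.

```cisco
! Constructed example: every name, address and DN below is a placeholder.
!
! First credential set: LDAP directory
aaa-server LDAP_GRP protocol ldap
aaa-server LDAP_GRP (inside) host 192.0.2.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,ou=service,dc=example,dc=com
 ldap-login-password <bind-password>
 server-type microsoft
!
! Second credential set: RSA SecurID over the native SDI protocol
aaa-server SDI_GRP protocol sdi
aaa-server SDI_GRP (inside) host 192.0.2.20
!
! Both groups must accept the user before the session is established.
! A failure in either group rejects the login.
tunnel-group WEBVPN_USERS type remote-access
tunnel-group WEBVPN_USERS general-attributes
 authentication-server-group LDAP_GRP
 ! As written, the login page asks for a second username and passcode.
 ! Appending "use-primary-username" to the next line reuses the first
 ! username and prompts only for the second passcode.
 secondary-authentication-server-group SDI_GRP
 default-group-policy WEBVPN_POLICY
```

Do not add LOCAL as a fallback after either group unless local accounts are meant to be a valid substitute when that server group is unreachable.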
