Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Force AAA uauth across L2L


Is it possible to force AAA uauth queries via attached users behind a router doing L2L with an ASA - where the ACS server is behind the ASA? This would be used to control Internet access for hosts behind the router - using split-tunnel and going out their own ISP for Internet. Sorry if this sounds a bit convoluted.

New Member

Re: Force AAA uauth across L2L

Yes, this is possible. I am not sure I am really following what you are authenticating, but it is possible to send AAA requests across an L2L. There is a known bug in 8.0 - 8.0(3) which prevents this. Make sure you are running 7.2x code or 8.0(4). In order for this to work, you will need to define your AAA servers, and make sure that they are in your ACL that defines your crypto map, so that the router or ASA knows where to send the request. Reply if you need a config example (and let me know if you need the ASA config or the router IOS config). Attaching your config(s) would be helpful, along with your AAA server information, so that I can just put in what changes need to be made.

*Please rate if helpful.

New Member

Re: Force AAA uauth across L2L

Hi Mike,

This is supposition for now. To clarify, a user behind the router opens a browser to surf the web. He is using the local ISP for Internet (split-tunnel). I want to have the ability to force him to authenticate before being allowed to access the Internet - otherwise anyone behind the router has open access to the Internet.

If you sya that's possible - then I can upload configs. for your assitance. Thanks.


Re: Force AAA uauth across L2L

assuming that your VPN is already working. Here

is how you do it on the router. Assuming that

F0/0 is the Internet facing interface on the

router and F0/1 is the "internal" facing

interface on the router. Also assume that the

AAA server is residing the ASA firewall:

ip tacacs-source interface F1/0

tacacs-server host x.x.x.x key 123456

that will allow the router to source AAA

traffics from interface F1/0 thus going across

the VPN tunnel.

Easy right?

CreatePlease to create content