Cisco Support Community
New Member

CSS 11503 SSL VPN

Trying to architect an SSL VPN solution using CSS 11503. Do I need a RADIUS server to authenticate the client connections? If I have a TACACS server already built into the network, can I use that?

3 REPLIES

Re: CSS 11503 SSL VPN

Are you planning to use the CSS as a VPN concentrator? If yes, then the CSS is not an SSL VPN concentrator; it's only an SSL offloader/load balancer.

You should look at ASA firewalls to use them as IPsec/SSL VPN concentrators.

If your question is about load balancing other SSL VPN concentrators, then your best bet would be to pass SSL VPN traffic as Layer 4 traffic to the concentrators. Lots of SSL VPN options like port forwarding & embedded URL re-writes are not supported.

By the way, if you are using Cisco ASAs as VPN concentrators, then you should know that ASAs support integrated 'VPN clustering' (inbuilt load balancing).

HTH

Syed Iftekhar Ahmed

New Member

Re: CSS 11503 SSL VPN

No, I'm not trying to use it as a VPN concentrator. I want to offload the client authentication to a RADIUS server. Basically the CA certificate will be housed on the RADIUS server and not the CSS.

Cisco Employee

Re: CSS 11503 SSL VPN

If you want to do client authentication on the CSS for SSL traffic, you need to enable client cert authentication.

But that does not involve a RADIUS server or a login/pwd.

What the CSS will do is request the client to send its certificate; we will then check it for valid root, valid time, ... and CRL list if configured.

No RADIUS or TACACS involved here.

Gilles.
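
The three checks named in the reply above (trusted root, validity period, CRL), reproduced with the OpenSSL command line as an added example. It is not CSS configuration and not code from this thread; the throwaway PKI, the names `alice`, `bob` and `stranger`, and the helper functions are constructed for the demonstration.

```shell
# Constructed throwaway PKI in a temp dir; every name and serial here is made up.
D=$(mktemp -d)
export OPENSSL_CONF="$D/openssl.cnf"
cat > "$OPENSSL_CONF" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
[ca]
default_ca = demo
[demo]
database = $D/index.txt
default_md = sha256
default_crl_days = 365
EOF
: > "$D/index.txt"
# Trusted root: stands in for the CA certificate loaded on the SSL terminator.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$D/ca.key" \
  -days 365 -out "$D/ca.pem" 2>/dev/null

issue() {  # issue <name> <serial>: 30-day client certificate signed by the demo root
  openssl req -newkey rsa:2048 -nodes -keyout "$D/$1.key" \
    -subj "/CN=$1" -out "$D/$1.csr" 2>/dev/null
  openssl x509 -req -in "$D/$1.csr" -CA "$D/ca.pem" -CAkey "$D/ca.key" \
    -set_serial "$2" -days 30 -out "$D/$1.pem" 2>/dev/null
}
issue alice 1001
issue bob 1002
# A self-signed certificate that does not chain to the trusted root.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$D/stranger.key" \
  -subj "/CN=stranger" -days 30 -out "$D/stranger.pem" 2>/dev/null
# Revoke bob's certificate and publish the CRL the verifier will consult.
openssl ca -cert "$D/ca.pem" -keyfile "$D/ca.key" -revoke "$D/bob.pem" 2>/dev/null
openssl ca -cert "$D/ca.pem" -keyfile "$D/ca.key" -gencrl -out "$D/crl.pem" 2>/dev/null

client_cert_ok() {  # client_cert_ok <cert> [extra 'openssl verify' options]
  cert=$1; shift
  openssl verify -CAfile "$D/ca.pem" -CRLfile "$D/crl.pem" -crl_check \
    "$@" "$cert" >/dev/null 2>&1
}
LATER=$(( $(date +%s) + 60 * 86400 ))  # 60 days ahead: past the 30-day client lifetime
for t in alice bob stranger; do
  client_cert_ok "$D/$t.pem" && echo "$t: accept" || echo "$t: reject"
done
client_cert_ok "$D/alice.pem" -attime "$LATER" && echo "alice +60d: accept" || echo "alice +60d: reject"
```

Every decision here is made from the presented certificate, the trusted root and the CRL alone, which is why no RADIUS or TACACS exchange appears anywhere in the flow.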
