Cisco Support Community

Remote Access VPN authentication with ACS 5.x using Radius Protocol




This document provides an example of how to configure Remote Access VPN on the ASA and authenticate users using ACS as the RADIUS server.


The ACS should have the ASA added as a AAA client with the correct secret key. Both should be reachable. Please take a backup of the ASA before adding any AAA configuration.

Components Used

1. ASA 8.2

2. ACS 5.2 (as RADIUS)

Configuring Remote Access VPN on ASA

Interface configuration

hostname(config)# interface ethernet0
hostname(config-if)# ip address
hostname(config-if)# nameif outside
hostname(config-if)# no shutdown
hostname(config)# interface ethernet1
hostname(config-if)# ip address
hostname(config-if)# nameif inside
hostname(config-if)# no shutdown

Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface

hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)# isakmp policy 1 encryption 3des
hostname(config)# isakmp policy 1 hash sha 
hostname(config)# isakmp policy 1 group 2
hostname(config)# isakmp policy 1 lifetime 43200
hostname(config)# isakmp enable outside

Configuring an Address Pool

hostname(config)# ip local pool testpool

Adding a User

hostname(config)# username testuser password 12345678

Creating a Transform Set

hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac

Creating a Tunnel group

hostname(config)# tunnel-group testgroup type ipsec-ra
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-general)# address-pool testpool
hostname(config)# tunnel-group testgroup ipsec-attributes
hostname(config-ipsec)# pre-shared-key 44kkaol59636jnfx

Creating a Dynamic crypto map

hostname(config)# crypto dynamic-map dyn1 1 set transform-set FirstSet
hostname(config)# crypto dynamic-map dyn1 1 set reverse-route

Creating a Crypto Map Entry to Use the Dynamic Crypto Map

hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1
hostname(config)# crypto map mymap interface outside

Configuring Radius server on the ASA

ciscoasa(config)# aaa-server RADIUS protocol RADIUS
ciscoasa(config-aaa-server-group)# exit
ciscoasa(config)# aaa-server RADIUS (inside) host
ciscoasa(config-aaa-server-host)# key CISCO123
ciscoasa(config-aaa-server-host)# exit

Assigning RADIUS server under tunnel group

ciscoasa(config)# tunnel-group testgroup general-attributes
ciscoasa(config-tunnel-general)# authentication-server-group RADIUS

Adding ASA as a client on the ACS server

Add the IP address of the ASA on the ACS which is and the shared secret key, which is CISCO123:


Creating a rule in Default Network Access policy an identity store (this means defining whether users are internal to ACS or in an external database)

2. Authorization policy: (allowing permit or deny access)

(Screenshots: Access policy; internal users; rule for permit access)




Test with CLI:

You can use the test command on the command line to test your AAA setup. A test request is sent to the AAA server, and the result appears on the command line.

ciscoasa# test aaa-server authentication RADIUS host
   username cisco password cisco123
INFO: Attempting Authentication test to IP address <>
   (timeout: 12 seconds)
INFO: Authentication Successful
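
The test request above reaches ACS as a RADIUS Access-Request whose password is hidden with the shared key configured on both sides. The following added example (not from the original post or from Cisco) builds and decodes such a request per RFC 2865 section 5.2, assuming the password travels as a PAP User-Password attribute; the function names, identifier and authenticator value are constructed for illustration.

```python
import hashlib
import struct

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client (NAS) side: XOR each 16-byte block with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    # Pad with NULs to a multiple of 16 bytes (at least one block).
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same masks, derived from the server's copy of the secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(prev, mask))
    return out.rstrip(b"\x00")

def build_access_request(ident, user, password, secret, authenticator):
    """Minimal Access-Request (code 1): User-Name (type 1) and User-Password (type 2)."""
    hidden = hide_password(password, secret, authenticator)
    attrs = bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def parse_access_request(packet: bytes):
    """Return (code, identifier, authenticator, {attribute type: value})."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or not 2 <= packet[pos + 1] <= length - pos:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, ident, packet[4:20], attrs

if __name__ == "__main__":
    ra = bytes(range(16))  # constructed; a real client sends 16 random bytes
    attrs = parse_access_request(build_access_request(1, b"cisco", b"cisco123", b"CISCO123", ra))[3]
    for key in (b"CISCO123", b"cisco123"):  # matching key, then a mismatched one
        print(key, "->", reveal_password(attrs[2], key, ra))
```

With a mismatched key the server recovers different bytes from those the user typed, so a correct password still fails the test.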


Run the following commands to see the debugs:

  • debug radius
  • debug aaa common 255

Scenario 2


ACS 5.5 secondary registration - Registration failed due to Invalid Certificate



When you enable Trust Communication on your primary and secondary ACS instance, and you register the secondary instance with the primary, both the primary and secondary instance check the CA and server certificates of each other. After the certificates are verified:
– If the certificates in both the primary and secondary ACS instances are valid certificates, the instances establish a secure tunnel between them and register the secondary instance to the primary.
I don't think it supports self-signed certificates; however, you can try installing the self-signed certificate of the primary in the secondary instance's CA store and the self-signed certificate of the secondary in the primary instance's CA store.

Please post comments if there are any queries and rate if useful.