Cisco Support Community
RADIUS Server VS LDAP/AD server for VPN AAA



I am in the process of setting up a VPN for a client. I am trying to understand why one would use RADIUS for VPN AAA rather than LDAP/AD.

I am aware that in most installs people prefer RADIUS over LDAP/AD; I am just trying to understand why, as I know it is technically possible to map LDAP attributes to ASA attributes.


Hi,

This purely depends on the scenario in which VPN AAA is implemented. If you have LDAP/AD at hand, you can use the LDAP/AD method directly without needing RADIUS as a middle point.

RADIUS is a generic authentication protocol widely used by many systems/devices that provide service access. With RADIUS you can use various kinds of user database (LDAP, AD, MySQL, other SQL databases, the system-local user DB, and so on), which means that RADIUS is more universal in its use cases than the LDAP protocol alone.

Moreover, RADIUS lets you define more restrictions (Authorization) and other parameters and conditions for all user databases (including LDAP/AD) that LDAP/AD could not provide directly. Another good thing about RADIUS is the variety of authentication types (Authentication), including non-user/password authentication such as SSL client certificate authentication (EAP-TLS), OTP (one-time password) and many others for very specific use cases.

And lastly, RADIUS provides an Accounting feature as well. This means that with RADIUS you can record when and for how long a particular user was connected to your VPN service.
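To make the Accounting point concrete, the following is an added example (not code from the thread or from Cisco): a small Python parser for RADIUS accounting records written in the FreeRADIUS "detail" file layout (a header line with the local time, then one tab-indented `Attribute = Value` line per attribute, records separated by a blank line). It reconstructs per-user VPN sessions (who, when, from where, for how long) and flags the inconsistencies a reviewer of VPN logs cares about: a Stop with no matching Start, a session with no Stop, and a NAS-reported `Acct-Session-Time` that disagrees with the Start/Stop timestamps. The sample records, usernames, addresses and session IDs are constructed for this example.

```python
"""Summarise VPN sessions from RADIUS accounting records (FreeRADIUS 'detail'
file layout). Added example; the sample data below is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample: three records for one session of "alice" (Start,
# Interim-Update, Stop) and a lone Stop for "bob" whose Start was never logged.
# "Timestamp" is seconds since the epoch, as FreeRADIUS writes it.
SAMPLE_DETAIL = """\
Mon Jan  8 09:12:03 2024
\tUser-Name = "alice"
\tAcct-Status-Type = Start
\tAcct-Session-Id = "a1b2c3d4"
\tNAS-IP-Address = 192.0.2.1
\tFramed-IP-Address = 10.8.0.12
\tCalling-Station-Id = "198.51.100.7"
\tTimestamp = 1704705123

Mon Jan  8 09:42:03 2024
\tUser-Name = "alice"
\tAcct-Status-Type = Interim-Update
\tAcct-Session-Id = "a1b2c3d4"
\tAcct-Session-Time = 1800
\tTimestamp = 1704706923

Mon Jan  8 10:05:11 2024
\tUser-Name = "alice"
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "a1b2c3d4"
\tAcct-Session-Time = 3188
\tAcct-Input-Octets = 1048576
\tAcct-Output-Octets = 8388608
\tAcct-Terminate-Cause = User-Request
\tTimestamp = 1704708311

Mon Jan  8 11:00:00 2024
\tUser-Name = "bob"
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "ffff0001"
\tAcct-Session-Time = 60
\tTimestamp = 1704711600
"""


@dataclass
class Session:
    user: str
    session_id: str
    start: Optional[datetime] = None
    stop: Optional[datetime] = None
    duration_s: Optional[int] = None      # Acct-Session-Time from the Stop record
    client_ip: Optional[str] = None       # Calling-Station-Id: where the user came from
    assigned_ip: Optional[str] = None     # Framed-IP-Address: the VPN pool address
    anomalies: List[str] = field(default_factory=list)


def parse_detail(text: str) -> List[Dict[str, str]]:
    """Split a detail file into records, one dict of attribute -> value each."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():                 # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        if not line.startswith(("\t", " ")): # unindented line is the header time
            current["_header"] = line.strip()
            continue
        attr, _, value = line.strip().partition(" = ")
        current[attr] = value.strip('"')     # string values are double-quoted
    if current:
        records.append(current)
    return records


def summarise(records: List[Dict[str, str]]) -> Dict[str, Session]:
    """Fold Start/Stop records into sessions keyed by Acct-Session-Id."""
    sessions: Dict[str, Session] = {}
    for rec in records:
        sid, status = rec.get("Acct-Session-Id"), rec.get("Acct-Status-Type")
        if not sid or not status or "Timestamp" not in rec:
            continue
        s = sessions.setdefault(sid, Session(rec.get("User-Name", "?"), sid))
        ts = datetime.fromtimestamp(int(rec["Timestamp"]), tz=timezone.utc)
        if status == "Start":
            s.start, s.client_ip = ts, rec.get("Calling-Station-Id")
            s.assigned_ip = rec.get("Framed-IP-Address")
        elif status == "Stop":
            s.stop = ts
            s.duration_s = int(rec.get("Acct-Session-Time", 0))
            if s.start is None:
                s.anomalies.append("Stop without Start")
            elif abs((ts - s.start).total_seconds() - s.duration_s) > 60:
                s.anomalies.append("Acct-Session-Time disagrees with Start/Stop")
        # Interim-Update records carry no new facts for this summary.
    for s in sessions.values():
        if s.stop is None:
            s.anomalies.append("no Stop record (still connected or lost)")
    return sessions


if __name__ == "__main__":
    for s in summarise(parse_detail(SAMPLE_DETAIL)).values():
        print(s.user, s.session_id, s.start, s.duration_s, s.client_ip, s.anomalies)
```

Run as-is it prints one line per session; `alice` shows a 3188-second session from 198.51.100.7, while `bob` is reported with a "Stop without Start" anomaly, which is exactly the kind of gap (lost packet, NAS restart, or a session that never went through the accounting path) worth chasing when VPN records are relied on for incident timelines.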
