Cisco Support Community
New Member

VPN Remote Users - Local and Radius together

Hello,

 

I am looking for assistance on adding a RADIUS config for VPN user authentication. Currently using the local DB, and would like to add Windows A/D RADIUS and keep the local auth also for some users.

This is for a 5505.

 

 

Thank you

 

2 REPLIES
Cisco Employee

Hi,

RADIUS configuration for VPN user authentication is as follows:

ciscoasa(config)# aaa-server <server_group_name> protocol RADIUS
ciscoasa(config)# exit
ciscoasa(config)# aaa-server <server_group_name> (interface) host <IP address of the server>
ciscoasa(config-aaa-server-host)# key <secret key>

Configure the tunnel group to use the new AAA setup.

ciscoasa(config)# tunnel-group ExampleGroup1 general-attributes
ciscoasa(config-tunnel-general)# authentication-server-group <server_group_name>

You can follow this link to configure ASA to use radius for vpn user authentication.
For local database authentication, you can configure the connection profiles and have this command:

ciscoasa(config)# tunnel-group ExampleGroup1 general-attributes
ciscoasa(config-tunnel-general)# authentication-server-group LOCAL
(This is the default parameter for connection profiles.)

 

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Employee

Hi Geraldchow1,

For the same tunnel-group, you can't authenticate users from the RADIUS database (integrated with AD) and local users (created on the ASA DB) at the same time. In the command listed below you will see a LOCAL keyword at the end of the command:

ciscoasa(config)# tunnel-group <tunnel-group-name> general-attributes
ciscoasa(config-tunnel-general)# authentication-server-group RAD_SRV_GRP LOCAL

where

RAD_SRV_GRP is the server group; it identifies the already configured authentication server or group of servers.

LOCAL is a case-sensitive keyword that requires authentication against the local user database if all of the servers in the server group have been deactivated due to communication failures.

 

Regards,

Jatin Katyal

** Do rate helpful posts **
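
An added example, not part of the thread and not Cisco tooling: a short Python check that reads an ASA running-config and reports, per tunnel-group, which authentication server group it uses and whether the LOCAL fallback discussed in the replies is present. The config excerpt, group names and address are constructed, and the finding texts are this example's own.

```python
import re

# Constructed running-config excerpt; names and addresses are made up.
SAMPLE_CONFIG = """\
aaa-server RAD_SRV_GRP protocol radius
aaa-server RAD_SRV_GRP (inside) host 192.0.2.10
tunnel-group AD-USERS general-attributes
 authentication-server-group RAD_SRV_GRP LOCAL
tunnel-group RADIUS-ONLY general-attributes
 authentication-server-group RAD_SRV_GRP
tunnel-group LOCAL-USERS general-attributes
tunnel-group TYPO general-attributes
 authentication-server-group local
"""

# authentication-server-group [(interface)] <server_group> [LOCAL]
AUTH_RE = re.compile(
    r"^\s+authentication-server-group\s+(?:\(\S+\)\s+)?(\S+)(\s+LOCAL)?\s*$")


def audit_tunnel_groups(config):
    """Return {tunnel_group: {"server_group", "fallback", "findings"}}."""
    defined = set(re.findall(r"^aaa-server\s+(\S+)\s+protocol\s+\S+", config, re.M))
    report, current = {}, None
    for line in config.splitlines():
        head = re.match(r"^tunnel-group\s+(\S+)\s+general-attributes\s*$", line)
        if head:
            current = head.group(1)
            # No explicit command: the profile authenticates against LOCAL.
            report[current] = {"server_group": "LOCAL", "fallback": False, "findings": []}
        elif not line.startswith(" "):
            current = None  # left the tunnel-group sub-mode
        elif current and (m := AUTH_RE.match(line)):
            entry = report[current]
            entry["server_group"], entry["fallback"] = m.group(1), bool(m.group(2))
    for entry in report.values():
        group = entry["server_group"]
        if group == "LOCAL":
            continue
        if group.upper() == "LOCAL":
            entry["findings"].append("LOCAL keyword is case sensitive")
        elif group not in defined:
            entry["findings"].append("server group is not defined")
        elif not entry["fallback"]:
            entry["findings"].append("no LOCAL fallback if all servers fail")
    return report


if __name__ == "__main__":
    for name, entry in audit_tunnel_groups(SAMPLE_CONFIG).items():
        print(name, entry)
```
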
