CSS 11503 SSL VPN
03-02-2009 06:48 AM
Trying to architect an SSL VPN solution using CSS 11503. Do I need a RADIUS server to authenticate the client connections? If I have a TACACS server already built into the network, can I use that?
Labels: Application Networking
03-02-2009 11:47 AM
Are you planning to use CSS as a VPN concentrator? If yes, then CSS is not an SSL VPN concentrator; it's only an SSL offloader/load balancer.
You should look at ASA firewalls to use them as IPsec/SSL VPN concentrators.
If your question is about load balancing other SSL VPN concentrators, then your best bet would be to pass SSL VPN traffic as Layer 4 traffic to the concentrators. Lots of SSL VPN options like port forwarding & embedded URL re-writes are not supported.
By the way, if you are using Cisco ASAs as VPN concentrators, then you should know that ASAs support integrated 'VPN clustering' (inbuilt load balancing).
HTH
Syed Iftekhar Ahmed
03-02-2009 11:55 AM
No, I'm not trying to use it as a VPN concentrator. I want to offload the client authentication to a RADIUS server. Basically the CA certificate will be housed on the RADIUS server and not the CSS.
03-03-2009 03:19 AM
If you want to do client authentication on the CSS for SSL traffic, you need to enable client cert authentication.
But that does not involve a RADIUS server or a login/pwd.
What the CSS will do is request the client to send its certificate; we will then check it for valid root, valid time, ... and CRL list if configured.
No RADIUS or TACACS involved here.
Gilles.
