Showing results for 
Search instead for 
Did you mean: 

CCA with ASA VPN Support

Hello -

I have been working on a lab set up that I would like to be able to show to potential customers for NAC Appliance (or CCA). I had no problems when using NAC in L3 OOB as might be deployed in a routed LAN type of setting, but I am having a horrible time getting it to work L3-IB with VPN/SSO even though I am trying my best to go by the documentation:

I find a few very confusing things about this document, and am suspecting that is where my trouble lies:

1) There is no mention of the RADIUS set up on this document other than to say "set it up". So I am wondering...

a) What version of ACS do I need? (3.3 currently).

b) Which RADIUS Service (IOS? IETF?)

c) What is the IP of the RADIUS server in that document? I see two addresses: and To make matters worse, there are discrepancies in the config of the ASA in that document which conflict with the screen shots.

Any help anyone can provide would be great.


Jason Bomar, CCIE #9316

Cisco Employee

Re: CCA with ASA VPN Support

Hi James -

Thanks for configuring NAC Appliance. We definitely want for you to be successful.

Let's see if I can help.

1a - 3.3 should work

1b - CAM will be added as IETF radius type for user authentication

1b - CAS will be added as IETF radius type for radius accouting

1c - Wherever you see the multiple addresses for ACS, just use the one ACS server address that you have

Let us know how these changes help.



Re: CCA with ASA VPN Support

Just so I understand, because this differs from the document I linked a fair amount ... the ASA (Concentrator) should AAA Auth to the CAM (which will pass it through to the ACS 3.3 as IETF) and should AAA Account to the CAS (which will pass it through to the ACS as IETF which will use it to SSO to the network) ... is that right? So the ASA does not require to point to the ACS directly?


Re: CCA with ASA VPN Support

Still does not seem to be working, here are some snippets to show what I am doing...

ASA (Concentrator -

aaa-server authgroup host (CAM)

authentication-port 1812

aaa-server CAS_Accounting protocol radius

aaa-server CAS_Accounting host (CAS)

authentication-port 1812

accounting-port 1813

tunnel-group vpngroup general-attributes

authentication-server-group authgroup

accounting-server-group CAS_Accounting

RADIUS Auth set up (CAM

Server Name: (ACS 3.3)

Server Port: 1812

NAS-Identifier: (CAM)


RADIUS Acct set up (CAS

VPN Concentrator: (ASA-Inside)

RADIUS Accounting Server: (CAS)

RADIUS Accounting Port: 1813

Accounting Mapping: ASA-Inside to CAS port 1813

Does this sound right? When I try and connect, my VPN does not authenticate. Prior to this, I was configured to have the ASA talk directly to the ACS as a RADIUS authentication server (CAS was always the Accounting Server).