Showing results for 
Search instead for 
Did you mean: 

Radius Authentication on Firewall Using ASDM/CLI for webvpn clients.


Radius Authentication on Firewall Using ASDM/CLI for webvpn clients.


Complete these steps in the ASDM in order to configure the ASA to  communicate with the radius server and authenticate WebVPN clients.

  1. Choose Configuration > Remote Access VPN > AAA Setup > AAA Server Groups.
  2. Click Add next to AAA Server Groups.
  3. In the window that appears, specify a name for the new AAA Server group and choose RADIUS as the protocol. Click OK when finished.

  1. Be sure that your new group is selected in the top pane and click Add to the right of the lower pane.
  2. Provide the server information:
  • Interface Name—the interface that the ASA must use to reach the radius server
  • Server Name or IP address—the address that the ASA must use to reach the radius server
  • Server Secret Key—the shared secret key configured for the ASA on the radius server

Example AAA Server Configuration on the ASA

  1. Once you have configured the AAA server group and server, navigate  to Configuration > Remote Access VPN > Clientless SSL VPN Access  > Connection Profiles in order to configure WebVPN to use the new AAA  configuration.

Note: Even though this example uses WebVPN, you can set any remote access connection profile (tunnel group) to use this AAA setup.

  1. Choose the profile for which you want to configure AAA, and click Edit.
  2. Under Authentication choose the RADIUS server group that you created earlier. Click OK when finished.

Command Line Interface

Complete these steps in the command line interface (CLI) in order to  configure the ASA to communicate with the ACS server and authenticate  WebVPN clients.

ciscoasa#configure terminal 
 !--- Configure the AAA Server group.

ciscoasa(config)# aaa-server RAD_SRV_GRP protocol RADIUS
ciscoasa(config-aaa-server-group)# exit
 !--- Configure the AAA Server.

ciscoasa(config)# aaa-server RAD_SRV_GRP (inside) host
ciscoasa(config-aaa-server-host)# key secretkey
ciscoasa(config-aaa-server-host)# exit
 !--- Configure the tunnel group to use the new AAA setup.

ciscoasa(config)# tunnel-group ExampleGroup1 general-attributes
ciscoasa(config-tunnel-general)# authentication-server-group RAD_SRV_GRP


Use this section in order to confirm that your configuration works properly.

Test with ASDM

Verify your RADIUS configuration with the Test button on the AAA Server Groups configuration screen. Once you supply a  username and password, this button allows you to send a test  authentication request to the radius server.

  1. Choose Configuration > Remote Access VPN > AAA Setup > AAA Server Groups.
  2. Select your desired AAA Server group in the top pane.
  3. Select the AAA server that you want to test in the lower pane.
  4. Click the Test button to the right of the lower pane.
  5. In the window that appears, click the Authentication radio button, and supply the credentials with which you want to test. Click OK when finished.

After the ASA contacts the AAA server, a success or failure message appears.

Test with CLI

You can use the test command on the command line in  order to test your AAA setup. A test request is sent to the AAA server,  and the result appears on the command line.

ciscoasa#test aaa-server authentication RAD_SVR_GRP host username kate password cisco123

INFO: Attempting Authentication test to IP address <> (timeout: 12 seconds)
INFO: Authentication Successful


Hi Minkumar,

Thanks for this post! This is the the lab I wanna setup, but I am a little lost on how to configure this kind of setup.

Can I integrate this RADIUS setup using my existing Microsoft AD?

May I ask if you have links and other resources on configuring my Microsoft AD?

Hope to hear from you soon!



Content for Community-Ad