ASDM
Complete these steps in the ASDM in order to configure the ASA to communicate with the RADIUS server and authenticate WebVPN clients.
- Choose Configuration > Remote Access VPN > AAA Setup > AAA Server Groups.
- Click Add next to AAA Server Groups.
- In the window that appears, specify a name for the new AAA Server group and choose RADIUS as the protocol. Click OK when finished.
- Be sure that your new group is selected in the top pane and click Add to the right of the lower pane.
- Provide the server information:
  - Interface Name—the interface that the ASA must use to reach the RADIUS server
  - Server Name or IP address—the address that the ASA must use to reach the RADIUS server
  - Server Secret Key—the shared secret key configured for the ASA on the RADIUS server
Example AAA Server Configuration on the ASA
- Once you have configured the AAA server group and server, navigate to Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles in order to configure WebVPN to use the new AAA configuration.
Note: Even though this example uses WebVPN, you can set any remote access connection profile (tunnel group) to use this AAA setup.
- Choose the profile for which you want to configure AAA, and click Edit.
- Under Authentication choose the RADIUS server group that you created earlier. Click OK when finished.
Command Line Interface
Complete these steps in the command line interface (CLI) in order to configure the ASA to communicate with the ACS server and authenticate WebVPN clients.
ciscoasa#configure terminal
!--- Configure the AAA Server group.
ciscoasa(config)# aaa-server RAD_SRV_GRP protocol RADIUS
ciscoasa(config-aaa-server-group)# exit
!--- Configure the AAA Server.
ciscoasa(config)# aaa-server RAD_SRV_GRP (inside) host 192.168.1.2
ciscoasa(config-aaa-server-host)# key secretkey
ciscoasa(config-aaa-server-host)# exit
!--- Configure the tunnel group to use the new AAA setup.
ciscoasa(config)# tunnel-group ExampleGroup1 general-attributes
ciscoasa(config-tunnel-general)# authentication-server-group RAD_SRV_GRP
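The Python check below is an added example, not part of the original procedure. It reads configuration text prepared offline and verifies the relationships the CLI steps above establish: each tunnel group's authentication-server-group must name a defined AAA server group, and that group must have a host with a key. The function name audit_aaa and the second tunnel group with its misspelled group name are constructed for illustration.

```python
import re

# Constructed sample: the page's CLI commands as plain configuration lines, plus a
# hypothetical second tunnel group whose server group name is misspelled.
SAMPLE_CONFIG = """\
aaa-server RAD_SRV_GRP protocol RADIUS
aaa-server RAD_SRV_GRP (inside) host 192.168.1.2
 key secretkey
tunnel-group ExampleGroup1 general-attributes
 authentication-server-group RAD_SRV_GRP
tunnel-group ExampleGroup2 general-attributes
 authentication-server-group RAD_SVR_GRP
"""

GROUP_RE = re.compile(r"^aaa-server (\S+) protocol \S+$")
HOST_RE = re.compile(r"^aaa-server (\S+) \(\S+\) host (\S+)$")
TUNNEL_RE = re.compile(r"^tunnel-group (\S+) general-attributes$")
AUTH_RE = re.compile(r"^authentication-server-group (\S+)$")

def audit_aaa(config_text):
    """Return findings about AAA server groups and the tunnel groups that use them."""
    groups = {}      # server group name -> list of host records
    references = []  # (tunnel group, referenced server group)
    host = tunnel = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level line leaves the current sub-mode
            host = tunnel = None
        if m := GROUP_RE.match(line):
            groups.setdefault(m.group(1), [])
        elif m := HOST_RE.match(line):
            host = {"address": m.group(2), "has_key": False}
            groups.setdefault(m.group(1), []).append(host)
        elif m := TUNNEL_RE.match(line):
            tunnel = m.group(1)
        elif host is not None and line.startswith("key "):
            host["has_key"] = True
        elif tunnel is not None and (m := AUTH_RE.match(line)):
            references.append((tunnel, m.group(1)))
    findings = []
    for tunnel_name, group in references:
        if group not in groups:
            findings.append(f"{tunnel_name}: server group {group} is not defined")
        elif not groups[group]:
            findings.append(f"{tunnel_name}: server group {group} has no host")
    findings += [f"{g}: host {h['address']} has no key"
                 for g, hosts in groups.items() for h in hosts if not h["has_key"]]
    return findings

print(*audit_aaa(SAMPLE_CONFIG), sep="\n")
```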
Verify
Use this section in order to confirm that your configuration works properly.
Test with ASDM
Verify your RADIUS configuration with the Test button on the AAA Server Groups configuration screen. Once you supply a username and password, this button allows you to send a test authentication request to the RADIUS server.
- Choose Configuration > Remote Access VPN > AAA Setup > AAA Server Groups.
- Select your desired AAA Server group in the top pane.
- Select the AAA server that you want to test in the lower pane.
- Click the Test button to the right of the lower pane.
- In the window that appears, click the Authentication radio button, and supply the credentials with which you want to test. Click OK when finished.
After the ASA contacts the AAA server, a success or failure message appears.
Test with CLI
You can use the test command on the command line in order to test your AAA setup. A test request is sent to the AAA server, and the result appears on the command line.
ciscoasa#test aaa-server authentication RAD_SRV_GRP host 192.168.1.2 username kate password cisco123
INFO: Attempting Authentication test to IP address <192.168.1.2> (timeout: 12 seconds)
INFO: Authentication Successful