VPN Remote Users - Local and Radius together

geraldchow1
Level 1

Hello,

I am looking for assistance on adding a RADIUS config for VPN user authentication. Currently I am using the local DB and would like to
add Windows A/D RADIUS and also keep the local auth for some users.

This is for a 5505.

Thank you


2 Replies

Dinesh Moudgil
Cisco Employee

Hi,

RADIUS configuration for VPN user authentication is as follows:

ciscoasa(config)# aaa-server <server_group_name> protocol RADIUS
ciscoasa(config-aaa-server-group)# exit
ciscoasa(config)# aaa-server <server_group_name> (<interface_name>) host <IP address of the server>
ciscoasa(config-aaa-server-host)# key <secret key>

Configure the tunnel group to use the new AAA setup.

ciscoasa(config)# tunnel-group ExampleGroup1 general-attributes
ciscoasa(config-tunnel-general)# authentication-server-group <server_group_name>

You can follow this link to configure ASA to use RADIUS for VPN user authentication.
For local database authentication, you can configure the connection profiles and have this command:

ciscoasa(config)# tunnel-group ExampleGroup1 general-attributes
ciscoasa(config-tunnel-general)# authentication-server-group LOCAL
(This is the default parameter for connection profiles.)

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Jatin Katyal
Cisco Employee

Hi Geraldchow1,

For the same tunnel-group, you can't authenticate users from the RADIUS database (integrated with AD) and local users (created on the ASA DB) at the same time. In the command listed below you would see a LOCAL keyword at the end of the command:

ciscoasa(config)# tunnel-group <tunnel-group-name> general-attributes
ciscoasa(config-tunnel-general)# authentication-server-group RAD_SRV_GRP LOCAL

where
RAD_SRV_GRP is the server group; it identifies the already configured authentication server or group of servers.

LOCAL is a keyword that is case sensitive and requires authentication against the local user database if all of the servers in the server group have been deactivated due to communication failures.

Regards,

Jatin Katyal

** Do rate helpful posts **

~Jatin
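The two replies above describe a RADIUS server group with LOCAL fallback on the tunnel-group. The checker below is added here and is not part of either reply or of Cisco's tooling: it scans an ASA running-config fragment for the points they raise (an authentication-server-group that references an undefined aaa-server group, a group with no host, a missing fallback, or a lowercase "local" that the case-sensitive keyword would not match). The config text, the reused group name RAD_SRV_GRP, and the address 192.0.2.10 are constructed sample input.

```python
import re

# Constructed sample ASA configuration fragments (not from a real device).
# RAD_SRV_GRP is the group name from the reply; 192.0.2.10 is a placeholder.
GOOD_CONFIG = """
aaa-server RAD_SRV_GRP protocol radius
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
aaa-server RAD_SRV_GRP (inside) host 192.0.2.10
 key *****
tunnel-group ExampleGroup1 type remote-access
tunnel-group ExampleGroup1 general-attributes
 authentication-server-group RAD_SRV_GRP LOCAL
"""

BAD_CONFIG = """
aaa-server RAD_SRV_GRP protocol radius
tunnel-group ExampleGroup1 general-attributes
 authentication-server-group RAD_SRV_GRP local
tunnel-group ExampleGroup2 general-attributes
 authentication-server-group NOSUCHGROUP
"""


def audit_vpn_auth(config: str) -> dict:
    """Return {tunnel_group: [findings]} for each general-attributes block."""
    # Groups defined with "aaa-server <name> protocol ..." and those that
    # also have at least one "aaa-server <name> (<if>) host ..." entry.
    groups = set(re.findall(r"^aaa-server (\S+) protocol", config, re.M))
    hosts = set(re.findall(r"^aaa-server (\S+) \(\S+\) host", config, re.M))
    findings, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^tunnel-group (\S+) general-attributes", line)
        if m:
            current = m.group(1)
            findings.setdefault(current, [])
            continue
        m = re.match(r"^\s+authentication-server-group (\S+)(?: (\S+))?", line)
        if not (m and current):
            continue
        grp, fallback = m.group(1), m.group(2)
        if grp == "LOCAL":            # local database only (the default case)
            findings[current].append("local-db-only")
            continue
        if grp not in groups:
            findings[current].append(f"undefined-group:{grp}")
        elif grp not in hosts:
            findings[current].append(f"no-host:{grp}")
        if fallback is None:          # RADIUS outage locks everyone out
            findings[current].append("no-local-fallback")
        elif fallback != "LOCAL":     # keyword is case sensitive
            findings[current].append(f"bad-fallback-keyword:{fallback}")
    return findings
```

Note that LOCAL fallback only engages once every server in the group has been deactivated, so a single rejected password on a reachable RADIUS server is never retried against the local database.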