Setting up Cisco ASA VPN to use both radius and local users


In a Cisco ASA remote access VPN you do not have the option of adding multiple AAA server groups for a single connection profile.

Since each AAA server group is limited to one protocol you cannot have both RADIUS and LOCAL as valid authentication servers on one connection profile.

The only way to do that is for LOCAL to be the fallback AAA server group, but as you know the fallback only becomes active if the ASA is not able to communicate with the primary AAA server group.

In order to do what you want, I suggest creating one connection profile that has the RADIUS AAA server group and a second connection profile that has the LOCAL AAA server group.

You can use the same group policy, address assignment, and crypto map for both connection profiles. The difference is the connection profile name and you will need to choose the right profile name from the AnyConnect login screen or use the proper Cisco VPN Client PCF file.

UPDATE: If you are trying to have AAA authentication for the VPN but not allow LOCAL authentication to be used for the VPN if the AAA server isn't available, just don't enable fallback on the VPN Connection Profile. http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/access_aaa.html#wp1062034
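The following ASA CLI fragment is an added illustration of the two-profile layout described in this answer; it is not configuration from the answer's author. All names (RADIUS-GRP, VPN-POOL, VPN-GP, VPN-RADIUS, VPN-LOCAL, the host address, the aliases and the account name) are assumed placeholders, and the secrets are deliberately left as markers to replace.

```cisco
! Added example, not the answer's own configuration. Names and addresses are assumed.

! Emergency account that lives only in the ASA's local database
username emergency-admin password <REPLACE-ME> privilege 15

! AAA server group for RADIUS (a group carries exactly one protocol)
aaa-server RADIUS-GRP protocol radius
aaa-server RADIUS-GRP (inside) host 10.0.0.10
 key <RADIUS-SHARED-SECRET>

! Address pool and group policy shared by both connection profiles
ip local pool VPN-POOL 10.10.10.1-10.10.10.50 mask 255.255.255.0

group-policy VPN-GP internal
group-policy VPN-GP attributes
 vpn-tunnel-protocol ssl-client

! Profile 1: RADIUS only. There is no trailing LOCAL keyword on the
! authentication-server-group line, so the ASA does NOT fall back to the
! local database when every RADIUS server is unreachable.
tunnel-group VPN-RADIUS type remote-access
tunnel-group VPN-RADIUS general-attributes
 address-pool VPN-POOL
 authentication-server-group RADIUS-GRP
 default-group-policy VPN-GP
tunnel-group VPN-RADIUS webvpn-attributes
 group-alias RADIUS-Users enable

! Profile 2: LOCAL database only, used for the emergency account
tunnel-group VPN-LOCAL type remote-access
tunnel-group VPN-LOCAL general-attributes
 address-pool VPN-POOL
 authentication-server-group LOCAL
 default-group-policy VPN-GP
tunnel-group VPN-LOCAL webvpn-attributes
 group-alias Local-Users enable

! Show the profile drop-down on the AnyConnect login page so the user can
! pick RADIUS-Users or Local-Users
webvpn
 tunnel-group-list enable
```

If fallback were wanted instead, the RADIUS profile's line would read `authentication-server-group RADIUS-GRP LOCAL`; the difference between the two behaviours discussed in this answer is that single trailing keyword. The profile choice shown here is made with a `group-alias` on the AnyConnect login page (or the group name in the legacy IPsec client's PCF file); a native L2TP/IPsec client has no profile selector and lands on DefaultRAGroup, so for that client type the second profile is not reachable by name.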

Author: Darinth

Updated on September 18, 2022

Comments

  • Darinth (almost 2 years ago)

    I've got a Cisco ASA set up with an L2TP/IPsec VPN, and all is working well except for one minor issue. Ideally, I'd like to be able to log on to the VPN using either the RADIUS server users or the local user database on the ASA. Right now, everything uses RADIUS users and I've turned on the option to use the local database as a fallback.

    It was my hope that when it said fallback, if the RADIUS server failed to authenticate a username, it would check the local database. Unfortunately, this isn't the case. The user that I have on the ASA as an emergency isn't being used, at least not while the RADIUS server is accessible. I can run a test by disabling the RADIUS server temporarily to see if the ASA will indeed fall back and use the local database once the RADIUS server is inaccessible, which is what I believe will happen. I'd really prefer that the VPN just be able to authenticate against either RADIUS or the local user database all of the time. Is there any way to set up a Cisco ASA's VPN to simultaneously use both the local user database and a RADIUS server?

  • Brain2000 (over 7 years ago)
    I'm actually looking to do the opposite: disable the LOCAL group so that if the AAA server group's servers are all offline, it will simply not authenticate any VPN users. I know the reactivation timer is the way to do that, but that seems sketchy, because if I can disable all the servers within 30 seconds, it will still fall back to LOCAL, which may have a password that never changes, thus allowing a security hole. Is there a permanent way to disable LOCAL for VPN, but use it for CLI access?
  • user5870571 (over 7 years ago)
    Yes, there is. Please see my updated answer.