This article walks through configuring a Cisco ASA 5500-series firewall to authenticate remote access VPN users (Cisco VPN client) via RADIUS against a Microsoft Windows Active Directory domain controller running Internet Authentication Service (IAS).

1. Install the Internet Authentication Service (IAS) Windows component

2. Open the IAS console

3. Add the Cisco ASA as a RADIUS client

4. Edit the remote access policy in the IAS console as needed; enable “Unencrypted authentication (PAP, SPAP)” on the Authentication tab of the profile

5. Connect to your ASA (assuming you are using the ASDM)

6. Go to the Properties tab, then to AAA Setup > AAA Server Groups

7. Create a new server group

8. Add a server to the group

9. Test the authentication

10. Go into your VPN settings on the ASA (General > Tunnel Group > properties of the remote access VPN)

11. Go to the General > Authentication tab and change the Authentication Server Group property to the new AAA Server Group that you just created

12. Check the box to enable LOCAL authentication if the server group fails

13. Test it with an Active Directory user account from outside using the Cisco VPN client
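For readers who prefer the command line, the following is the ASA CLI equivalent of steps 6 through 12 above. This is an added example and not part of the original article; the server group name RADIUS-AD, the IAS server address 10.0.0.10 on the "inside" interface, the tunnel group name RA-VPN and the shared-secret placeholder are all assumed and should be replaced with your own values.

```cisco
! Added example, not from the original post: CLI equivalent of ASDM steps 6-12.
! Assumed values: group RADIUS-AD, IAS server 10.0.0.10 behind "inside",
! tunnel group RA-VPN. Replace the placeholder secret with your own.

! Step 7: create the AAA server group using the RADIUS protocol.
! After 3 failed attempts a server is marked dead for 10 minutes, which is
! what lets the LOCAL fallback in step 12 kick in instead of hanging logins.
aaa-server RADIUS-AD protocol radius
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10

! Step 8: add the IAS server to the group. The key must match the shared
! secret entered for this ASA when it was added as a RADIUS client in the
! IAS console (step 3). 1812/1813 are the standard RADIUS ports IAS listens on.
aaa-server RADIUS-AD (inside) host 10.0.0.10
 key REPLACE-WITH-SHARED-SECRET
 authentication-port 1812
 accounting-port 1813
 timeout 5

! Steps 10-12: point the remote access tunnel group at the new server group.
! Listing LOCAL after RADIUS-AD is the CLI form of "enable LOCAL authentication
! if the server group fails": local accounts are consulted only when every
! server in RADIUS-AD is unreachable, not when a user's credentials are rejected.
tunnel-group RA-VPN general-attributes
 authentication-server-group RADIUS-AD LOCAL

! Step 9 from the CLI (exec mode, not configuration): send a test
! Access-Request to the server with a domain account before touching the
! tunnel group, so a wrong secret or a policy that still rejects PAP shows up
! here rather than at the first user's login.
! test aaa-server authentication RADIUS-AD host 10.0.0.10 username jdoe password REPLACE-ME
```

Two points worth checking after applying this: the RADIUS shared secret is the only thing protecting the PAP password in transit (it is XOR-hidden with an MD5 of the secret and request authenticator, not encrypted), so keep the IAS server on a trusted segment as the comments below discuss, and confirm with the `test aaa-server` command that a deliberately wrong password is rejected, which proves the ASA is really consulting RADIUS rather than silently falling back to LOCAL.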

2 Replies to “Configure Cisco ASA remote access VPN to use RADIUS”

  1. It’s not necessary to use unsecured PAP authentication. MS-CHAP and MS-CHAPv2 are also supported authentication protocols; however, the process of enabling this is not particularly intuitive: you use the password-management command in the VPN tunnel group. This consequently enables password change functionality, but for those who don’t want to use it, you can disable the password reminder notification by setting the reminder threshold to zero. See for details.

    1. Thanks for the tip. I’ll keep that in mind. I have not yet had a need for the more secure authentication methods as the ASA deployments I have done were for an environment where the LAN interface of the ASA was on the same local subnet as the RADIUS server. Therefore, security of the RADIUS request was not of great concern. I would obviously want something more secure if the ASA was sending requests from a DMZ or sending over the Internet. Thanks again!
