2

I've got a Cisco ASA setup with L2TP/IPSec VPN, all is working well except for one minor issue. Ideally, I'd like to be able to log on to the VPN using either that RADIUS server users or the local user database on the ASA. Right now, everything uses RADIUS users and I've turned on the option to use the local database as a fallback.

It was my hope that when it said fallback that if the RADIUS server failed to authenticate a username, it would check the local database. Unfortunately, this isn't the case. The user that I have on the ASA as an emergency isn't being used, at least not while the RADIUS server is accessible. I can run a test by disabling the RADIUS server temporarily to see if the ASA will indeed fallback and use the local database once the radius server is inaccessible, which is what I believe will happen. I'd really prefer that the VPN just be able to authenticate against either RADIUS or the local user database all of the time. Is there any way to setup a Cisco ASA's VPN to simultaneously use both the local user database and a RADIUS server?

Darinth
  • 211
  • 3
  • 10

1 Answers1

2

In a Cisco ASA remote access VPN you do not have the option of adding multiple AAA server groups for a single connection profile.

Since each AAA server group is limited to one protocol you cannot have both RADIUS and LOCAL as valid authentication servers on one connection profile.

The only way to do that is for LOCAL to be the fallback AAA server group, but as you know the fallback only becomes active if the ASA is not able to communicate with the primary AAA server group.

In order to do what you want, I suggest creating one connection profile that has the RADIUS AAA server group and a second connection profile that has the LOCAL AAA server group.

You can use the same group policy, address assignment, and crypto map for both connection profiles. The difference is the connection profile name and you will need to choose the right profile name from the AnyConnect login screen or use the proper Cisco VPN Client PCF file.

UPDATE: If you are trying to have AAA authentication for the VPN but not allow the LOCAL authentication to be used for the VPN if the AAA server isn't available just don't enable fallback on the VPN Connection Profile. http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/access_aaa.html#wp1062034

user5870571
  • 3,094
  • 2
  • 12
  • 35
  • I'm actually looking to do the opposite, disable the LOCAL group so that if the AAA server group servers are all offline, it will simply not authenticate any VPN users. I know the reactivation timed is the way to do that, but that seems sketchy, because if I can disable all the servers within 30 seconds, it will still fall back to LOCAL, which may have a password that never changes, thus allowing a security hole. Is there a permanent way to disable LOCAL for VPN, but use it for CLI access? – Brain2000 Nov 09 '16 at 20:55
  • Yes, there is. Please see my updated answer. – user5870571 Nov 09 '16 at 22:36