

Setting up Cisco VPN using RADIUS

Posted on 2013-11-04
Medium Priority
Last Modified: 2013-11-08
The technology service company that I work for has been setting up every customer with a VPN user account without using RADIUS.  I am new to the company (1 and a half years), almost everyone is new, and we wondered why we aren't using RADIUS for setting up these companies.  99% of them have a domain server and 99% of them require VPN access.  We have standardized on the use of Cisco ASA devices.  So is there a good reason why we shouldn't use RADIUS?  Is it best practice to use RADIUS?  We have been arguing with the owner about this for months.  Our clients typically have a tech guy and they ask why we didn't set it up.  I don't have an answer for them.  Anyway, our boss will not listen to us, so I need outside help.  If you have any Cisco, MS or CISSP certs, please include what you have so I have fuel for the fire.

Question by:Justin Alcorta
LVL 17

Expert Comment

ID: 39623637
You may use RADIUS and ... you may as well not ...
Basically, without using RADIUS you are relying on a local database account on the ASA, which is pretty manageable by the ASA administrator. You may configure alerts and logging on it, keeping trace of every single VPN connection, and archive them into log files as well. So it is really a "full world", all managed by the ASA administrator.
The other way round, when you use RADIUS, you are using Active Directory accounts to do a single sign-on logon and get authorized to reach what that user would reach when logged into the LAN. This of course will be managed by AD administrators, and this is the main difference in any organization.
So the question is ... who must be responsible for VPN connections in your organization? Who is the one that will be called up overnight when something is not going as expected?

I could go on with thousands of real-life examples, but for any point assigned to one technology, you will always find points for the other one as well.

Hope this helps.

Author Comment

by:Justin Alcorta
ID: 39624961
Max, thanks for the info.  Right now we have more people that can manage AD than ASA devices.  Is there any security advantage or disadvantage from RADIUS?  Thanks,
LVL 17

Accepted Solution

max_the_king earned 2000 total points
ID: 39626648
RADIUS may well be considered secure, and it is a well-known security standard. So it is a security advantage, no doubt.
You will end up creating a rule on the ASA that will permit access to a RADIUS server for authentication, and typically you will create a security group in Active Directory which will be filled with all or a subset of your users. This means that whenever you need to add any domain user to the list of VPN users, you just need to add those users to that security group. Of course those users will still need the Cisco VPN client to bring up the IPsec tunnel to the ASA, and their credentials will have to match the Active Directory user and password, and no longer the local ASA database.

hope this helps
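
The change described in the accepted answer, written out as ASA configuration with the local-database setup beside the RADIUS one. This is an added example, not configuration posted in the thread; the server group name `AD-RADIUS`, the tunnel-group name `REMOTE-VPN`, the address `192.0.2.10` and every `<...>` placeholder are assumptions.

```cisco
! Constructed example. AD-RADIUS, REMOTE-VPN, 192.0.2.10 and the <...>
! placeholders are assumptions, not values from the thread.

! --- Before: every VPN user is a local account on the ASA ---
username jsmith password <local-password>
tunnel-group REMOTE-VPN type remote-access
tunnel-group REMOTE-VPN general-attributes
 authentication-server-group LOCAL

! --- After: the ASA asks a RADIUS server that checks Active Directory ---
! Define the RADIUS server group and the server reachable via the inside interface.
aaa-server AD-RADIUS protocol radius
aaa-server AD-RADIUS (inside) host 192.0.2.10
 key <radius-shared-secret>
!
tunnel-group REMOTE-VPN general-attributes
 ! RADIUS is tried first; LOCAL is used only when no RADIUS server responds.
 ! Keep one break-glass local account and remove the per-user local accounts,
 ! otherwise old local passwords remain valid during a RADIUS outage.
 authentication-server-group AD-RADIUS LOCAL
!
! Verify from the ASA before moving users over (run in privileged EXEC mode):
! test aaa-server authentication AD-RADIUS host 192.0.2.10 username <ad-user> password <ad-password>
```

The security group check from the answer is enforced on the RADIUS server (a group condition in its access policy), not on the ASA, so disabling the AD account or removing it from that group revokes VPN access without touching the firewall.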
