Setting up Cisco VPN using RADIUS

Posted on 2013-11-04
Last Modified: 2013-11-08
The technology service company that I work for has been setting up every customer a VPN user account without using RADIUS.  I am new to the company 1 and half years and we have some almost everyone is new and we wondered why we aren't using RADIUS for setting up these companies.  99% of them have a domain server and 99% of them require VPN access.  We have standardized the use of Cisco ASA devices.  So is there a good reason why we shouldn't use RADIUS?  Is it best practice to use RADIUS?  We have been arguing with the owner about this for months.  Our clients typically have a tech guy and they ask why we didn't set it up.  I don't have an answer for them.  Anyway our boss will not listen to use so I need outside help.  If you have any Cisco, MS or CIISP certs please include what you have so i have fuel for the fire.  

Question by:justind39
  • 2
LVL 15

Expert Comment

ID: 39623637
you may use Radius and ... you may as well not ...
basically, without using radius you are relying on a local database account into the ASA, which is pretty manageable by ASA administrator. You may configure alerts and logging on it keeping trace of every single vpn connection and as well archive them into log files. So it is really a "full world", all managed by ASA administrator.
The other way round, when you use Radius, you are using Active Directory accounts to do a Single SignOn logon and get authorized to reach what that user would be when logged into the LAN. This of course will be managed by AD administrators and this is the main difference into any organization.
So the question is ... who must be responsible of VPN connections into you organization ? Who is the one that will be called up overnight when something is not going as expected ?

I could go on with thousands life examples, but for any point assigned to one technology, you will always find points to the other one as well.

hope this helps

Author Comment

ID: 39624961
Max thanks for the info.  Right now we have more people that can manage AD than ASA devices.  Is there any security advantage or disadvantage from RADIUS?  Thanks,
LVL 15

Accepted Solution

max_the_king earned 500 total points
ID: 39626648
Radius may well be considered secure, and it is a well known security standard. So it is a security advantage, no doubt.
You will end up creating a rule on the ASA that will permit access to a Radius server for authentication and tipically you will create a security group on Active Directory which will be filled up with all or a subset of your users. This means that whenever you need to add up any domain user to the list of VPN users, you just need to add those users to that security group. Of course those users will still need the vpn cisco client to bring up ipsec tunnel to ASA and their credentials will have to match the Active Directory user and password, and no longer the local ASA database.

hope this helps

Featured Post

Scale it in WD Gold

With up to ten times the workload capacity of desktop drives, WD Gold hard drives employ advanced technology to deliver among the best in reliability, capacity, power efficiency and performance.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
PCI scan - CIFS NULL Session Permitted 10 72
Security risks of IM, RM & messaging systems 2 90
Sharepoint 2010 Audit Logs 11 79
Server Backup on 2016 Essentials Box 1 38
Phishing is at the top of most security top 10 efforts you should be pursuing in 2016 and beyond. If you don't have phishing incorporated into your Security Awareness Program yet, now is the time. Phishers, and the scams they use, are only going to …
If you use NetMotion Mobility on your PC and plan to upgrade to Windows 10, it may not work unless you take these steps.
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now