Cisco ASA authentication with SecurEnvoy (RADIUS) for Remote Access VPN

Below is the Cisco ASA and SecurEnvoy configuration I did at one of my customer sites.

Requirement

One of my customers currently uses ACS servers for VPN authentication. They also have a SecurEnvoy server which issues One Time Passcodes (OTP) to authenticating users. The VPN user authenticates to the ASA, which passes the authentication request to ACS, which in turn forwards it to the SecurEnvoy boxes. Once SecurEnvoy returns success or failure, the ACS servers place a successfully authenticated user in the desired group.

External vendors were authenticated against local accounts created on ACS.

As can be seen from the above, the only reasons the customer used ACS were to place users in a particular group and to hold the external vendor accounts. Since ACS added little value to the VPN deployment, we decided to remove it.

Following were the key goals of the project:

  • Remove the Cisco ACS servers from the VPN authentication path in order to simplify VPN authentication.
  • Move the external vendor accounts to an ADAM instance which is integrated with SecurEnvoy.
  • Use Active Directory groups to grant users access to the corporate VPN.
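The ASA side of the target design (the first and third goals), written out as an added example rather than the author's configuration: the ASA sends RADIUS requests straight to the SecurEnvoy servers, and the group policy applied to the session is taken from the RADIUS reply. The server addresses, shared secret, interface name, tunnel-group and group-policy names are placeholders, not values from this deployment, and the example assumes the RADIUS server returns the IETF Class attribute (25) in the form `OU=<group-policy>;`, which the ASA maps to a locally defined group-policy.

```cisco
! Added example, not the author's configuration. All values are placeholders.
!
! RADIUS server group pointing directly at the SecurEnvoy servers (no ACS hop).
aaa-server SECURENVOY protocol radius
 max-failed-attempts 3
 reactivation-mode timed
aaa-server SECURENVOY (inside) host 192.0.2.10
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813
 ! OTP users need time to read and type the passcode; a short timeout
 ! makes the ASA retry and the second request fails against a used code.
 timeout 30
 retry-interval 10
aaa-server SECURENVOY (inside) host 192.0.2.11
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813
 timeout 30
 retry-interval 10
!
! Group policies. The one applied to a session is chosen by the Class
! attribute ("OU=CORP-VPN-GP;") in the Access-Accept. Anyone whose reply
! carries no recognised policy lands in NOACCESS and is refused a session,
! which is how AD group membership becomes the access decision on the ASA.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
group-policy CORP-VPN-GP internal
group-policy CORP-VPN-GP attributes
 vpn-tunnel-protocol IPSec svc
 vpn-simultaneous-logins 1
!
! Remote-access tunnel group bound to the RADIUS server group.
tunnel-group CORP-VPN type remote-access
tunnel-group CORP-VPN general-attributes
 authentication-server-group SECURENVOY
 default-group-policy NOACCESS
!
! Verify the RADIUS path from the ASA before moving users across
! (the password is the user's PIN followed by the current OTP):
! test aaa-server authentication SECURENVOY host 192.0.2.10 username jdoe password <pin+otp>
```

Two points worth checking in this layout: `default-group-policy NOACCESS` only does its job if the RADIUS server never returns a Class value for users outside the permitted AD group, so confirm that with the `test aaa-server` command for a user who should be refused as well as one who should be allowed; and the per-host `timeout` should be longer than the time a user needs to enter a one-time code, since a retried request arrives with an already consumed passcode.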

Hardware & Software Used

  • Cisco ASA 5520 running software version 8.2.3
  • Windows Server 2003 R2 Standard Edition with SecurEnvoy 5.3 installed, running on VMware

SecurEnvoy Configuration

A single SecurEnvoy server can be used for multiple domains.