35-4
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter35 Configuring AAA Servers and the Local Database
Information About AAA
RADIUS Server Support
The ASA supports the following RFC-compliant RADIUS servers for AAA:
Cisco Secure ACS 3.2, 4.0, 4.1, 4.2, and 5.x
Cisco Identity Services Engine (ISE)
RSA RADIUS in RSA Authentication Manager 5.2, 6.1, and 7.x
Microsoft

Authentication Methods

The ASA supports the following authentication methods with RADIUS:
PAP—For all connection types.
CHAP and MS-CHAPv1—For L2TP-over-IPsec connections.
MS-CHAPv2—For L2TP-over-IPsec connections, and for regular IPsec remote access connections
when the password management feature is enabled. You can also use MS-CHAPv2 with clientless
connections.
Authentication Proxy modes—Including RADIUS to Active Directory, RADIUS to RSA/SDI,
RADIUS to Token-server, and RSA/SDI to RADIUS connections,
Note To enable MS-CHAPv2 as the protocol used between the ASA and the RADIUS server for a VPN
connection, password management must be enabled in the tunnel group general attributes. Enabling
password management generates an MS-CHAPv2 authentication request from the ASA to the RADIUS
server. See the description of the password-management command for details.
If you use double authentication and enable password management in the tunnel group, then the primary
and secondary authentication requests include MS-CHAPv2 request attributes. If a RADIUS server does
not support MS-CHAPv2, then you can configure that server to send a non-MS-CHAPv2 authentication
request by using the no mschapv2-capable command.

Attribute Support

The ASA supports the following sets of RADIUS attributes:
Authentication attributes defined in RFC 2138.
Accounting attributes defined in RFC 2139.
RADIUS attributes for tunneled protocol support, defined in RFC 2868.
Cisco IOS Vendor-Specific Attributes (VSAs), identified by RADIUS vendor ID 9.
Cisco VPN-related VSAs, identified by RADIUS vendor ID 3076.
Microsoft VSAs, defined in RFC 2548.
Cisco VSA (Cisco-Priv-Level), which provides a standard 0-15 numeric ranking of privileges, with
1 being the lowest level and 15 being the highest level. A zero level indicates no privileges. The first
level (login) allows privileged EXEC access for the commands available at this level. The second
level (enable) allows CLI configuration privileges.