Integration Guide for Cisco Remote Access with GreenRADIUS 2FA

Before starting, make sure GreenRADIUS is configured with users imported from your LDAP and can communicate with your Cisco ASA

Configuring GreenRADIUS for Cisco ASA

In the GreenRADIUS web admin interface, add the Cisco ASA as a RADIUS client.

1. Click the Global Configuration tab
2. Click the Client-based Authentication Policies icon
3. Enter the IP address of the Cisco ASA. Then enter the same RADIUS secret twice. Then click the Add button.

Configuring the Cisco ASA

Add GreenRADIUS as a RADIUS Server

Before starting, ensure that network interfaces and client profiles are configured correctly.

1. Log in to the Cisco ASDM for ASA.
2. Open the "Configuration" tab and select "Remote Access VPN."
3. Locate "AAA/Local Users" and select "AAA Server Groups." Click the top right Add button to create a new "GreenRADIUS" RADIUS server group:

4. Select the new "GreenRADIUS" AAA Server Group and click the bottom right Add button. This will open the AAA Server window:

   • Server Name or IP Address: greenradius_ip_or_fqdn
   • Server Authentication Port: 1812
   • Server Accounting Port: 1812
   • Server Secret Key: Client Secret provided in the RADIUS Clients tab on the GreenRADIUS web admin interface.
   • Microsoft CHAPv2 Capable: Unchecked

5. Click OK. Choose "Test" to verify the above configuration:

6. Select "Authentication." Enter the test user's username and password and append the token's OTP to the password in the Password field, then press "OK."

Cisco Network Client Access Configuration

1. Locate "Network (Client) Access" on Remote Access VPN and select your "Connection Profile."
2. Under Authentication, choose Method: AAA and AAA Server Group: GreenRADIUS, then "OK."

3. We have successfully configured your Cisco ASA Remote Access VPN with GreenRADIUS. Now, just connect from a client machine by appending the token's OTP to the password.