1-5
Cisco ASA Series CLI Configuration Guide
 
Chapter 1      Configuring IP Addresses for VPNs
Configuring AAA Addressing
To use a AAA server to assign addresses for VPN remote access clients, you must first configure a AAA 
server or server group. See the aaa-server protocol command in the command reference and the 
“Configuring AAA Server Groups” section on page 1-11.
In addition, the user must match a connection profile configured for RADIUS authentication.
The following examples illustrate how to define a AAA server group called RAD2 for the tunnel group 
named firstgroup. The procedure includes one more step than is necessary, because you might already have 
named the tunnel group and defined the tunnel group type. That step appears in the following example as a 
reminder that you have no access to subsequent tunnel-group commands until you set these values.
An overview of the configuration that these examples create follows:
hostname(config)# vpn-addr-assign aaa
hostname(config)# tunnel-group firstgroup type ipsec-ra 
hostname(config)# tunnel-group firstgroup general-attributes
hostname(config-general)# authentication-server-group RAD2
To configure AAA for IP addressing, perform the following steps:
Step 1 To configure AAA as the address assignment method, enter the vpn-addr-assign command with the aaa 
argument:
hostname(config)# vpn-addr-assign aaa
hostname(config)#
Step 2 To establish the tunnel group called firstgroup as a remote access or LAN-to-LAN tunnel group, enter 
the tunnel-group command with the type keyword. The following example configures a remote access 
tunnel group.
hostname(config)# tunnel-group firstgroup type ipsec-ra 
hostname(config)#
Step 3 To enter general-attributes configuration mode, which lets you define a AAA server group for the tunnel 
group called firstgroup, enter the tunnel-group command with the general-attributes argument.
hostname(config)# tunnel-group firstgroup general-attributes
hostname(config-general)#
Step 4 To specify the AAA server group to use for authentication, enter the authentication-server-group 
command. 
hostname(config-general)# authentication-server-group RAD2
hostname(config-general)#
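The check below is an added example, not part of the Cisco guide: it audits ASA configuration text for the prerequisites of this procedure, namely that each remote access tunnel group names an authentication server group and that the group is defined with the aaa-server protocol command as RADIUS. The sample configuration is constructed; secondgroup, thirdgroup and RAD9 are invented names, and the parser assumes the indented sub-command layout of saved configuration text.

```python
import re

# Constructed sample configuration (not from the guide). RAD2 and firstgroup
# follow the guide's example; secondgroup, thirdgroup and RAD9 are invented.
SAMPLE_CONFIG = """\
aaa-server RAD2 protocol radius
vpn-addr-assign aaa
tunnel-group firstgroup type ipsec-ra
tunnel-group firstgroup general-attributes
 authentication-server-group RAD2
tunnel-group secondgroup type ipsec-ra
tunnel-group secondgroup general-attributes
 authentication-server-group RAD9
tunnel-group thirdgroup type ipsec-ra
"""

def audit_aaa_addressing(config: str) -> list[str]:
    """Return findings where the AAA addressing prerequisites are not met."""
    servers = dict(re.findall(r"^aaa-server (\S+) protocol (\S+)", config, re.M))
    types = dict(re.findall(r"^tunnel-group (\S+) type (\S+)", config, re.M))
    findings = []
    if re.search(r"^no vpn-addr-assign aaa\s*$", config, re.M):
        findings.append("global: AAA address assignment is explicitly disabled")
    # Track which general-attributes block each indented sub-command belongs to.
    auth_group, current = {}, None
    for line in config.splitlines():
        m = re.match(r"tunnel-group (\S+) general-attributes", line)
        if m:
            current = m.group(1)
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the block
        elif current:
            m = re.match(r"\s+authentication-server-group\s+(?:\(\S+\)\s+)?(\S+)", line)
            if m:
                auth_group[current] = m.group(1)
    for name, kind in types.items():
        if kind not in ("ipsec-ra", "remote-access"):
            continue  # only remote access groups receive client addresses
        group = auth_group.get(name)
        if group is None:
            findings.append(f"{name}: no authentication-server-group set")
        elif group not in servers:
            findings.append(f"{name}: server group {group} is not defined")
        elif servers[group] != "radius":
            findings.append(f"{name}: server group {group} uses {servers[group]}, not radius")
    return findings
```

Run it over configuration backups after changes; on the constructed sample it reports secondgroup (undefined server group) and thirdgroup (no server group) while firstgroup passes.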
Firewall Mode            Security Context
Routed   Transparent     Single   Multiple Context   Multiple System
•        —               •        —                  —