VPN – Cisco ASA

In this topic, you will learn how to configure Cisco ASA to work together with Portnox™ Cloud and 802.1X RADIUS authentication for VPN connections.

Important: This guide provides general instructions for integrating Portnox Cloud with specific third-party devices. While we aim to provide helpful examples for commonly used models, configurations may vary across manufacturers, models, and environments. As a result, we cannot guarantee that these steps will work in every scenario. For questions or issues related to RADIUS setup – which is an industry standard and not specific to Portnox – or device-specific settings and troubleshooting, we recommend consulting the device manufacturer’s documentation and contacting their support team. While Portnox Support is happy to assist where possible, please note that detailed configuration of third-party devices is typically best handled by the manufacturer.
Warning: This topic contains documentation prepared by our support agents more than 12 months ago. It may not cover the newest models or the newest interfaces of NAS devices. We’re working on bringing you updated documentation for NAS devices in the near future. However, the methods of setting up third-party devices may still change when the manufacturers update their firmware or release new models.
  1. Create a RADIUS server group by navigating to Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups and clicking on Add.

  2. In the Add AAA Server Group window that appears:

    1. Specify a name for the AAA Server Group.
    2. In Protocol, select RADIUS.
    3. Enter a Realm-id.
  3. Select the AAA server group you created, and in the Servers in the Selected Group section, click on Add.

  4. In the Edit AAA Server window that appears:

    1. Enter the cloud RADIUS details: the IP address, the authentication port, the accounting port, and the shared secret.
    2. Update the Timeout to 30 seconds.
    3. Verify that the Microsoft CHAPv2 Capable checkbox is checked.
    4. Click on OK.
  5. Navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles, and in the Connection Profiles section, click on Add.

  6. In the Edit AnyConnect Connection Profile window that appears:

    1. Go to the Basic tab.
    2. Specify a Name for the connection profile.
    3. Specify Aliases for the connection profile.
    4. Select the AAA server group that was created earlier.
    5. Select Client Address Pools.
    6. Check the Enable SSL VPN client protocol checkbox.
    7. Specify DNS servers.
    8. Specify Domain Name.
    9. Go to the Advanced tab.
    10. Check the Enable password management checkbox.
    11. Click on Apply.

  7. Verify that:

    1. In the Access Interfaces section, the Enable Cisco AnyConnect VPN Client access on the interface selected in the table below checkbox is checked.
    2. In the Login Page Settings section, the Allow user to select connection profile on the login page checkbox is checked.