Since Mac OS X Snow Leopard (10.6), Apple has included a Cisco IPSec VPN client in the OS. In many environments where businesses deploy Open Directory (OD) as the main directory service for user authentication, it can be useful to also leverage it for VPN authentication, thereby reducing duplicate user account management.

Given an already-working Cisco VPN service (with AAA), the configuration to be added to the Cisco VPN router/concentrator is below.


  • Good working knowledge of Cisco IOS
  • Mac OS X Server version 10.6 or 10.7
  • Mac OS X (for client remote connections) version 10.6+

Note: Variables are listed inside angled brackets, e.g. <variable>

aaa authentication login <client_authentication_list_name> group radius local
aaa authorization network <isakmp_auth_list_name> local

If you have used CCP and its built-in wizards to configure the EasyVPN server, the client authentication list name might look like this:


And the isakmp authorization list name might look like this:


The isakmp profile should already exist if you have EasyVPN server configured and working:

crypto isakmp profile <ike_profile_name>
  match identity group <VPNGROUP>
  client authentication list <x_auth_list_name>
  isakmp authorization list <auth_list_name>
  client configuration address respond
  virtual-template 1

Add the RADIUS server information, including ports and unique RADIUS key:

radius-server host <OD_IP_ADDRESS> auth-port 1812 acct-port 1813 key <your_special_radius_key>

On your Mac OS X server, add the RADIUS client config to the RADIUS client file:


In the format of:

client <IP_OF_VPN_ROUTER> {
secret = <your_special_radius_key>
shortname = <arbitrary name to identify RADIUS client>

Manually start the RADIUS service via CLI:

sudo serveradmin start radius

The response from the server should be:

radius:state = "RUNNING"
radius:status = 0

You can monitor/debug RADIUS requests with

radius -X

You will now be able to authenticate VPN users against your Open Directory server!