
Using multiple group policies with L2TP over IPSec on Cisco ASA?

ryabutler
Level 1

Hi,

I have a question about something which I'm not sure a Cisco ASA setup with L2TP/IPSec can accomplish.

Right now I have a Cisco ASA set up for L2TP over IPSec with LDAP authentication working. We are also using a pre-shared key.

What I want is to set up different group policies on the Cisco ASA that are mapped to a particular LDAP group. These group policies will have different split tunnel lists (or filters) for what networks a user can access based on the group they are assigned to.

I know this is possible with SSL VPN and Client IPSec.

Is this possible with a L2TP/IPsec setup on a Cisco ASA? If so, what configuration do I need to accomplish this?

Thank you!

-rya

3 Replies

rvarelac
Level 7

Hi Rya, 

Yes, this would be possible using the LDAP mapping feature; check the document below for the configuration and guide.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html

Hope it helps

-Randy-

Peter Koltl
Level 7

Hi Rya,

I'm just testing L2TP/IPsec/LDAP with ASA 9.5(1) and it sends no LDAP requests, which seems to be a bug. What is your software version? I need a working (not very old) version.

Thanks,

Péter

Peter Koltl
Level 7

OK, the reason it did not send any requests was that the client and the ASA could not negotiate a common PPP auth protocol over L2TP (CHAP or PAP or MSCHAPv2...).