ASA L2TP/IPSec VPN using RADIUS and Identity-based ACL

GREShtl22
Level 1

Hello,
I’ve got a problem with my ASA 5510 and my L2TP/IPSec VPN.

In my environment, there is an Active Directory domain controller, a RADIUS server (NPS) and the ASA 5510 (Version 9.1(5)21). The ASA is configured to authenticate the users using EAP-PROXY against the RADIUS server, which uses PEAP-MSCHAPv2. That's already working so far.

The problem arises when I try to configure an ACE for the filter of the Group Policy, which filters based upon the user. When I check the VPN statistics using the ASDM, I see the session and ASDM tells me that the username is <Netbios-Name>\<USER>. Under the ACL tab there is an ACL “access-list VPN line 1 extended permit ip user is <Netbios-Name>\<USER> any any (hitcnt=0) <Hex-Number>”, but for some reason the ACLs based on users aren’t hit. If I replace the <Netbios-Name>\<USER> in the ACL with LOCAL\<User> and authenticate with <USER> (the NPS still figures out how to authenticate the user against the AD) instead of <Netbios-Name>\<USER>, the ACLs do get hit. How can I tell the ASA that the authenticated users are domain users, so that the ACLs do get hit?

Unfortunately, domain user groups don’t work at all, probably because the LDAP server reports the group members as <Netbios-Name>\<USER>, which then doesn’t work due to the first problem.

I do not want to use LDAP directly to authenticate the users, even though the above two problems disappear if I do, because then I have to use PAP, which sends the password in plaintext.

Does someone here know how I could fix this?

With best regards
Alex

EDIT: When I log into the VPN using <Netbios-Name>\<USER>, the ASDM under Monitoring => Properties => Identity => Users shows the user as LOCAL\<Netbios-Name>\<USER>.
