10-15-2009 10:31 AM
ASA - 8.0(4)
I've set up several different VPN profiles in the past for access to different sets of hosts. Some are LOCAL user authentication, some are RADIUS.
I am now trying to set up an IPSec Connection Profile using RADIUS authentication. When I connect and authenticate, I found the ASA is not using the Group Policy I set up to select traffic to my hosts. It is using a Group Policy I use for maintenance that gives carte blanche access to all my inside addresses.
I checked everything along the line, and I have specified the correct split-tunnel ACL and filtering ACL in the connection profile.
The other strange thing is I created a test ID on the ASA and set the connection profile to LOCAL authentication - it connects using the correct/matching group policy and I can access the 3 hosts as configured.
Is there something I'm missing trying to use RADIUS? Why would it pull a different group policy?
Thanks,
-Roy-
10-16-2009 12:07 AM
Roy,
Have you configured the RADIUS server group and its settings, and configured the specific RADIUS servers to be in that group correctly?
10-16-2009 11:10 AM
Thanks Andrew. That was the hint I needed. We have so few VPN users, I forget what I did the last time. Guess it's time to write up a procedure.
Thanks,
-Roy-
10-17-2009 01:57 AM
np - glad to help
10-16-2009 02:30 AM
Is the RADIUS server configured to send the IETF "Class" attribute? If so, then the ASA will use that as the group-policy.
If you want to check what happens:
debug crypto isakmp 200
debug radius
If you'd like us to have a look, please post your config and the above debugs.
hth
Herbert
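The pieces Andrew and Herbert point at, as one added configuration example (not taken from Roy's config or from either reply; all names, addresses and keys below are assumed placeholders): a RADIUS server group, a group policy that restricts the user to three hosts, and a tunnel group (connection profile) that ties the two together. The ASA selects the group policy in this order: a Class attribute returned by RADIUS (value `OU=<group-policy-name>;`) overrides the tunnel group's default-group-policy, which in turn overrides the system DfltGrpPolicy. So a RADIUS server that returns `Class = "OU=GP-MAINT;"` would land the user in a maintenance policy no matter what the connection profile says.

```text
! --- RADIUS server group (the part Andrew asked about) ---
aaa-server VPN-RADIUS protocol radius
aaa-server VPN-RADIUS (inside) host 192.0.2.10
 key RadiusSharedSecret
 authentication-port 1812
 accounting-port 1813
!
! --- Split-tunnel list: only these three hosts are routed through the tunnel ---
access-list SPLIT-HOSTS standard permit host 10.1.1.10
access-list SPLIT-HOSTS standard permit host 10.1.1.11
access-list SPLIT-HOSTS standard permit host 10.1.1.12
!
! --- vpn-filter: source is the VPN client, destination is the permitted host;
!     the ASA also evaluates the reversed tuple for return traffic ---
access-list VPN-FILTER extended permit ip any host 10.1.1.10
access-list VPN-FILTER extended permit ip any host 10.1.1.11
access-list VPN-FILTER extended permit ip any host 10.1.1.12
!
! --- Restricted group policy; this is the name a RADIUS Class attribute
!     would have to carry as "OU=GP-HOSTS;" to select it explicitly ---
group-policy GP-HOSTS internal
group-policy GP-HOSTS attributes
 vpn-filter value VPN-FILTER
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-HOSTS
!
! --- IPsec remote-access connection profile using the RADIUS group above ---
tunnel-group IPSEC-HOSTS type remote-access
tunnel-group IPSEC-HOSTS general-attributes
 address-pool VPN-POOL
 authentication-server-group VPN-RADIUS
 default-group-policy GP-HOSTS
tunnel-group IPSEC-HOSTS ipsec-attributes
 pre-shared-key GroupPreSharedKey
```

Two checks worth running before touching the debugs: `test aaa-server authentication VPN-RADIUS host 192.0.2.10 username roy password <pw>` confirms the ASA can actually reach the server group with the configured key, and `show vpn-sessiondb remote` after a connection shows which group policy was applied; if it is not GP-HOSTS, `debug radius` will show the Class attribute (or the server group) responsible. On the server side, a FreeRADIUS `users` entry that deliberately selects this policy would carry `Class = "OU=GP-HOSTS;"` as a reply attribute; the hypothetical entry and attribute value are assumptions for illustration, not a claim about Roy's RADIUS server.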