06-13-2012 07:40 AM
Hello,
I've got a problem. I currently have an AnyConnect profile/tunnel-group which works as follows (this part is not the problem):
Well, above were just some explanations. It works perfectly with the Cisco AnyConnect client or any Cisco SSL-VPN compliant client (openconnect under Linux, for instance).
The problem is, this doesn't work with IPsec clients, and I don't know exactly why. On the ASA, the connection profile is all right for AnyConnect and for IPsec/IKEv1. The difference is the configuration: with IPsec/IKEv1, as we use it, you need to enter a pre-shared key, and the configuration for the client is not the same (you need to enter a tunnel-group, and the pre-shared key as the one on the IPsec/IKEv1 connection profile). But the system of "group-policy attribution from a RADIUS attribute" doesn't work with such IPsec clients.
Logs say something like: "not possible to attribute an IP address ...", as it doesn't place the user in the right group-policy.
Resolved: it was a RADIUS issue! With the IPsec protocol it seems that it didn't return the group from the LDAP database, but a default attribute from the users file. That's now fixed.
Thanks
Marc
06-18-2012 12:05 AM
Fixed.
10-27-2012 10:17 AM
Hi Marc,
Where did you find the AV pairs for Group-Policy selection?
I'm trying to set up an NPS server that should return the value of Group Policy selection, but cannot find anything about what the AV pair should look like.
Can you help me out here?
Thanks
Uffe