Setting up an L2TP VPN

JustinShea
Level 1

I have been trying to set up an L2TP VPN for a customer on an ASA 5505. I set up the Active Directory AAA Server and tested it, and it seems to work (authentication and authorization both succeed, and I am able to pull a list of Group Names). Then I set up the Clientless L2TP VPN through the Wizard, which at first seemed to work, as the log indicated that Phase 1 and Phase 2 were successful for the connection, but the Windows 7 client I'm trying to connect with always comes back with Error 691: Username or Password not recognized. The two users I've tried to log in as are both members of the VPN Access group, and if I use their respective usernames/passwords in the AAA Server's Test dialog, they authenticate successfully. Any help or ideas would be greatly appreciated. Below I will include the configuration for the ASA. Also of note is that this ASA already has a fully functional IPSec Site-to-Site tunnel that works correctly, and there is probably a lot of extra garbage in the VPN configuration that doesn't need to be there, as other hands have been tinkering with this device trying to get the VPN to work. Thanks in advance.

: Saved
:
ASA Version 8.2(5)
!
hostname CYLON-CONTROLS-01
domain-name cylonenergy.local
enable password rTzJdPJDxaMe6sUX encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 50.79.172.129 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 10
 ip address 10.10.0.1 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.20.4
 domain-name cylonenergy.local
object-group service ElutionsTCP tcp
 port-object eq 3024
 port-object eq 3026
 port-object eq 3028
object-group service ElutionsUDP udp
 port-object range 1 65535
object-group service DM_INLINE_TCP_1 tcp
 group-object ElutionsTCP
 port-object eq www
object-group service BacNet47808 udp
 port-object eq 47808
object-group service L2TP-IPSec udp
 port-object eq 1701
access-list wan-in extended permit esp any any
access-list wan-in extended permit udp any any eq 1701
access-list wan-in extended permit udp any any eq isakmp
access-list wan-in extended permit tcp any host 50.79.172.131 eq sip
access-list wan-in extended permit tcp any host 50.79.172.131 eq 5061
access-list wan-in extended permit udp any host 50.79.172.131 eq sip
access-list wan-in extended permit udp any host 50.79.172.131 eq 5061
access-list wan-in extended permit udp any host 50.79.172.131 range 30000 30999
access-list wan-in extended permit tcp any host 50.79.172.131 eq www
access-list wan-in extended permit tcp any host 50.79.172.131 eq https
access-list wan-in extended permit tcp any host 50.79.172.131 eq 8000
access-list wan-in extended permit icmp any host 50.79.172.131
access-list wan-in extended permit tcp any host 50.79.172.131 eq 7117
access-list wan-in extended permit tcp any host 50.79.172.131 eq 7100
access-list wan-in extended permit tcp any host 50.79.172.131 eq 7134
access-list wan-in extended permit tcp any host 50.79.172.131 eq 7505
access-list wan-in extended permit tcp any host 50.79.172.130 eq 3389
access-list wan-in extended permit tcp any host 50.79.172.132 object-group DM_INLINE_TCP_1
access-list wan-in extended permit udp any host 50.79.172.132 object-group ElutionsUDP
access-list wan-in extended permit udp any any object-group BacNet47808
access-list nonat extended permit ip 192.0.0.0 255.0.0.0 20.0.0.0 255.255.255.0
access-list split standard permit 192.168.20.0 255.255.255.0
access-list acl extended permit ip 192.168.0.0 255.255.255.0 30.0.0.0 255.255.255.0
access-list acl extended permit ip 192.168.0.0 255.255.0.0 30.0.0.0 255.255.255.0
access-list acl extended permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list acl extended permit ip 192.168.20.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list acl extended permit ip any 192.168.120.0 255.255.255.0
access-list ac extended permit ip 30.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_access_in extended permit udp any any object-group BacNet47808
access-list inside_access_in extended permit ip 192.168.20.0 255.255.255.0 any log disable
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool NHVPNClients 192.168.120.100-192.168.120.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list acl
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (outside,inside) 192.168.20.4 50.79.172.130 netmask 255.255.255.255
static (outside,inside) 192.168.20.90 50.79.172.132 netmask 255.255.255.255
static (inside,outside) 50.79.172.132 192.168.20.91 netmask 255.255.255.255
static (inside,outside) 50.79.172.131 192.168.20.250 netmask 255.255.255.255
static (inside,outside) 192.168.20.250 50.79.172.131 netmask 255.255.255.255
static (inside,outside) 50.79.172.130 192.168.20.4 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group wan-in in interface outside
route outside 0.0.0.0 0.0.0.0 50.79.172.134 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
 action terminate
dynamic-access-policy-record VpnADAccessPolicy
aaa-server ActiveDirectory protocol ldap
aaa-server ActiveDirectory (inside) host 192.168.20.4
 ldap-base-dn dc=cylonenergy, dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=admin,cn=users,dc=cylonenergy,dc=local
 server-type microsoft
 ldap-attribute-map Dial-In-Permisions
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set Firebox esp-3des esp-sha-hmac
crypto ipsec transform-set tset esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn 1 set transform-set tset
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA TRANS_ESP_DES_SHA TRANS_ESP_3DES_MD5 TRANS_ESP_DES_MD5
crypto map cmap 1 match address outside_1_cryptomap
crypto map cmap 1 set pfs
crypto map cmap 1 set peer 89.101.141.61 87.192.230.97
crypto map cmap 1 set transform-set ESP-3DES-SHA
crypto map cmap 1 set security-association lifetime seconds 86400
crypto map cmap 1 set security-association lifetime kilobytes 1288000
crypto map cmap 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map cmap interface inside
crypto map cmap interface outside
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp enable dmz
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 2
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 32
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 34
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 36
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 38
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 192.168.20.4 255.255.255.255 inside
telnet timeout 5
ssh 192.168.20.0 255.255.255.0 inside
ssh 30.0.0.2 255.255.255.255 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 10.10.0.2-10.10.0.32 dmz
dhcpd dns 75.75.76.76 75.75.75.75 interface dmz
dhcpd enable dmz
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.20.4
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value cylonenergy.local
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.20.4
 vpn-idle-timeout 60
 vpn-tunnel-protocol IPSec svc
 default-domain value cylonenergy.local
username paddy.gunn password E8uRHkYxXMJQht9e encrypted privilege 15
username everett.dickey password ZYGl25WJpqEhPiF5 encrypted
username mike.rizzo password NTDUfLOG63gK.HOS encrypted
username Administrator password Sx7aRmMH/KdSBL3R encrypted privilege 15
username Administrator attributes
 vpn-group-policy DefaultRAGroup
username cisco password U9jfi27.up5bKt1T encrypted
username marina.greene password ATIKCHPPDcQXkpWa encrypted
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 20 retry 10
tunnel-group DefaultRAGroup general-attributes
 address-pool NHVPNClients
 authentication-server-group ActiveDirectory LOCAL
 default-group-policy DefaultRAGroup
 strip-realm
 strip-group
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
 peer-id-validate cert
 isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 isakmp keepalive threshold 20 retry 10
tunnel-group 87.192.230.97 type ipsec-l2l
tunnel-group 87.192.230.97 ipsec-attributes
 pre-shared-key *****
tunnel-group 89.101.141.61 type ipsec-l2l
tunnel-group 89.101.141.61 ipsec-attributes
 pre-shared-key *****
tunnel-group-map default-group remote
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:4309d396bf5e8276337e17011f9b2aec
: end
asdm location 50.79.172.129 255.255.255.255 inside
asdm location 192.168.20.4 255.255.255.255 inside
asdm location 50.79.172.130 255.255.255.255 inside
no asdm history enable
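Editor's note: the posted configuration has the L2TP/IPsec tunnel-group (DefaultRAGroup) authenticating against an LDAP aaa-server with PPP set to MS-CHAPv2 only, and it also carries several legacy IKEv1 policies and transform sets (DES, MD5, DH group 1) plus cleartext telnet management. The script below is an added example, not part of the original post and not Cisco's code: a small linter that reads an ASA running-config in `show running-config` layout (sub-commands indented by one space, as the reformatted dump above is laid out) and flags those settings. `SAMPLE_CONFIG` is a constructed excerpt modelled on the post, not a device dump. The last check encodes the ASA requirement, as documented by Cisco for L2TP/IPsec with LDAP, that MS-CHAPv2 against an LDAP server needs `password-management` under the tunnel-group's general-attributes (without it the ASA can only perform a plain LDAP bind, i.e. PAP); treat that mapping to this specific device as an assumption to verify against the release notes for the ASA version in use. 3DES and SHA-1 are deliberately not flagged here so the output stays focused on the clearly broken algorithms; tighten `WEAK_IKE`/`WEAK_ESP` for a stricter baseline.

```python
"""Lint an ASA running-config for legacy IKEv1/IPsec settings and for an
L2TP/IPsec tunnel-group doing MS-CHAPv2 against LDAP without password-management.
Added example; not from the original post and not Cisco code."""

# Constructed excerpt modelled on the posted configuration (not a real device dump).
SAMPLE_CONFIG = """\
aaa-server ActiveDirectory protocol ldap
aaa-server ActiveDirectory (inside) host 192.168.20.4
 ldap-base-dn dc=cylonenergy, dc=local
 server-type microsoft
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 36
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
telnet 192.168.20.4 255.255.255.255 inside
telnet timeout 5
tunnel-group DefaultRAGroup general-attributes
 address-pool NHVPNClients
 authentication-server-group ActiveDirectory LOCAL
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
"""

# Settings flagged as weak; 3DES/SHA-1 are left alone on purpose (see lead-in).
WEAK_IKE = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}
WEAK_ESP = {"esp-des", "esp-md5-hmac"}


def parse_blocks(text):
    """Group a config into (command, [sub-commands]) using show-run indentation:
    a line starting with whitespace belongs to the preceding unindented line."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and '!' separators
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def lint(text):
    """Return a list of human-readable findings for the config text."""
    findings = []
    ldap_servers = set()
    tunnel_groups = {}  # name -> {section: [sub-commands]}
    for header, children in parse_blocks(text):
        words = header.split()
        if words[0] == "aaa-server" and "protocol" in words and words[-1] == "ldap":
            ldap_servers.add(words[1])  # remember which server groups are LDAP
        elif header.startswith("crypto isakmp policy"):
            # "encryption des" -> {"encryption": "des"}; one-word children are ignored
            settings = dict(c.split(None, 1) for c in children if " " in c)
            weak = [f"{k} {settings[k]}" for k, bad in WEAK_IKE.items()
                    if settings.get(k) in bad]
            if weak:
                findings.append(f"{header}: weak IKEv1 settings ({', '.join(weak)})")
        elif header.startswith("crypto ipsec transform-set"):
            bad = [w for w in words[4:] if w in WEAK_ESP]  # words[3] is the set name
            if bad:
                findings.append(f"{header}: weak ESP algorithms ({', '.join(bad)})")
        elif words[0] == "telnet" and words[1] != "timeout":
            findings.append(f"{header}: cleartext telnet management enabled")
        elif words[0] == "tunnel-group" and len(words) > 2:
            tunnel_groups.setdefault(words[1], {}).setdefault(words[2], []).extend(children)

    # Assumption (Cisco-documented requirement for L2TP/IPsec + LDAP): MS-CHAPv2
    # needs password-management in general-attributes, otherwise only PAP can work.
    for name, sections in tunnel_groups.items():
        general = sections.get("general-attributes", [])
        ppp = sections.get("ppp-attributes", [])
        auth_groups = [c.split()[1] for c in general
                       if c.startswith("authentication-server-group ")]
        uses_ldap = any(g in ldap_servers for g in auth_groups)
        mschapv2 = any(c.startswith("authentication ms-chap-v2") for c in ppp)
        pw_mgmt = any(c.startswith("password-management") for c in general)
        if uses_ldap and mschapv2 and not pw_mgmt:
            findings.append(f"tunnel-group {name}: MS-CHAPv2 over LDAP without password-management")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved `show running-config` (copied with its indentation intact) to get one line per finding; the parser only relies on the one-space sub-command indentation the ASA emits, so it handles the full dump, not just the excerpt.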