WebVPN - ASA 7.2 - Tunnel Group - Two authentication method

Feb 22nd, 2007


I am using an ASA5520 for WebVPN and AAA authentication. AAA authentication is set on the default tunnel group. I have created a new tunnel group with local authentication.

At user level, I check "tunnel group lock" and choose the new tunnel group.

When I try to connect, the local password is denied but the AAA password is OK.

Has somebody already done this kind of conf? Is it possible to do this?

I didn't see in the Cisco documentation that it is not possible...



mchin345 Wed, 02/28/2007 - 08:55

I think it's possible to authenticate with the local username and password, but it depends on the tunnel group name and preshared key used in the Web VPN client.

obacati21 Mon, 03/05/2007 - 03:07

I succeeded in authenticating users with the local database OR the Radius database. But I need to authenticate some users with local authentication and others with Radius authentication in WebVPN mode.

I created two tunnel group policies and performed group lock in the user's definition, but it did not work. I was always challenged by the default policy.


kaachary Mon, 03/05/2007 - 03:14


For Group Lock to work, you need an external Radius server.

The Radius "Class" attribute 25 should have a field as "OU = groupname ".

This is how Group Lock is supposed to work. It doesn't work with Local AAA Authentication.

It will always default to Default Group Policy.

*Please rate if helped.


