We have a pair of 5520s and have just enabled the webvpn. What we would like to do is use RADIUS (Class attribute OU=groupname) to lock a user to their VPN group when one connects and successfully authenticates with the webvpn. We currently authenticate users with the VPN client successfully, but without the Class attribute, and rely on PCF configs for the group assignment.
We would like to have it where a user can log in on the webvpn and not have to choose what group they belong to. As it currently stands, our tests show that if you:
This will cause the user's tunnel group to be assigned as the default 'DefaultWEBVPNGroup' and the policy group default of 'DfltGrpPolicy'.
My questions are:
1) How do you change the default tunnel policy to be something other than DefaultWEBVPNGroup?
2) How do you tell the ASA to use the 'Class' attribute from the RADIUS server for the webvpn authenticated user?
We use FreeRADIUS on a Linux box.