Problems with ipsec remote access and external group policy

Jul 6th, 2008

I have an ASA that is using ACS as the RADIUS authentication server.

My problem is with VPN remote access.

When I configure group-policy external and use this policy as the default policy for the tunnel-group (I download the VPN attributes from the ACS), the ASA shows an authentication error, saying that the username or password is not valid.

On the other hand, when I use only the command "authentication-server-group", the VPN works fine.

Does anybody know why the group-policy external command is not working? I can't find any example on

Farrukh Haroon Mon, 07/07/2008 - 05:43

You have to understand the difference between the 'group-policy' and the 'tunnel-group'. Whatever you define on ACS takes care of the group-policy part. The tunnel-group part still needs to be taken care of on the ASA itself. This is how the ASA differs from the VPN Concentrator in a way. The default authentication is using the local database. To use RADIUS, you need to use the authentication-server-group command. Have a look at this link:
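
Added example, not part of the original thread or of any linked Cisco document: an ASA configuration sketch showing the split described in the reply, with the external group policy and the tunnel-group's `authentication-server-group` configured together. The names `ACS-RADIUS`, `EXT-POLICY` and `RA-VPN`, the address 192.0.2.10 and the bracketed secrets are placeholders.

```text
! Constructed example; all names, addresses and secrets are placeholders.
!
! RADIUS server group pointing at the ACS.
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 192.0.2.10
 key <radius-shared-secret>
!
! Group-policy part: the attributes are downloaded from the ACS.
! The ASA retrieves them with a RADIUS request that uses the policy name
! as the username and the password given here, so the ACS needs an
! account named EXT-POLICY with that password.
group-policy EXT-POLICY external server-group ACS-RADIUS password <policy-lookup-password>
!
! Tunnel-group part: configured on the ASA itself.
! Without authentication-server-group, users are checked against the
! LOCAL database, which is the default.
! (ASA 7.x uses "type ipsec-ra" instead of "type remote-access".)
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group ACS-RADIUS
 default-group-policy EXT-POLICY
tunnel-group RA-VPN ipsec-attributes
 pre-shared-key <group-pre-shared-key>
```

`show running-config tunnel-group` and `show running-config group-policy` confirm that both parts are present, and `test aaa-server authentication ACS-RADIUS` checks a user login against the ACS separately from the VPN.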



