Problems with IPsec remote access and external group policy

Unanswered Question
Jul 6th, 2008

Hi,

I have an ASA that is using ACS as the RADIUS authentication server.

My problem is with VPN remote access.

When I configure group-policy external and use this policy as the default policy for the tunnel-group (I download the VPN attributes from the ACS), the ASA shows an authentication error, saying that the username or password is not valid.

On the other hand, when I use only the command "authentication-server-group", the VPN works fine.

Does anybody know why the group-policy external command is not working? I can't find any example on cisco.com.

Farrukh Haroon Mon, 07/07/2008 - 05:43

You have to understand the difference between the 'group-policy' and the 'tunnel-group'. Whatever you define on ACS takes care of the group-policy part. The tunnel-group part still needs to be taken care of on the ASA itself. This is how the ASA differs from the VPN Concentrator in a way. The default authentication is using the local database. To use RADIUS, you need to use the authentication-server-group command. Have a look at this link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008080f2d1.shtml

Regards

Farrukh
