The other day I was configuring a test VPN 3000 with external groups that are configured on a RADIUS server, let's call one group SALES with group password 1234, which I have configured on the VPN 3000 as 'external' as well. I've assigned a few users to this group (call them Jack and Mary). So far no users can authenticate successfully (authentication fail).
After spending hours troubleshooting the problem, I configured a new user whose name is SALES and password is 1234 (same as the group) and assigned to group sales, got that config from a template. After doing so, Jack and Mary can authenticate and establish the tunnel.
The problem is fixed now but my question is why is this requirement? Does this mean that with every external group I create, I have to create a user with the same name as that group and assign it to the group so that the rest of the users in that group can authenticate normally?
I tried looking for answers on the web but so far I've found none.
Any explanation would be appreciated.
Yes this is the way its done. You need to add the 'external' group define on the VPNC/ASA as a 'user' on the ACS. It is used to authenticate the 'group' name/password itself. Have a look at: