ASA RemoteVPN - ConnectionProfile and Group Policy do not match

Oct 15th, 2009

ASA - 8.0(4)

I've set up several different VPN profiles in the past for access to different sets of hosts. Some are LOCAL user authentication, some are RADIUS.

I am now trying to set up an IPSec Connection Profile using RADIUS authentication. When I connect and authenticate, I found the ASA is not using the Group Policy I set up to select traffic to my hosts. It is using a Group Policy I use for maintenance that gives carte blanche access to all my inside addresses.

I checked everything along the line, and I have specified the correct split-tunnel ACL and filtering ACL in the connection profile.

The other strange thing is I created a test ID on the ASA and set the connection profile to LOCAL authentication - it connects using the correct/matching group policy and I can access the 3 hosts as configured.

Is there something I'm missing trying to use RADIUS? Why would it pull a different group policy?



rwchenow Fri, 10/16/2009 - 11:10

Thanks Andrew. That was the hint I needed. We have so few VPN users, I forget what I did the last time. Guess it's time to write up a procedure.



Herbert Baerten (Cisco Employee) Fri, 10/16/2009 - 02:30

Is the RADIUS server configured to send the IETF "Class" attribute? If so, then the ASA will use that as the group policy.

If you want to check what happens:

debug crypto isakmp 200

debug radius

If you'd like us to have a look, please post your config and the above debugs.
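As an added illustration of the behaviour Herbert describes (this is not code from the thread or from Cisco): the script below builds two constructed RADIUS Access-Accept packets, verifies the Response Authenticator against the shared secret as RFC 2865 specifies, decodes the attribute TLVs, and reports which group policy an ASA would end up applying. It assumes the Cisco-documented convention that the ASA reads a Class (attribute 25) value of the form `OU=<group-policy-name>;` as the group policy to apply, and falls back to the tunnel-group's default-group-policy when no Class is returned. The group policy names `MAINT-POLICY` and `RADIUS-3HOSTS`, the shared secret, and the packet contents are all made up for the example; they stand in for whatever `debug radius` would show on the poster's ASA.

```python
"""Decode a constructed RADIUS Access-Accept and show the group policy an ASA would pick.

Added example; the packets, secret and group policy names below are made up.
"""
import hashlib
import hmac
import struct

RADIUS_ACCESS_ACCEPT = 2
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_FILTER_ID = 11
ATTR_CLASS = 25  # IETF "Class" attribute; ASA reads "OU=<group-policy>;" from it


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """Build an Access-Accept; attributes is a list of (type, value_bytes).

    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) (RFC 2865 s.3).
    """
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attributes)
    header = struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def verify_response_authenticator(packet, request_authenticator, secret):
    """True if the Accept was produced by a server holding the shared secret."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(packet):
    """Walk the TLVs after the 20-byte header; reject truncated or malformed ones."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length > len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return attrs


def group_policy_from_class(attrs):
    """Return the group policy named in a Class attribute of the form OU=<name>;, else None."""
    for t, v in attrs:
        if t == ATTR_CLASS:
            text = v.decode("ascii", "replace")
            if text.startswith("OU="):
                return text[3:].split(";", 1)[0]
    return None


def effective_group_policy(attrs, tunnel_group_default):
    """What the ASA applies: a Class-supplied policy wins over the tunnel-group default."""
    return group_policy_from_class(attrs) or tunnel_group_default


# Constructed sample data: a request authenticator, a shared secret and two Accepts.
REQUEST_AUTH = bytes(range(16))
SECRET = b"constructed-secret"

# Server sends Class = "OU=MAINT-POLICY;" -> overrides the connection profile's group policy.
ACCEPT_WITH_CLASS = build_access_accept(1, REQUEST_AUTH, SECRET, [
    (ATTR_FRAMED_IP_ADDRESS, bytes([10, 1, 1, 50])),
    (ATTR_CLASS, b"OU=MAINT-POLICY;"),
])

# Server sends no Class -> ASA falls back to the tunnel-group's default-group-policy.
ACCEPT_WITHOUT_CLASS = build_access_accept(2, REQUEST_AUTH, SECRET, [
    (ATTR_FRAMED_IP_ADDRESS, bytes([10, 1, 1, 51])),
    (ATTR_FILTER_ID, b"vpn-3hosts-filter"),
])


def report(packet, tunnel_group_default="RADIUS-3HOSTS"):
    """Summarise one Accept the way a practitioner would check a debug radius capture."""
    if not verify_response_authenticator(packet, REQUEST_AUTH, SECRET):
        return "Response Authenticator mismatch: wrong secret or forged reply"
    attrs = parse_attributes(packet)
    return "Class=%r -> applied group policy %s" % (
        group_policy_from_class(attrs), effective_group_policy(attrs, tunnel_group_default))


if __name__ == "__main__":
    print(report(ACCEPT_WITH_CLASS))
    print(report(ACCEPT_WITHOUT_CLASS))
```

Run it and the first line shows the maintenance policy being pulled in purely because the RADIUS server returned it in Class, which is exactly the symptom in the question; the second shows the profile's own policy being used once Class is absent. The fix on the RADIUS side is therefore either to drop the Class attribute for these users or to set it to `OU=<the intended group policy>;`.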



