
ASA RemoteVPN - ConnectionProfile and Group Policy do not match

rwchenow
Level 1

ASA - 8.0(4)

I've set up several different VPN profiles in the past for access to different sets of hosts. Some are LOCAL user authentication, some are RADIUS.

I am now trying to set up an IPSec Connection Profile using RADIUS authentication. When I connect and authenticate, I found the ASA is not using the Group Policy I set up to select traffic to my hosts. It is using a Group Policy I use for maintenance that gives carte blanche access to all my inside addresses.

I checked everything along the line, and I have specified the correct split-tunnel ACL and filtering ACL in the connection profile.

The other strange thing is I created a testID on the ASA, and set the connection profile to LOCAL authentication - it connects using the correct/matching group policy and I can access the 3 hosts as configured.

Is there something I'm missing trying to use RADIUS? Why would it pull a different group policy?

Thanks,

-Roy-

4 Replies

andrew.prince
Level 10

Roy,

Have you configured the RADIUS server group & settings, and configured specific RADIUS servers to be in that group correctly?

Thanks Andrew. That was the hint I needed. We have so few VPN users, I forget what I did the last time. Guess it's time to write up a procedure.

Thanks,

-Roy-

np - glad to help

Herbert Baerten
Cisco Employee

Is the RADIUS server configured to send the IETF "Class" attribute? If so, then the ASA will use that as the group-policy.

If you want to check what happens:

debug crypto isakmp 200

debug radius

If you'd like us to have a look, please post your config and the above debugs.

hth

Herbert
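
The Class-attribute behaviour described in the last reply can be checked offline against a captured RADIUS Access-Accept. The following is an added example, not code from the thread or from Cisco: it parses the RFC 2865 attribute list, extracts attribute 25 (Class) and reports whether it names a group policy other than the one set on the connection profile. The policy names `MAINT-GP` and `HOSTS-GP`, the helper names and the `OU=<name>;` wrapper around the Class value are assumptions, and the sample packet is constructed.

```python
import struct

ACCESS_ACCEPT = 2   # RADIUS packet code, RFC 2865
ATTR_CLASS = 25     # IETF "Class" attribute, RFC 2865 section 5.25

def radius_attributes(packet: bytes):
    """Yield (type, value) for every attribute TLV in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("length field does not fit the packet")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def class_group_policy(packet: bytes):
    """Group-policy name carried in Class of an Access-Accept, else None."""
    attrs = list(radius_attributes(packet))   # validates the whole packet first
    if packet[0] != ACCESS_ACCEPT:
        return None
    for atype, value in attrs:
        if atype == ATTR_CLASS:
            text = value.decode("ascii", "replace").strip()
            if text.upper().startswith("OU="):   # assumed "OU=<name>;" wrapper
                text = text[3:]
            return text.rstrip(";")
    return None

def overrides_profile(packet: bytes, profile_policy: str) -> bool:
    """True when Class names a policy other than the connection profile's."""
    name = class_group_policy(packet)
    return name is not None and name != profile_policy

def build_accept(attrs):
    """Constructed Access-Accept for the demo (zeroed authenticator)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

# Constructed sample: Class plus Service-Type; policy names are hypothetical.
SAMPLE = build_accept([(ATTR_CLASS, b"OU=MAINT-GP;"), (6, b"\x00\x00\x00\x02")])
if __name__ == "__main__":
    print(class_group_policy(SAMPLE), overrides_profile(SAMPLE, "HOSTS-GP"))
```

A `True` result for a restricted connection profile means the RADIUS server, not the profile, is deciding which group policy and therefore which ACLs the user receives.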