L2TP/IPSEC with Group Authentication

Unanswered Question

Hello all,

I have successfully set up my ASA 5510 to accept L2TP connections from the built-in Windows XP/Vista VPN clients. What I am trying to get working now is to authenticate users along with their group names using the LOCAL database on the ASA (e.g. [email protected]). My tunnel-groups are set up using pre-shared keys, and so far I have had no luck in accomplishing this. When I do a debug on the connection, it always defaults to the DefaultRAGroup even though I specify a group using the [email protected] format on the client.

Can what I am trying to do even be done, and if so, how? Any suggestions are more than welcome!



vpancisco Tue, 11/17/2009 - 02:03

Hello,

I'm fighting against the same problem.

Did you resolve it?

vpancisco Thu, 11/26/2009 - 05:33

All right,

I found a way to bypass the DefaultRAGroup restriction for L2TP/IPsec clientless.

I use the AAA local user profile to manage a NAC ACL with a specific IP address/user,

and a Windows script

     to remove the default gateway mounted by the ASA so as to set up split tunneling

     and mount a route to the correct VLAN.

So I can redirect my users into their VLAN right to their NETWORK ACL.

But every user uses the same pre-shared key.

Regards

Because I was unable to find a solution to this problem, I opened an official TAC request through Cisco, and this is the answer I received:

L2TP over IPSEC connection will not fall on any defined tunnel-group unless there is an external auth-server. With LOCAL authentication it will always fall on DefaultRAGroup. Using Local authentication, you can create different VPN group-policies and can bind them with user-attributes. But it's usually a feasible option when you have around 20-40 users.

This is usually carried out with an External Authentication server database like AD, RADIUS.

Not that I have any reason to doubt Cisco's support, but can anybody confirm this? It seems like doing this should be a fairly simple task, but it sure doesn't seem to be working out that way.

Thanks
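As an added illustration of the approach the TAC answer describes (binding a group-policy to a LOCAL user rather than relying on tunnel-group selection), the ASA CLI fragment below is example configuration written for this edit; it is not from the thread, from the poster's ASA, or from Cisco. The names GP_SALES, GP_DEFAULT, SALES_IN, the user alice, the password placeholder and the 10.10.0.0/24 network are all assumed placeholders.

```cisco
! --- Per-group settings live in a group-policy (assumed name GP_SALES) ---
access-list SALES_IN extended permit ip any 10.10.0.0 255.255.255.0
group-policy GP_SALES internal
group-policy GP_SALES attributes
 vpn-tunnel-protocol l2tp-ipsec
 vpn-filter value SALES_IN
 dns-server value 10.10.0.5

! --- Restrictive policy that DefaultRAGroup hands out when no user override exists ---
group-policy GP_DEFAULT internal
group-policy GP_DEFAULT attributes
 vpn-simultaneous-logins 0

! --- LOCAL user; the mschap keyword stores the password so MS-CHAPv2 can succeed over PPP ---
! (CHANGEME-PLACEHOLDER is a placeholder, not a real credential)
username alice password CHANGEME-PLACEHOLDER mschap
username alice attributes
 vpn-group-policy GP_SALES
 service-type remote-access

! --- With LOCAL auth every L2TP/IPsec session terminates here, so lock its defaults down ---
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group LOCAL
 default-group-policy GP_DEFAULT
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2

! --- Check after a client connects: the session should show
!     Tunnel Group : DefaultRAGroup and Group Policy : GP_SALES ---
! show vpn-sessiondb detail remote
```

The per-user vpn-group-policy overrides the tunnel-group's default-group-policy, so the user still lands in DefaultRAGroup (as TAC states) but inherits the ACL, DNS and other attributes of GP_SALES; pointing the tunnel-group default at a policy with vpn-simultaneous-logins 0 means an account with no explicit binding cannot connect at all. Note that this does not change the PSK situation raised above: every L2TP/IPsec client still authenticates IKE phase 1 with the single pre-shared key on DefaultRAGroup, and per-user credentials are only checked at the PPP stage. The ASA's split-tunnel attributes are not applied by the native Windows L2TP client either; split tunneling for that client is controlled on the Windows side (the "Use default gateway on remote network" adapter setting), which is what the route script in the earlier reply works around.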
