10-30-2009 10:04 AM - edited 02-21-2020 04:22 PM
Hello all,
I have successfully set up my ASA 5510 to accept L2TP connections from the built-in Windows XP/Vista VPN clients. What I am trying to get working now is to authenticate users along with their group names using the LOCAL database on the ASA (e.g. username@tunnelgroup). My tunnel-groups are set up using pre-shared keys, and so far I have had no luck in accomplishing this. When I do a debug on the connection, it always defaults to the DefaultRAGroup even though I specify a group using the username@tunnelgroup format on the client.
Can what I am trying to do even be done and if so how? Any suggestions are more than welcomed!
11-17-2009 02:03 AM
hello
I'm fighting against the same problem.
Did you resolve it?
11-17-2009 06:37 AM
Unfortunately, I have not. I have gone to relying more on the Cisco VPN Client and traditional IPSEC methods. I would love to find a solution though.
11-17-2009 07:07 AM
all right thanks !
11-26-2009 05:33 AM
All right,
I found a way to bypass the DefaultRAGroup restriction for L2TP/IPSEC clientless.
I use the AAA local user profile to manage NAC ACLs with a specific IP/user,
and a Windows script
to remove the default gateway mounted by the ASA so as to set up split tunneling
and mount a route to the correct VLAN.
So I can redirect my users into their VLAN with the right NETWORK ACL.
But every user uses the same pre-shared key.
regards
01-11-2010 01:40 PM
Because I was unable to find a solution to this problem I opened an official TAC request through Cisco and this is the answer I received:
An L2TP over IPSEC connection will not fall on any defined tunnel-group unless there is an external auth-server. With LOCAL authentication it will always fall on DefaultRAGroup. Using Local authentication, you can create different VPN group-policies and bind them with user attributes. But it's usually only a feasible option when you have around 20-40 users.
This is usually carried out with External Authentication server database like AD, RADIUS.
Not that I have any reason to doubt Cisco's support, but can anybody confirm this? It seems like doing this should be a fairly simple task, but it sure doesn't seem to be working out that way.
Thanks
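The per-user group-policy binding that the TAC answer describes, written out as an added ASA configuration example; this is not from the thread or from any poster, and the names (SALES-GP, SALES-POOL, SALES-FILTER, the user alice, the passwords and the 10.x addresses) are invented placeholders. Every L2TP/IPsec session still terminates in DefaultRAGroup, so the single pre-shared key is shared by all users and the per-user policy is selected by the `vpn-group-policy` line under the username, not by a username@tunnelgroup suffix:

```text
! Added example, not from the original thread: ASA 8.x, L2TP/IPsec with
! LOCAL authentication and a per-user group-policy. All names are placeholders.

! Resources referenced by the department policy
ip local pool SALES-POOL 10.10.10.1-10.10.10.50 mask 255.255.255.0
access-list SALES-FILTER extended permit ip any 10.1.0.0 255.255.0.0

! Department group-policy; the tunnel-group itself stays DefaultRAGroup
group-policy SALES-GP internal
group-policy SALES-GP attributes
 vpn-tunnel-protocol l2tp-ipsec
 address-pools value SALES-POOL
 vpn-filter value SALES-FILTER
 dns-server value 10.1.0.10

! LOCAL users for L2TP/IPsec must be stored with the mschap keyword so the
! ASA can complete MS-CHAPv2 with the Windows client (plain hashes fail)
username alice password S3cret-Placeholder mschap
username alice attributes
 vpn-group-policy SALES-GP
 service-type remote-access

! All L2TP/IPsec sessions with LOCAL auth land here, sharing one PSK
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key Shared-PSK-Placeholder
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2

! Check which group-policy a connected user actually received
! show vpn-sessiondb remote filter name alice
```

Two practical caveats. First, because the tunnel-group is shared, anyone with the pre-shared key can start the IKE exchange; the per-user separation rests entirely on the MS-CHAPv2 credential and the `vpn-filter` ACL, so treat that PSK as a secret with the same blast radius as the whole VPN. Second, `split-tunnel-network-list` can be added to SALES-GP, but the native Windows L2TP client does not pick split-tunnel lists up from the ASA the way the Cisco VPN Client does, which is why the earlier post falls back to a client-side script that drops the pushed default gateway and adds a route to the right VLAN.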