Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2571
Views
0
Helpful
5
Replies

L2TP/IPSEC with Group Authentication

htcesh
Level 1
Level 1

‎10-30-2009 10:04 AM - edited ‎02-21-2020 04:22 PM

Hello all,

I have successfully setup my ASA 5510 to accept L2TP connections from the built in Windows XP/Vista VPN clients. What I am trying to get working now is to authenticate users along with their group names using the LOCAL database on the ASA. (Ex. username@tunnelgroup) My tunnelgroups are setup using pre-shared keys and so far I have had no luck in accomplishing this. When I do a debug on the connection is always defaults to the DefaultRAGroup even though I specify a group using the username@tunnelgroup format on the client.

Can what I am trying to do even be done and if so how? Any suggestions are more than welcomed!

Labels:
0 Helpful
5 Replies 5

vpancisco
Level 1
Level 1

‎11-17-2009 02:03 AM

hello

i'm fighting against the same probleme

did you resolve it ??

0 Helpful

htcesh
Level 1
Level 1
In response to vpancisco

‎11-17-2009 06:37 AM

Unfortunately, I have not. I have went to relying more on the Cisco VPN Client and traditional IPSEC methods. I would love to find a solution though.

0 Helpful

vpancisco
Level 1
Level 1
In response to htcesh

‎11-17-2009 07:07 AM

all right thanks !

0 Helpful

vpancisco
Level 1
Level 1
In response to htcesh

‎11-26-2009 05:33 AM

all right

i found a way to bypass defaultragroup restriction for L2TP/IPSEC client less

i use AAA local user profil to manage NAC Acl with a specific @IP/user

and a windows script

     to remove defaultgetaway mounted by the ASA so as to setup a split tunneling

     and mount route to the correct vlan

So I can redirect my users in their vlan right to thier NETWORK acl

But every users use the same preshared key

regards

0 Helpful

htcesh
Level 1
Level 1
In response to vpancisco

‎01-11-2010 01:40 PM

Because I was unable to find a solution to this problem I opened an official TAC request through Cisco and this is the answer I received:


L2TP over IPSEC connection will not fall on any defined tunnel-group unless there is an external auth-server. With LOCAL authentication it will always fall on DefaultRAGroup. Using Local authentication, you can create different VPN group-policies and can bind it with user-attributes. But its usually a feasible option when you have users around 20-40.

This is usually carried out with External Authentication server database like AD, RADIUS.

Not that I have any reason to doubt Cisco's support, but can anybody confirm this? It seems like doing this should be a fairly simple task, but it sure doesn't seem to be working out that way.

Thanks

0 Helpful
Customers Also Viewed These Support Documents