L2TP/IPSEC with Group Authentication

htcesh
Level 1

Hello all,

I have successfully set up my ASA 5510 to accept L2TP connections from the built-in Windows XP/Vista VPN clients. What I am trying to get working now is to authenticate users along with their group names using the LOCAL database on the ASA (e.g. username@tunnelgroup). My tunnel groups are set up using pre-shared keys and so far I have had no luck in accomplishing this. When I do a debug on the connection, it always defaults to the DefaultRAGroup even though I specify a group using the username@tunnelgroup format on the client.

Can what I am trying to do even be done and if so how? Any suggestions are more than welcomed!

5 Replies

vpancisco
Level 1

hello

I'm fighting against the same problem.

Did you resolve it?

Unfortunately, I have not. I have gone to relying more on the Cisco VPN Client and traditional IPSEC methods. I would love to find a solution though.

All right, thanks!

All right,

I found a way to bypass the DefaultRAGroup restriction for the L2TP/IPSEC clientless setup.

I use the AAA local user profile to manage NAC ACLs with a specific @IP/user,

and a Windows script

to remove the default gateway mounted by the ASA so as to set up split tunneling

and mount a route to the correct VLAN.

So I can redirect my users into their VLAN right to their NETWORK ACL.

But every user uses the same pre-shared key.

Regards

Because I was unable to find a solution to this problem I opened an official TAC request through Cisco and this is the answer I received:

L2TP over IPSEC connection will not fall on any defined tunnel-group unless there is an external auth-server. With LOCAL authentication it will always fall on DefaultRAGroup. Using Local authentication, you can create different VPN group-policies and bind them with user-attributes. But it's usually a feasible option when you have users around 20-40.

This is usually carried out with External Authentication server database like AD, RADIUS.

Not that I have any reason to doubt Cisco's support, but can anybody confirm this? It seems like doing this should be a fairly simple task, but it sure doesn't seem to be working out that way.

Thanks
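For readers who land here with the same question, this is an added configuration sketch of what the TAC reply describes (per-user group-policies under LOCAL authentication); it is not from the thread or from Cisco's documentation, and the names ENG-POLICY, FIN-POLICY, ENG-FILTER, FIN-FILTER, L2TP-POOL, alice and bob, plus all addresses, are constructed assumptions. Since every L2TP/IPsec user terminates on DefaultRAGroup and shares its pre-shared key, the per-user vpn-filter is what actually bounds what each account can reach on the ASA side, independent of any routing the client does.

```cisco
! Constructed example (not from the thread): per-user policy under LOCAL auth.
! Addresses and names below are assumptions; replace with your own.
ip local pool L2TP-POOL 192.168.200.10-192.168.200.50 mask 255.255.255.0

! vpn-filter ACLs: source is the address assigned to the client,
! destination is the internal network that user is allowed to reach
access-list ENG-FILTER extended permit ip 192.168.200.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list FIN-FILTER extended permit ip 192.168.200.0 255.255.255.0 10.20.0.0 255.255.255.0

! One group-policy per population; the filter is enforced by the ASA,
! so a client-side routing script cannot widen the user's reach
group-policy ENG-POLICY internal
group-policy ENG-POLICY attributes
 vpn-tunnel-protocol l2tp-ipsec
 vpn-filter value ENG-FILTER
group-policy FIN-POLICY internal
group-policy FIN-POLICY attributes
 vpn-tunnel-protocol l2tp-ipsec
 vpn-filter value FIN-FILTER

! The policy is selected by the user record (the "user-attributes" binding
! in the TAC reply), not by the tunnel-group the client lands in
username alice password <PLACEHOLDER> mschap
username alice attributes
 vpn-group-policy ENG-POLICY
username bob password <PLACEHOLDER> mschap
username bob attributes
 vpn-group-policy FIN-POLICY

! With LOCAL authentication every L2TP/IPsec session terminates here
tunnel-group DefaultRAGroup general-attributes
 address-pool L2TP-POOL
 authentication-server-group LOCAL
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
```

Verify the binding took effect with `show vpn-sessiondb detail remote` while a user is connected; the session should list the expected group-policy and filter name. As the TAC reply notes, maintaining one username block per user is only practical for a few dozen accounts, after which RADIUS or AD is the usual route.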
