10-30-2009 10:04 AM - edited 02-21-2020 04:22 PM
Hello all,
I have successfully set up my ASA 5510 to accept L2TP connections from the built-in Windows XP/Vista VPN clients. What I am trying to get working now is to authenticate users along with their group names using the LOCAL database on the ASA (e.g. username@tunnelgroup). My tunnel groups are set up using pre-shared keys, and so far I have had no luck in accomplishing this. When I do a debug on the connection, it always defaults to the DefaultRAGroup even though I specify a group using the username@tunnelgroup format on the client.
Can what I am trying to do even be done and if so how? Any suggestions are more than welcomed!
11-17-2009 02:03 AM
hello
I'm fighting against the same problem.
Did you resolve it??
11-17-2009 06:37 AM
Unfortunately, I have not. I have gone to relying more on the Cisco VPN Client and traditional IPsec methods. I would love to find a solution though.
11-17-2009 07:07 AM
all right thanks !
11-26-2009 05:33 AM
all right
I found a way to bypass the DefaultRAGroup restriction for the L2TP/IPsec clientless setup.
I use the AAA local user profile to manage the NAC ACL with a specific IP/user,
and a Windows script
to remove the default gateway mounted by the ASA so as to set up split tunneling
and mount a route to the correct VLAN.
So I can redirect my users into their VLAN right to their NETWORK ACL.
But every user uses the same pre-shared key.
regards
01-11-2010 01:40 PM
Because I was unable to find a solution to this problem I opened an official TAC request through Cisco and this is the answer I received:
L2TP over IPSEC connection will not fall on any defined tunnel-group unless there is an external auth-server. With LOCAL authentication it will always fall on DefaultRAGroup. Using Local authentication, you can create different VPN group-policies and can bind it with user-attributes. But it's usually a feasible option when you have users around 20-40.
This is usually carried out with External Authentication server database like AD, RADIUS.
Not that I have any reason to doubt Cisco's support, but can anybody confirm this? It seems like doing this should be a fairly simple task, but it sure doesn't seem to be working out that way.
Thanks
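The following ASA configuration sketch is an added example, not taken from this thread or from Cisco's reply; it illustrates the approach the TAC answer describes (every L2TP/IPsec client with LOCAL authentication lands in DefaultRAGroup, so separation is done per user through user attributes) and also the per-user ACL idea from the earlier post. All names (GP-ENG, GP-RESTRICTED, POOL-ENG, ENG-ONLY, DENY-ALL, user alice) and addresses are hypothetical placeholders.

```cisco
! Added example, not from the thread. Hypothetical names and addresses.
! Replace PLACEHOLDER_PASSWORD and PLACEHOLDER_PSK before use.

! Address pool and ACL for one department; the ACL limits what the
! tunnel may reach once the user is placed in this group policy.
ip local pool POOL-ENG 10.10.20.1-10.10.20.50 mask 255.255.255.0
access-list ENG-ONLY extended permit ip 10.10.20.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list DENY-ALL extended deny ip any any

! Group policy that engineering users are bound to.
group-policy GP-ENG internal
group-policy GP-ENG attributes
 vpn-tunnel-protocol l2tp-ipsec
 address-pools value POOL-ENG
 vpn-filter value ENG-ONLY

! Catch-all policy for users without an explicit binding: they get a
! tunnel but can reach nothing (least privilege by default).
group-policy GP-RESTRICTED internal
group-policy GP-RESTRICTED attributes
 vpn-tunnel-protocol l2tp-ipsec
 vpn-filter value DENY-ALL

! With the LOCAL database every L2TP/IPsec client falls into
! DefaultRAGroup, so PPP authentication, the shared pre-shared key and
! the default policy all live here.
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group LOCAL
 default-group-policy GP-RESTRICTED
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key PLACEHOLDER_PSK
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2

! Per-user binding: the group policy comes from the user record, not
! from the username@tunnelgroup text typed at the client. MS-CHAPv2
! against the LOCAL database needs the password stored with "mschap".
username alice password PLACEHOLDER_PASSWORD mschap
username alice attributes
 vpn-group-policy GP-ENG
```

With this layout a user record either carries a vpn-group-policy or inherits GP-RESTRICTED, so an account that was never explicitly assigned gets no reachable network rather than the default group's access; the remaining weakness, as the earlier post notes, is that all L2TP/IPsec clients still share the single pre-shared key of DefaultRAGroup.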