Cisco Support Community
Problems with IPsec remote access and external group policy

Hi,

I have an ASA that is using ACS as the radius authentication server.

My problem is with VPN remote access.

When I configure group-policy external and use this policy as the default policy for the tunnel-group (I download the VPN attributes from the ACS), the ASA shows an authentication error, telling that the username or password is not valid.

On the other hand, when I use only the command "authentication-server-group", the VPN works fine.

Does anybody know why the group-policy external command is not working? I can't find any example on cisco.com.

2 REPLIES

Re: Problems with IPsec remote access and external group policy

ASA shows an authentication error, telling that the username or password is not valid.

And what did you get on ACS?

Try to enable debugs:

debug crypto ipsec

debug crypto isakmp

something related to vpn attributes...

http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_47/configuration/guide/ldapapp.html#wp1564407

Re: Problems with IPsec remote access and external group policy

You have to understand the difference between the 'group-policy' and the 'tunnel-group'. Whatever you define on ACS takes care of the group-policy part. The tunnel-group part still needs to be taken care of on the ASA itself. This is how the ASA differs from the VPN Concentrator in a way. The default authentication is using the local database. To use Radius, you need to use the authentication-server-group command. Have a look at this link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008080f2d1.shtml

Regards

Farrukh
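To illustrate the split that Farrukh describes, here is an added ASA configuration fragment (not posted by anyone in the thread): the external group policy handles the group-policy attributes, while the tunnel-group itself must name the RADIUS server group for user authentication. The server-group name ACS, the tunnel-group and policy names, and the address 192.0.2.10 are assumed placeholders.

```cisco
! Added example, not from the thread. ACS, RA-VPN, RA-EXT-GP and
! 192.0.2.10 are assumed/constructed placeholders.

! RADIUS server group the ASA queries (the ACS in the original post)
aaa-server ACS protocol radius
aaa-server ACS (inside) host 192.0.2.10
 key <radius-shared-secret>

! External group policy: the VPN attributes are pulled from ACS instead
! of being defined locally. This covers only the group-policy part.
group-policy RA-EXT-GP external server-group ACS password <policy-lookup-password>

! --- Form described in the original post (fails): the tunnel-group
! --- points at the external policy, but without authentication-server-group
! --- user authentication still uses the ASA default, the LOCAL database,
! --- so the RADIUS user is rejected as "username or password not valid".
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 default-group-policy RA-EXT-GP

! --- Working form (replaces the general-attributes block above): the
! --- tunnel-group also names ACS for user authentication. Both lines are
! --- needed; neither one implies the other.
tunnel-group RA-VPN general-attributes
 authentication-server-group ACS
 default-group-policy RA-EXT-GP
tunnel-group RA-VPN ipsec-attributes
 pre-shared-key <tunnel-group-psk>
```

On a live ASA, `show running-config tunnel-group RA-VPN` confirms which authentication server group the tunnel-group actually uses.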
