07-06-2008 08:33 PM - edited 03-11-2019 06:10 AM
Hi,
I have an ASA that is using ACS as the radius authentication server.
My problem is with VPN remote access.
When I configure group-policy external and use this policy as the default policy for the tunnel-group (I download the VPN attributes from the ACS), the ASA shows an authentication error, telling that the username or password is not valid.
On the other hand, when I use only the command "authentication-server-group", the VPN works fine.
Does anybody know why the group-policy external command is not working? I can't find any example on cisco.com.
07-07-2008 01:41 AM
ASA shows an authentication error, telling that the username or password is not valid.
And what did you get on ACS?
Try to enable debugs:
debug crypto ipsec
debug crypto isakmp
something related to vpn attributes...
07-07-2008 05:43 AM
You have to understand the difference between the 'group-policy' and the 'tunnel-group'. Whatever you define on ACS takes care of the group-policy part. The tunnel-group part still needs to be taken care of on the ASA itself. This is how the ASA differs from the VPN Concentrator in a way. The default authentication is using the local database. To use Radius, you need to use the authentication-server-group command. Have a look at this link:
Regards
Farrukh
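The split described in the reply above, as an added configuration sketch (not taken from the thread): the tunnel-group carries the authentication-server-group, while the external group-policy only tells the ASA where to fetch policy attributes. The names ACS, RA-EXT and RA-VPN, the interface name, the 192.0.2.10 address and every <...> value are placeholders assumed for illustration.

```text
! Constructed example; all names, addresses and <...> values are placeholders.
aaa-server ACS protocol radius
aaa-server ACS (inside) host 192.0.2.10
 key <radius-shared-secret>
!
! External group-policy: the attributes live on the RADIUS server.
! The ASA retrieves them with a RADIUS request that uses the policy
! name (RA-EXT) as the username and the password given here, so an
! account with that name and password has to exist on the ACS.
group-policy RA-EXT external server-group ACS password <policy-password>
!
! On 7.x releases the tunnel-group type keyword is ipsec-ra.
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
! User authentication is set per tunnel-group; without the next line
! the ASA checks users against its LOCAL database.
 authentication-server-group ACS
 default-group-policy RA-EXT
tunnel-group RA-VPN ipsec-attributes
 pre-shared-key <group-pre-shared-key>
```

With this layout the ACS sees two kinds of requests per connection, one for the policy name and one for the connecting user, which is worth keeping in mind when reading its failed-attempts log.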