Problems with IPsec remote access and external group policy

cpradoscarvajal
Level 1

Hi,

I have an ASA that is using ACS as the RADIUS authentication server.

My problem is with VPN remote access.

When I configure group-policy external and use this policy as the default policy for the tunnel-group (I download the VPN attributes from the ACS), the ASA shows an authentication error, saying that the username or password is not valid.

On the other hand, when I use only the command "authentication-server-group", the VPN works fine.

Does anybody know why the group-policy external command is not working? I can't find any example on cisco.com.

2 Replies

a.alekseev
Level 7

"ASA shows an authentication error, saying that the username or password is not valid."

And what did you get on ACS?

Try to enable debugs:

debug crypto ipsec

debug crypto isakmp

Something related to VPN attributes...

http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_47/configuration/guide/ldapapp.html#wp1564407

Farrukh Haroon
VIP Alumni

You have to understand the difference between the 'group-policy' and the 'tunnel-group'. Whatever you define on ACS takes care of the group-policy part. The tunnel-group part still needs to be taken care of on the ASA itself. This is how the ASA differs from the VPN Concentrator in a way. The default authentication is using the local database. To use RADIUS, you need to use the authentication-server-group command. Have a look at this link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008080f2d1.shtml

Regards

Farrukh
