IPSEC VPN auth fails if RADIUS server not first in list
Base group IPSEC tab has authentication set to "Internal." RemoteAccess group IPSEC tab has authentication set to "RADIUS with Expiry." WebVPN group IPSEC tab has authentication set to "Internal."
Configuration/System/Servers/Authentication has two entries: RADIUS server first, internal second. I need internal to be first because I have my WebVPN users configured on the internal database. However, if RADIUS server is not first, RemoteAccess group users fail to authenticate.
I tried configuring the RADIUS server on the Authentication servers button for the RemoteAccess group in Configuration/User Management/Groups, but get the same result.
Basically, my question is: how can I authenticate IPSEC remote access VPN users with RADIUS and WebVPN users with internal database?
Re: IPSEC VPN auth fails if RADIUS server not first in list
I don't think the behavior you have described is correct: "However, if RADIUS server is not first, RemoteAccess group users fail to authenticate." If all configurations are correct, the remote users should land in the RemoteAccess group, which has authentication set to RADIUS. Whatever is set in the global default parameters (internal DB) should not affect it.
However, the converse is not true for WebVPN: for WebVPN the default method has to be correct and topmost, as mentioned here: