Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

L2TP/IPSEC with Group Authentication

Hello all,

I have successfully setup my ASA 5510 to accept L2TP connections from the built in Windows XP/Vista VPN clients. What I am trying to get working now is to authenticate users along with their group names using the LOCAL database on the ASA. (Ex. username@tunnelgroup) My tunnelgroups are setup using pre-shared keys and so far I have had no luck in accomplishing this. When I do a debug on the connection is always defaults to the DefaultRAGroup even though I specify a group using the username@tunnelgroup format on the client.

Can what I am trying to do even be done and if so how? Any suggestions are more than welcomed!

Community Member

Re: L2TP/IPSEC with Group Authentication


i'm fighting against the same probleme

did you resolve it ??

Community Member

Re: L2TP/IPSEC with Group Authentication

Unfortunately, I have not. I have went to relying more on the Cisco VPN Client and traditional IPSEC methods. I would love to find a solution though.

Community Member

Re: L2TP/IPSEC with Group Authentication

all right thanks !

Community Member

Re: L2TP/IPSEC with Group Authentication

all right

i found a way to bypass defaultragroup restriction for L2TP/IPSEC client less

i use AAA local user profil to manage NAC Acl with a specific @IP/user

and a windows script

     to remove defaultgetaway mounted by the ASA so as to setup a split tunneling

     and mount route to the correct vlan

So I can redirect my users in their vlan right to thier NETWORK acl

But every users use the same preshared key


Community Member

Re: L2TP/IPSEC with Group Authentication

Because I was unable to find a solution to this problem I opened an official TAC request through Cisco and this is the answer I received:

L2TP over IPSEC connection will not fall on any defined tunnel-group unless there is an external auth-server. With LOCAL authentication it will always fall on DefaultRAGroup. Using Local authentication, you can create different VPN group-policies and can bind it with user-attributes. But its usually a feasible option when you have users around 20-40.

This is usually carried out with External Authentication server database like AD, RADIUS.

Not that I have any reason to doubt Cisco's support, but can anybody confirm this? It seems like doing this should be a fairly simple task, but it sure doesn't seem to be working out that way.


CreatePlease to create content