If you have it configured properly, on the Dial-in tab under the user's properties, check Allow or Deny access. If all else is set up properly you will receive the following in your System log in Event Viewer for the deny access permission:
Reason-Code = 65
Reason = The connection attempt failed because remote access permission for the user account was denied. To allow remote access, enable remote access permission for the user account, or, if the user account specifies that access is controlled through the matching remote access policy, enable remote access permission for that remote access policy.
OK, I just finished this problem up today. When you use the "protocol nt" command in the aaa-server, I believe it just queries the directory. I always had the same problem. I also found an article that says NT performs only authentication, not authorization. That is why it cannot read Windows groups. Set the aaa-server protocol to RADIUS and then it will be able to read the Windows group specified in the IAS policy. This is the ONLY WAY to do this since it provides both authentication and authorization. Otherwise you can get a Kerberos/LDAP combo to work, but I thought the config was tough.
I will post my configs tomorrow morning if you need them.
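As an added illustration (not the poster's own configs, which are not on this page), here is what the two aaa-server definitions discussed above look like on an ASA: the NT group that only authenticates, beside a RADIUS group pointing at the IAS server so that the dial-in permission and group membership in the IAS policy are actually enforced. The group names, the 10.0.0.10 address, the DC1 name, the tunnel-group name and the shared secret are placeholders and not from the thread.

```cisco
! --- Added example, not the original poster's configuration ---
! Placeholder values: NT_AUTH, IAS_RADIUS, 10.0.0.10, DC1, RAVPN, <shared-secret>

! Weak setting: protocol nt asks the domain controller whether the
! password is right, but returns no authorization data, so the
! Dial-in permission and Windows group membership are never evaluated.
aaa-server NT_AUTH protocol nt
aaa-server NT_AUTH (inside) host 10.0.0.10
 nt-auth-domain-controller DC1

! Corrected setting: protocol radius sends the request to IAS, which
! evaluates the user's Dial-in permission and the remote access policy
! (including the Windows group condition) before returning Access-Accept.
aaa-server IAS_RADIUS protocol radius
aaa-server IAS_RADIUS (inside) host 10.0.0.10
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813

! Point the remote-access tunnel group at the RADIUS group rather than
! the NT group.
tunnel-group RAVPN general-attributes
 authentication-server-group IAS_RADIUS
```

With the RADIUS group in place, a user whose Dial-in tab is set to Deny access is rejected by IAS and the System log on the IAS server shows the Reason-Code 65 entry quoted earlier in the thread, which is the check that the policy is being consulted at all; the ASA itself only sees the Access-Reject. The ports shown are the IANA RADIUS ports; the ASA defaults are 1645/1646, so set whichever pair the IAS server is actually listening on.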