SSL VPN on C2821 Radius auth issues

eric.j.nelson3
Level 1

I've been looking through the discussions and I can't seem to nail this one down. I'm implementing SSL VPN on a 2821 to do SMTP only. I need it to auth off the radius server and it is only asking for local router login P/Ws. It will not auth against Radius. I've created a separate aaa auth group to no avail and tried a few different tweaks. I'm throwing science at the wall and seeing what sticks at this point.

I've made a new group server for Radius to test it, not working. I've tried variations in domain, not working. Can't use SDM, nor want to.

This is what the config looks like:

Building configuration...

Current configuration : 24735 bytes
!
! Last configuration change at 08:19:39 Arizona Tue Aug 28 2012 by dci
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname N****
!
aaa new-model
!
!
aaa group server radius IAS_AUTH
server-private 10.12.1.7 auth-port 1645 acct-port 1646 key $*****
!
aaa group server radius Global ***made for testing. Redundant
server-private 10.12.1.7 auth-port 1645 acct-port 1646 key $*****
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 group IAS_AUTH
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication login SSL_Global group Global ** created for SSL VPN redundant, but did for testing
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
!
!
!
!
aaa session-id common
!
clock timezone Arizona -7
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
password encryption aes
!
crypto pki trustpoint TP-self-signed-2464190257
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2464190257
revocation-check none
rsakeypair TP-self-signed-2464190257
!
!
crypto pki certificate chain TP-self-signed-2464190257
certificate self-signed 01
***
REMOVED
****
!
!
!
!
!
interface GigabitEthernet0/0
****
INTERFACES REMOVED
****
ip local pool SDM_POOL_2 10.12.252.1 10.12.252.254
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip flow-cache timeout inactive 10
ip flow-cache timeout active 5
ip flow-export source GigabitEthernet0/0
ip flow-export version 5 peer-as
ip flow-export destination 10.12.1.17 2048
!
***
ROUTES REMOVED
***
ACLS REMOVED SSL IS ALLOWED
***
!
!
route-map STAT_NAT permit 10
match ip address 109
!
route-map DYN_NAT permit 10
match ip address 108
!
snmp-server community $DCI$ RO
!
!
!
control-plane
!
banner login ^C
!
line con 0
password 7 01100F175804
login authentication local
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
!
webvpn gateway gateway_1
ip address **outside ip*** port 443
http-redirect port 80
ssl trustpoint TP-self-signed-2464190257
no inservice
!
webvpn context webvpn
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
!
!
port-forward "portforward_list_1"
   local-port 3000 remote-server "10.12.1.23" remote-port 25 description "Email"
!
policy group policy_1
   port-forward "portforward_list_1"
default-group-policy policy_1
aaa authentication list SSL_Global
aaa authentication domain @n****
gateway gateway_1 domain N****
max-users 10
no inservice
!
end

Can't change "no inservice" to "inservice" and I can't figure out why. Any help with this?
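The WebVPN login path in the config above is a chain: the context's `aaa authentication list` must name an `aaa authentication login` list, and that list's `group` method must name a defined `aaa group server radius`; if any link is missing, or the context or gateway is left at `no inservice`, users either get the default (local) login or nothing at all. The checker below walks that chain over a constructed excerpt of the posted config. It is an added example, not part of the thread; the excerpt is trimmed to the relevant lines, `192.0.2.1` stands in for the redacted outside IP, and the key is a placeholder.

```python
import re

# Constructed excerpt of the posted IOS config (AAA + webvpn lines only, children indented as IOS does).
CONFIG = """\
aaa group server radius IAS_AUTH
 server-private 10.12.1.7 auth-port 1645 acct-port 1646 key PLACEHOLDER
aaa group server radius Global
 server-private 10.12.1.7 auth-port 1645 acct-port 1646 key PLACEHOLDER
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 group IAS_AUTH
aaa authentication login SSL_Global group Global
webvpn gateway gateway_1
 ip address 192.0.2.1 port 443
 no inservice
webvpn context webvpn
 aaa authentication list SSL_Global
 gateway gateway_1 domain N
 no inservice
"""

def parse_blocks(text):
    """Split IOS config into (top-level line, [indented child lines]) pairs; '!' separators are dropped."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def check_webvpn_aaa(text):
    """Follow context -> login list -> RADIUS group and report anything that would break RADIUS auth."""
    blocks = parse_blocks(text)
    groups = {h.split()[-1] for h, _ in blocks if h.startswith("aaa group server radius ")}
    login_lists = {m.group(1): m.group(2).split() for h, _ in blocks
                   if (m := re.match(r"aaa authentication login (\S+) (.+)", h))}
    gateways = {h.split()[2]: body for h, body in blocks if h.startswith("webvpn gateway ")}
    findings = []
    for h, body in blocks:
        if not h.startswith("webvpn context "):
            continue
        ctx = h.split()[2]
        lst = next((l.split()[-1] for l in body if l.startswith("aaa authentication list ")), None)
        if lst is None:
            findings.append(f"{ctx}: no auth list, falls back to the default login list")
        elif lst not in login_lists:
            findings.append(f"{ctx}: list {lst} is not defined")
        else:
            methods = login_lists[lst]
            for i, m in enumerate(methods):  # every 'group X' must point at a defined server group
                if m == "group" and (i + 1 >= len(methods) or methods[i + 1] not in groups):
                    findings.append(f"{ctx}: list {lst} references an undefined group")
            if "group" not in methods:
                findings.append(f"{ctx}: list {lst} never consults RADIUS")
        if "no inservice" in body:
            findings.append(f"{ctx}: context is 'no inservice'")
        for gw in (l.split()[1] for l in body if l.startswith("gateway ")):
            if gw not in gateways:
                findings.append(f"{ctx}: gateway {gw} is not defined")
            elif "no inservice" in gateways[gw]:
                findings.append(f"{ctx}: gateway {gw} is 'no inservice'")
    return findings
```

On the excerpt the AAA chain itself resolves cleanly; the only findings are the two `no inservice` lines, which matches the symptom in the post.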

2 Replies

eric.j.nelson3
Level 1

OK, upgraded IOS to most current stable version and I'm now able to do inservice on the context and gateway. I'm trying to go through the SDM route, but Java crashes with ValidatorException errors. I'm going to try updating the SDM since it's the original version to the 2008 version since all the little "fixes" for this do not work. Any ideas on that?

Eric,

Can you post the results of "debug aaa authentication" and "debug radius authentication"?

thanks,

Tarik Admani
*Please rate helpful posts*