VPN - IKEv1 - Session is being torn down. Reason: L2TP initiated

Hi guys,

I am trying to configure my ASA 5520 to allow internal staff to work from remote via VPN. I need them to authenticate via Radius to MYCOMPANY-DC1 and allow them to access only if they are part of the Windows group VPNusers.

Using the VPN wizard I've created the (purged) configuration below. Now when I try to connect, the debug returns the following error.

Dec 12 02:57:28 [IKEv1]: Group = DefaultRAGroup, IP = 120.156.45.246, Session is being torn down. Reason: L2TP initiated

I haven't found where to define the name of the Windows group the users have to be part of in order to have the access granted and I guess that this missing configuration is the cause of the problem. Can you please tell me where the error is in my config and where I have to add the missing configuration?

object-group network DM_INLINE_NETWORK_5
 network-object LAN-network 255.255.0.0
access-list INTERNAL_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_5 172.16.4.0 255.255.255.128
aaa-server windows_DC protocol radius
aaa-server windows_DC (INTERNAL) host MYCOMPANY-DC1
 timeout 5
 key *****
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_SHA
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 172.16.0.4 8.8.8.8
 dns-server value 172.16.0.4 8.8.8.8
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 default-domain value mycompanycorp.com.au
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_Cisco_Pool
 authentication-server-group windows_DC
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
 authentication eap-proxy

On the Windows Server side, I have the following event:

User myuser was denied access.
Fully-Qualified-User-Name = myuser
NAS-IP-Address = 172.16.1.1
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Client-Friendly-Name = ASA5520
Client-IP-Address = 172.16.1.1
NAS-Port-Type = Virtual
NAS-Port = 94208
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = MS-CHAPv2
EAP-Type = <undetermined>
Reason-Code = 48
Reason = The connection attempt did not match any remote access policy.

Thanks,

Dario Vanin


What was missing was an MS Windows server configuration. Problem closed.

Hi,

What configuration was missing? I have the same problem.

Unfortunately I did not manage Windows Server, so I can't help you on that.

The ASA was correctly configured and the problem was on the Windows policies.
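To show how the two log excerpts in the question line up with the conclusion in the replies (IPsec succeeded, RADIUS/NPS rejected the PPP authentication because no network policy matched), here is a small triage script. It is an added example, not code from the thread or from Cisco; the sample ASA line and NPS event are constructed to mirror the ones quoted above, and the verdict strings are my own naming.

```python
import re

# Constructed samples modelled on the lines quoted in the thread (not real captures).
ASA_DEBUG = ("Dec 12 02:57:28 [IKEv1]: Group = DefaultRAGroup, IP = 120.156.45.246, "
             "Session is being torn down. Reason: L2TP initiated")
NPS_EVENT = """User myuser was denied access.
Fully-Qualified-User-Name = myuser
NAS-IP-Address = 172.16.1.1
Client-Friendly-Name = ASA5520
NAS-Port-Type = Virtual
Authentication-Type = MS-CHAPv2
Reason-Code = 48
Reason = The connection attempt did not match any remote access policy."""

ASA_TEARDOWN = re.compile(
    r"\[(?P<proto>IKEv\d)\]: Group = (?P<group>\S+), IP = (?P<ip>[\d.]+), "
    r"Session is being torn down\. Reason: (?P<reason>.+?)\s*$")

def parse_asa_teardown(line):
    """Return protocol, tunnel group, peer IP and teardown reason from an ASA IKE debug line, or None."""
    m = ASA_TEARDOWN.search(line)
    return m.groupdict() if m else None

def parse_nps_event(text):
    """Turn the 'Attribute = value' lines of an NPS access-denied event into a dict."""
    fields = {}
    for raw in text.splitlines():
        key, sep, value = raw.partition(" = ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def triage(asa_line, nps_text):
    """Classify the failure by reading the ASA side and the NPS side together."""
    asa = parse_asa_teardown(asa_line)
    if asa is None:
        return "not-a-teardown", "ASA line is not an IKE session teardown"
    nps = parse_nps_event(nps_text)
    if asa["reason"] != "L2TP initiated":
        return "ipsec-failure", f"tunnel for {asa['group']} dropped before PPP: {asa['reason']}"
    # "L2TP initiated" means IPsec completed; the L2TP/PPP layer (RADIUS auth) ended the session.
    if nps.get("Reason-Code") == "48":
        return "nps-policy-mismatch", (
            f"RADIUS rejected {nps.get('Fully-Qualified-User-Name')}: no NPS network policy matched. "
            f"The Windows group restriction belongs in an NPS network policy condition, not in the "
            f"ASA config; that policy must also accept NAS-Port-Type {nps.get('NAS-Port-Type')} and "
            f"{nps.get('Authentication-Type')} from RADIUS client {nps.get('Client-Friendly-Name')}.")
    if "Reason-Code" in nps:
        return "nps-reject", f"RADIUS denied with Reason-Code {nps['Reason-Code']}: {nps.get('Reason')}"
    return "no-nps-event", "no NPS decision logged; check RADIUS reachability and the shared key"

if __name__ == "__main__":
    verdict, detail = triage(ASA_DEBUG, NPS_EVENT)
    print(verdict, "-", detail)
```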