WebVPN - ASA 7.2 - Tunnel Group - Two authentication method

obacati21
Level 1

Hi,

I'm using an ASA5520 for WebVPN and AAA authentication. AAA authentication is set on the default tunnel group. I have created a new tunnel group with local authentication.

At user level, I check "tunnel group lock" and choose the new tunnel group.

When I try to connect, the local password is denied but the AAA password is OK.

Has somebody already done this kind of conf? Is it possible to do this?

I didn't see in the Cisco documentation that it is not possible ...

Thanks

Olivier

3 Replies

mchin345
Level 6

I think it's possible to authenticate with the local username and password, but it depends on the tunnel group name and preshared key used in the WEB VPN Client.

I succeeded in authenticating users with the local database OR the Radius database. But I need to authenticate some users with local authentication and others with Radius authentication in WebVPN mode.

I created two tunnel group policies and performed group lock in the user's definition, but it did not work. I was always challenged by the default policy ...

OB1

Hi,

For Group Lock to work, you need an external Radius server.

The Radius "Class" attribute 25 should have a field as "OU = groupname ".

This is how Group Lock is supposed to work. It doesn't work with Local AAA Authentication.

It will always default to Default Group Policy.

*Please rate if helped.

-Kanishka
