When you turn on the debug, what tunnel and group-policy is authenticating
the other user?

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP

Managing Partner / Sr. Instructor - IPexpert, Inc.


From: [email protected] [mailto:[email protected]] On Behalf Of Jerome Dolphin
Sent: Saturday, December 04, 2010 3:59 AM
To: OSL Security
Subject: [OSL | CCIE_Security] Lab 17 Task 4.4 / ASA remote access VPN

 

Hi again.

Looks like I'm running into a lot of issues on this lab :)

Task 4.4 asks that we only allow the user to be authorized against a group
if they are assigned to the group. This must be restricted locally on ASA2.

I've configured group-lock on the group-policy, but for some reason it's not
working as expected because the user created in the previous task named
remote-...@r5-ezvpn can log in. Any idea what I'm missing? I think I've
matched the solution guide answer...

I could configure the Tunnel-Group-Lock RADIUS attribute on the ACS, but I
think that breaks the requirements of the task and it is not mentioned in
the solutions?

group-policy EZVPN_GP internal
group-policy EZVPN_GP attributes
 banner value Welcome to IPexpert
 group-lock value EZVPN
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL01
 default-domain value ipexpert.com
 user-authentication enable

ASA2# show run tunnel-g
tunnel-group EZVPN type remote-access
tunnel-group EZVPN general-attributes
 address-pool EZVPN_POOL01
 authentication-server-group RADIUS01
 default-group-policy EZVPN_GP
 authorization-required
tunnel-group EZVPN ipsec-attributes
 pre-shared-key *
ASA2# 
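
Added example, not part of the thread or the solution guide: a Python check over an ASA running-config that reports whether each tunnel-group's default-group-policy carries a group-lock naming that same tunnel-group, and which group-policies have no group-lock at all. The OTHER_GP policy in the sample is hypothetical; inheritance from the default group policy and policies assigned by the RADIUS server are not modeled, so the debug asked about at the top of the thread is still what shows which policy a given login actually received.

```python
import re

# Constructed sample: lines from the config posted above, plus a hypothetical
# second policy (OTHER_GP) with no group-lock, added only to produce a finding.
SAMPLE_CONFIG = """\
group-policy EZVPN_GP internal
group-policy EZVPN_GP attributes
 group-lock value EZVPN
 split-tunnel-policy tunnelspecified
group-policy OTHER_GP internal
group-policy OTHER_GP attributes
 default-domain value ipexpert.com
tunnel-group EZVPN type remote-access
tunnel-group EZVPN general-attributes
 default-group-policy EZVPN_GP
 authorization-required
"""

def parse(config):
    """Return ({group-policy: group-lock or None}, {tunnel-group: default policy or None})."""
    locks, defaults, ctx = {}, {}, None
    for line in config.splitlines():
        head = re.match(r"(group-policy|tunnel-group) (\S+) (\S+)", line)
        if head:                                   # top-level line: new stanza
            kind, name, mode = head.groups()
            (locks if kind == "group-policy" else defaults).setdefault(name, None)
            ctx = (kind, name) if mode.endswith("attributes") else None
        elif not line.startswith(" "):             # any other top-level line
            ctx = None
        elif ctx:                                  # indented line inside a stanza
            sub = re.match(r" (group-lock value|default-group-policy) (\S+)", line)
            if sub and (ctx[0], sub.group(1)) == ("group-policy", "group-lock value"):
                locks[ctx[1]] = sub.group(2)
            elif sub and (ctx[0], sub.group(1)) == ("tunnel-group", "default-group-policy"):
                defaults[ctx[1]] = sub.group(2)
    return locks, defaults

def audit(config):
    """List places where a login would not be pinned to its tunnel-group."""
    locks, defaults = parse(config)
    findings = []
    for tg, gp in sorted(defaults.items()):
        if gp is None:
            findings.append(f"tunnel-group {tg}: no default-group-policy line")
        elif locks.get(gp) != tg:
            findings.append(f"tunnel-group {tg}: {gp} has group-lock {locks.get(gp)}")
    for gp, lock in sorted(locks.items()):
        if lock is None:
            findings.append(f"group-policy {gp}: no group-lock value")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)) or "no findings")
```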


