Hi Kings, the username remote-...@ezvpn is defined on the ACS and the RADIUS attribute Tunnel-Group-Lock is *not* set.
Perhaps I am misinterpreting question 4.4 requirements.

remote-...@ezvpn can log into group EZVPN (hosted on ASA)
remote-...@r5-ezvpn can log into group EZVPN (hosted on ASA)
remote-...@ezvpn cannot log into group R5-EZVPN (hosted on IOS)
remote-...@r5-ezvpn can log into group R5-EZVPN (hosted on IOS)

The IOS group-lock feature looks at the text after the @ symbol and compares this to the group name - this is working in my lab. I *think* the answer to question 4.4 implies that the ASA behaves the same way as IOS by looking at the text after the @ symbol for group-lock, but ASA behaviour in my lab shows this is not the case. It seems like ASA will look at the tunnel-group-lock RADIUS attribute for remote users or the group-lock local attribute for ASA local users, but it does not look at @GROUP_NAME.

Jerome

On Sun, Dec 5, 2010 at 12:31 AM, Kingsley Charles <[email protected]> wrote:
> With group-lock, the user or group-policy should use only the tunnel on
> which the request lands.
>
> Is the remote-vpn user configured for group-lock of ezvpn?
>
> With regards
> Kings
>
> On Sat, Dec 4, 2010 at 6:06 PM, Jerome Dolphin <[email protected]> wrote:
>
>> BTW, the question wants login to fail for remote-...@r5-ezvpn, but in my
>> setup remote-...@r5-ezvpn can successfully authenticate to the group EZVPN
>> on ASA2.
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
