Hi Tyson, the ones we would expect. I think the ASA does not look at the post @ text in a username for group-lock validation?
----------------------------------------- ASA2# deb cry isa %ASA-6-302015: Built inbound UDP connection 13 for outside:192.1.49.100/1156( 192.1.49.100/1156) to identity:192.168.5.5/500 (192.168.5.5/500) %ASA-7-713236: IP = 192.1.49.100, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 849 <omitted> %ASA-7-713906: IP = 192.1.49.100, Connection landed on tunnel_group EZVPN <omitted> %ASA-7-715047: Group = EZVPN, IP = 192.1.49.100, processing IKE SA payload <omitted> %ASA-7-715001: Group = EZVPN, IP = 192.1.49.100, Processing MODE_CFG Reply attributes. %ASA-6-113004: AAA user authentication Successful : server = 192.1.12.100 : user = remote-...@r5-ezvpn %ASA-6-113009: AAA retrieved default group policy (EZVPN_GP) for user = remote-...@r5-ezvpn %ASA-6-113008: AAA transaction status ACCEPT : user = remote-...@r5-ezvpn ----------------------------------------- On Sun, Dec 5, 2010 at 6:09 AM, Tyson Scott <[email protected]> wrote: > when you turn on the debug what tunnel and group-policy is authenticating > the other user? > > > > Regards, > > > > Tyson Scott - CCIE #13513 R&S, Security, and SP > > Managing Partner / Sr. Instructor - IPexpert, Inc. > > Mailto: [email protected] > > Telephone: +1.810.326.1444, ext. 208 > > Live Assistance, Please visit: www.ipexpert.com/chat > > eFax: +1.810.454.0130 > > > > IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, > Audio Tools, Online Hardware Rental and Classroom Training for the Cisco > CCIE (R&S, Voice, Security & Service Provider) certification(s) with > training locations throughout the United States, Europe, South Asia and > Australia. Be sure to visit our online communities at > www.ipexpert.com/communities and our public website at www.ipexpert.com > > > > *From:* [email protected] [mailto: > [email protected]] *On Behalf Of *Jerome Dolphin > *Sent:* Saturday, December 04, 2010 3:59 AM > *To:* OSL Security > *Subject:* [OSL | CCIE_Security] Lab 17 Task 4.4 / ASA remote access VPN > > > > Hi again. > > Looks like I'm running into a lot of issues on this lab :) > > Task 4.4 asks that we only allow the user to be authorized against a group > if they are assigned to the group. This must be restricted locally on ASA2. > > I've configured group-lock on the group-policy, but for some reason it's > not working as expected because the user created in the previous task named > remote-...@r5-ezvpn can login. Any idea what I'm missing? I think I've > matched the solution guide answer... > > I could configure the Tunnel-Group-Lock radius attribute on the ACS, but I > think that breaks the requirements of the task and it is not mentioned in > the solutions? > > group-policy EZVPN_GP internal > group-policy EZVPN_GP attributes > banner value Welcome to IPexpert > group-lock value EZVPN > split-tunnel-policy tunnelspecified > split-tunnel-network-list value SPLIT_TUNNEL01 > default-domain value ipexpert.com > user-authentication enable > > ASA2# show run tunnel-g > tunnel-group EZVPN type remote-access > tunnel-group EZVPN general-attributes > address-pool EZVPN_POOL01 > authentication-server-group RADIUS01 > default-group-policy EZVPN_GP > authorization-required > tunnel-group EZVPN ipsec-attributes > pre-shared-key * > ASA2# > >
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
