Shouldn't you add the command "authentication-server-group SERVER" under your tunnel-group configuration? I think without it, you'll be authenticated locally as per default ASA config.

On Tue, Jan 4, 2011 at 12:15 PM, Elliot Tyson Zvoushe <[email protected]> wrote:

> I'm having issues with configuring AnyConnect with SSL authenticating with
> Radius ACS. What I'm trying to do is the following.
>
> Configured AnyConnect on the ASA and I have more than 20 groups and I have
> used group lock to lock group but in each group I have like more than 20
> users.
> So what I need now is I want the users to be authenticated by the ACS into
> their relevant groups.
>
> Find my config for the AnyConnect
>
> webvpn
> svc ask enable
> group-policy Sales internal
> group-policy Sales attributes
> group-lock value Sales
>
> ip local pool SSLPOOL 10.236.0.48-10.236.0.63 mask 255.255.255.240
>
> same-security-traffic permit intra-interface
>
> webvpn
> enable mgmnt
> svc image disk0:/anyconnect-win-2.3.0254-k9.pkg
> svc enable
>
> tunnel-group-list enable
> group-policy clientgroup internal
> group-policy clientgroup attributes
> group-lock value sslgroup
> vpn-tunnel-protocol svc
>
> split-tunnel-policy tunnelall
> webvpn
> svc keep-installer installed
>
> svc rekey time 30
>
> svc rekey method ssl
>
> svc ask none default svc
>
> username ssluser password password
>
> tunnel-group sslgroup type remote-access
>
> tunnel-group sslgroup general-attributes
> address-pool SSLPOOL
>
> default-group-policy clientgroup
>
> tunnel-group sslgroup webvpn-attributes
> group-alias sslgroup_users enable
>
> webvpn
> enable mgmnt
> svc image disk0:/anyconnect-win-2.3.0254-k9.pkg
> svc enable
>
> tunnel-group-list enable
> group-policy Sales internal
> group-policy Sales attributes
> username sale password password
> username sale attributes
> group-lock value Sales
> vpn-tunnel-protocol svc
>
> split-tunnel-policy tunnelall
> webvpn
> svc keep-installer installed
>
> svc rekey time 30
>
> svc rekey method ssl
>
> svc ask none default svc
>
> tunnel-group sale type remote-access
>
> tunnel-group Sales general-attributes
> address-pool SSLPOOL
>
> default-group-policy Sales
>
> tunnel-group Sales webvpn-attributes
> group-alias Sales enable
>
> webvpn
> enable mgmnt
> svc image disk0:/anyconnect-win-2.3.0254-k9.pkg
> svc enable
>
> tunnel-group-list enable
> group-policy MTNSA internal
> group-policy MTNSA attributes
> username mtn password password
> username mtn attributes
> group-lock value MTNSA
> vpn-tunnel-protocol svc
>
> tunnel-group-list enable
> group-policy MTNSA internal
> group-policy MTNSA attributes
> username mtn1 password password
> username mtn1 attributes
> group-lock value MTNSA
> vpn-tunnel-protocol svc
>
> split-tunnel-policy tunnelall
> webvpn
> svc keep-installer installed
>
> svc rekey time 30
>
> svc rekey method ssl
>
> svc ask none default svc
>
> tunnel-group MTNSA type remote-access
>
> tunnel-group MTNSA general-attributes
> address-pool SSLPOOL
>
> default-group-policy MTNSA
>
> tunnel-group MTNSA webvpn-attributes
> group-alias MTNSA enable
>
> tunnel-group-list enable
> group-policy CCIE internal
> group-policy CCIE attributes
> username ccie password password
> username ccie attributes
> group-lock value CCIE
> vpn-tunnel-protocol svc
>
> Thanks
> Elliot
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com

--
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional
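
A check for the point raised in the reply, as an added example that is not part of the original thread: it reads an ASA running-config and reports which tunnel groups have no `authentication-server-group` naming an external server, so they authenticate against LOCAL. The sample config is constructed, the server group name `ACS` is an assumption, and sub-commands are assumed to be indented the way `show running-config` prints them.

```python
import re

# Constructed sample in running-config layout. Group names follow the thread;
# the RADIUS server group name "ACS" is an assumption.
SAMPLE_CONFIG = """\
aaa-server ACS protocol radius
tunnel-group sslgroup type remote-access
tunnel-group sslgroup general-attributes
 address-pool SSLPOOL
 default-group-policy clientgroup
tunnel-group Sales type remote-access
tunnel-group Sales general-attributes
 address-pool SSLPOOL
 authentication-server-group ACS
 default-group-policy Sales
tunnel-group MTNSA type remote-access
tunnel-group MTNSA general-attributes
 address-pool SSLPOOL
 authentication-server-group LOCAL
"""

HEADER = re.compile(r"tunnel-group (\S+) (type remote-access|general-attributes)$")
# Optional "(interface)" may precede the server group name.
AUTH = re.compile(r"authentication-server-group(?: \(\S+\))? (\S+)")


def auth_sources(config):
    """Map each tunnel-group to the server group that authenticates it.

    A group with no authentication-server-group line is recorded as LOCAL,
    which is the ASA default.
    """
    groups = {}
    current = None  # group whose general-attributes block we are inside
    for raw in config.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            groups.setdefault(header.group(1), "LOCAL")
            current = header.group(1) if header.group(2) == "general-attributes" else None
        elif not raw[:1].isspace():
            current = None  # any other top-level line closes the block
        elif current and AUTH.match(line):
            groups[current] = AUTH.match(line).group(1)
    return groups


def local_only(config):
    """Tunnel-groups that never consult an external AAA server."""
    return sorted(g for g, src in auth_sources(config).items() if src == "LOCAL")
```

Run `local_only()` over a saved running-config before rollout; every name it returns is a connection profile whose logins are checked against the ASA's own username database.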
