When you don't have the "default-group-policy" configured under the tunnel general sub-mode, then ASA will not know which group policy to apply. In that case, you should add Radius AV 25 to the Xauth user account on ACS and that should be the external group policy name that you have configured on the ASA.
With regards
Kings

On Wed, Sep 14, 2011 at 7:20 AM, Mark Senteza <[email protected]> wrote:
> Hello all,
>
> I have my ASA setup as an EZVPN server, with an externally configured
> group-policy on the RADIUS server, like so:
>
> group-policy EZVPN external server-group RADIUS password cisco
>
> My group setup has the following:
>
> Group renamed to "EZVPN"
>
> Cisco VPN 3000/ASA/PIX v7.x+ RADIUS Attributes
> [3076\011] Tunneling-Protocol = WebVPN & IPSec
> [3076\072] IPSec-Split-Tunnel-List = SPLIT-TUNNEL <- SPLIT-TUNNEL ACL configured on the ASA
> [3076\055] IPSec-Split-Tunneling-Policy = Only tunnel networks in the list
> [3076\217] Address-Pools = EZVPN <- EZVPN address pool configured on the ASA
>
> I have a user setup (for pulling down Radius Attributes) as follows:
> User Name: EZVPN (same name as the Group)
> Password: cisco
>
> And finally my XAUTH User Setup
> User Name: ezvpnuser
> Password: cisco
>
> setup config for test 1 - under Cisco IOS/PIX 6.x RADIUS Attributes
> [009\001] cisco-av-pair
> ipsec:user-vpn-group=EZVPN
>
> setup config for test 2 - under IETF RADIUS Attributes
> [025] Class
> OU=EZVPN;
>
> My question is related to the setup config I mentioned in the last section
> for test 1 and test 2. When I use either config for the XAUTH user I am
> still able to successfully establish a VPN connection to the ASA EZVPN
> server. The user is assigned the attributes as defined in the group setup
> and encrypts traffic only to the split-tunnel networks.
>
> Why and when would I have to use the "[025] Class" config under the IETF
> RADIUS Attributes for the user?
>
> Mark
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
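As an added illustration (example code written for this page, not Cisco's implementation and not from either poster), the following Python models the group-policy lookup Kings describes: the Xauth user's IETF Class attribute (attribute 25, the "[025] Class" field on ACS, carrying "OU=<policy-name>;") names the group policy directly, and otherwise the ASA falls back to the tunnel-group's default-group-policy. The tunnel-group config text and the RADIUS replies are constructed samples; the final fallback to the ASA's built-in DfltGrpPolicy, and the exact precedence order, are assumptions of this model rather than something the thread states.

```python
"""Model of ASA group-policy selection for an Xauth (remote-access) user.

Added example for this thread; not Cisco code. The precedence modelled is an
assumption: user-level Class "OU=<name>;" first, then the tunnel-group's
default-group-policy, then the built-in DfltGrpPolicy.
"""
import re
from typing import Dict, Optional, Tuple

# IETF RADIUS attribute number for "Class" ("[025] Class" on ACS).
IETF_CLASS = 25

# Constructed sample config: tunnel-group WITH a default-group-policy.
TUNNEL_GROUP_WITH_DEFAULT = """\
tunnel-group EZVPN type remote-access
tunnel-group EZVPN general-attributes
 address-pool EZVPN
 authentication-server-group RADIUS
 default-group-policy EZVPN
"""

# Constructed sample config: the same tunnel-group WITHOUT default-group-policy,
# which is the situation Kings' reply is about.
TUNNEL_GROUP_NO_DEFAULT = """\
tunnel-group EZVPN type remote-access
tunnel-group EZVPN general-attributes
 address-pool EZVPN
 authentication-server-group RADIUS
"""


def default_group_policy(config: str) -> Optional[str]:
    """Return the policy named by 'default-group-policy <name>' under the
    tunnel-group general-attributes, or None if that line is absent."""
    match = re.search(r"^\s*default-group-policy\s+(\S+)\s*$", config, re.M)
    return match.group(1) if match else None


def group_policy_from_class(attrs: Dict[int, str]) -> Optional[str]:
    """Parse the IETF Class attribute of a RADIUS Access-Accept.

    A value of the form "OU=<name>;" selects group policy <name>.  Extra
    ';'-separated fields are tolerated; a Class value with no OU= part, or an
    absent Class attribute, yields None.
    """
    value = attrs.get(IETF_CLASS)
    if not value:
        return None
    for field in value.split(";"):
        field = field.strip()
        if field.upper().startswith("OU="):
            name = field[3:].strip()
            if name:
                return name
    return None


def resolve_group_policy(config: str, attrs: Dict[int, str]) -> Tuple[str, str]:
    """Return (group_policy_name, source) for a user authenticated through the
    given tunnel-group config with the given RADIUS attributes."""
    name = group_policy_from_class(attrs)
    if name:
        return name, "radius-class"          # per-user Class OU= attribute
    name = default_group_policy(config)
    if name:
        return name, "tunnel-group-default"  # default-group-policy on the tunnel-group
    # Assumption: nothing selected a policy, so the ASA's built-in default applies.
    return "DfltGrpPolicy", "builtin-default"


if __name__ == "__main__":
    # Test 2 from the thread: Class "OU=EZVPN;" on the Xauth user, no default-group-policy.
    print(resolve_group_policy(TUNNEL_GROUP_NO_DEFAULT, {IETF_CLASS: "OU=EZVPN;"}))
    # No user-level attribute, but the tunnel-group names a default policy.
    print(resolve_group_policy(TUNNEL_GROUP_WITH_DEFAULT, {}))
    # Neither: the user lands in the built-in default policy, not in EZVPN.
    print(resolve_group_policy(TUNNEL_GROUP_NO_DEFAULT, {}))
```

The third case is the one worth checking on a real deployment: with no default-group-policy and no per-user Class attribute, the user still authenticates but does not get the EZVPN policy (split-tunnel list, address pool) that was expected, which is easy to miss because the connection itself succeeds.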
