Kingsley,

I did have the default-group-policy defined under the tunnel-group configuration. The config

group-policy EZVPN external server-group RADIUS password cisco
tunnel-group EZVPN type remote-access
tunnel-group EZVPN general-attributes
 default-group-policy EZVPN

On Tue, Sep 13, 2011 at 11:08 PM, Kingsley Charles <[email protected]> wrote:

> When you don't have the "default-group-policy" configured under the tunnel
> general sub-mode, then ASA will not know which group policy to apply. In
> that case, you should add Radius AV 25 to the Xauth user account on ACS and
> that should be the external group policy name that you have configured on
> the ASA.
>
> With regards
> Kings
>
> On Wed, Sep 14, 2011 at 7:20 AM, Mark Senteza <[email protected]> wrote:
>
>> Hello all,
>>
>> I have my ASA setup as an EZVPN server, with an externally configured
>> group-policy on the RADIUS server, like so:
>>
>>     group-policy EZVPN external server-group RADIUS password cisco
>>
>> My group setup has the following:
>>
>> Group renamed to "EZVPN"
>>
>> Cisco VPN 3000/ASA/PIX v7.x+ RADIUS Attributes
>>     [3076\011] Tunneling-Protocol = WebVPN & IPSec
>>     [3076\072] IPSec-Split-Tunnel-List = SPLIT-TUNNEL   <- SPLIT-TUNNEL ACL configured on the ASA
>>     [3076\055] IPSec-Split-Tunneling-Policy = Only tunnel networks in the list
>>     [3076\217] Address-Pools = EZVPN   <- EZVPN address pool configured on the ASA
>>
>> I have a user setup (for pulling down Radius Attributes) as follows:
>>     User Name: EZVPN (same name as the Group)
>>     Password: cisco
>>
>> And finally my XAUTH User Setup
>>     User Name: ezvpnuser
>>     Password: cisco
>>
>> setup config for test 1 - under Cisco IOS/PIX 6.x RADIUS Attributes
>>     [009\001] cisco-av-pair
>>         *ipsec:user-vpn-group=EZVPN*
>>
>> setup config for test 2 - under IETF RADIUS Attributes
>>     [025] Class
>>         *OU=EZVPN;*
>>
>> My question is related to the setup config I mentioned in the last section
>> for test 1 and test 2. When I use either config for the XAUTH user I am
>> still able to successfully establish a VPN connection to the ASA EZVPN
>> server. The user is assigned the attributes as defined in the group setup
>> and encrypts traffic only to the split-tunnel networks.
>>
>> Why and when would I have to use the "[025] Class" config under the IETF
>> RADIUS Attributes for the user?
>>
>> Mark
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
>>
>
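The following is an added example, not part of the original thread or of any Cisco tooling: a small Python model for auditing which group policy an XAUTH user record would be given, applied to the two test setups from the thread. It assumes, following Kingsley's reply, that only IETF attribute 25 (Class, "OU=name;") names a policy per user and that the tunnel-group default-group-policy applies otherwise; the function names and the record layout are hypothetical.

```python
import re

# Class (IETF attribute 25) value naming a group policy, e.g. "OU=EZVPN;"
_OU = re.compile(r"^\s*OU=([^;]+);?\s*$", re.IGNORECASE)


def policy_from_class(attrs):
    """Return the policy named by the first well-formed Class (025) value, else None."""
    for attr_id, value in attrs:
        if attr_id == "025":
            match = _OU.match(value)
            if match:
                return match.group(1).strip()
    return None


def resolve_policy(attrs, tunnel_default=None):
    """Return (policy, source) for one user record under this model.

    tunnel_default is the tunnel-group's default-group-policy, or None when
    that line is not configured (the case Kingsley's reply describes).
    """
    name = policy_from_class(attrs)
    if name:
        return name, "radius-class-25"
    if tunnel_default:
        return tunnel_default, "tunnel-group-default"
    return None, "unresolved"  # neither source names a policy; not modelled further


# Constructed records mirroring "test 1" and "test 2" from the thread.
USERS = {
    "test1": [("009/001", "ipsec:user-vpn-group=EZVPN")],  # no Class attribute
    "test2": [("025", "OU=EZVPN;")],
}


def audit(users, tunnel_default):
    """Map each user to the (policy, source) pair resolve_policy gives it."""
    return {user: resolve_policy(attrs, tunnel_default) for user, attrs in users.items()}


if __name__ == "__main__":
    for label, default in (("default-group-policy EZVPN", "EZVPN"), ("no default", None)):
        for user, (policy, source) in audit(USERS, default).items():
            print(f"{label:28} {user}: policy={policy} via {source}")
```

Under this model both tests resolve to EZVPN while default-group-policy EZVPN is configured, so they look identical from the client; only the source differs, and the difference becomes visible once the tunnel-group default is removed or points at another policy.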
