Ivan,
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Ivan Hrvatska
> Sent: Wednesday, January 13, 2010 3:54 PM
>
> Hello,
>
> I have a problem with mapping group policies to users defined in the local
> database. It seems that users are still mapped to the default policy, which
> is defined under the tunnel group:
>
> one group policy:
>
> group-policy POLICY1 attributes
> vpn-simultaneous-logins 7
> vpn-idle-timeout 60
> vpn-filter value FILTER1
> vpn-tunnel-protocol IPSec
> password-storage enable
> group-lock value GROUP1
Try disabling the group-lock value; I've not needed this section to accomplish what you're trying to do.
> address-pools value POOL1
>
> tunnel-group GROUP1 type remote-access
> tunnel-group GROUP1 general-attributes
> default-group-policy POLICY5 - can you avoid this, i.e. NOT define a
> default group policy??
>
> username USER1 password PASS encrypted
> username USER1 attributes
> vpn-group-policy POLICY1
> service-type remote-access
You can safely remove the service-type here as well. Do you have any access hours defined in the default group policy? I've found that if you enable this with a bad time range, so as to disable non-authorized users for LDAP authorization, you have to enable a valid time range for the negotiated group-policy.
>
> I don't get an address from the pool defined in group policy POLICY1, and the
> filter isn't applied... I get an address from the default policy. When I remove
> the default policy from the tunnel group, I cannot establish a VPN connection.
>
> The idea is to have one tunnel group, a couple of group-policies, and to
> map those policies to specific users.
>
> Thanks
>
>
Try adding this:
logging class vpn monitor debugging, and enable term mon. Post that information if you're still having issues.
Thanks,
-ryan
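As an added illustration (not from either poster), a small Python model of the precedence this thread relies on: a username's vpn-group-policy overrides the tunnel-group's default-group-policy, and a group-lock on the chosen policy only admits the locked tunnel group. Policy, pool, user and tunnel-group names are taken from the thread; the configuration text and its pool values are constructed for the example.

```python
import re

# Constructed ASA configuration in the shape the thread describes
# (names from the thread; POOL5 and the second user are made up).
ASA_CONFIG = """\
group-policy POLICY1 attributes
 address-pools value POOL1
 vpn-filter value FILTER1
 group-lock value GROUP1
group-policy POLICY5 attributes
 address-pools value POOL5
tunnel-group GROUP1 type remote-access
tunnel-group GROUP1 general-attributes
 default-group-policy POLICY5
username USER1 password PASS encrypted
username USER1 attributes
 vpn-group-policy POLICY1
username USER2 password PASS encrypted
"""

def parse_asa(text):
    """Collect the indented attributes of group-policy, tunnel-group and username blocks."""
    cfg = {"group-policy": {}, "tunnel-group": {}, "username": {}}
    current = None
    for line in text.splitlines():
        m = re.match(r"(group-policy|tunnel-group|username) (\S+) .*attributes$", line)
        if m:
            current = cfg[m.group(1)].setdefault(m.group(2), {})
            continue
        if line.startswith(" ") and current is not None:
            parts = line.split()
            # "address-pools value POOL1" -> {"address-pools": "POOL1"}
            current[parts[0]] = parts[-1]
        else:
            current = None  # any other top-level line ends the sub-mode
    return cfg

def resolve_policy(cfg, user, tunnel_group):
    """Return (policy, address pool) the ASA applies for this user on this tunnel group.
    A per-user vpn-group-policy wins over default-group-policy; a group-lock that names
    a different tunnel group rejects the login instead of silently falling back."""
    tg = cfg["tunnel-group"].get(tunnel_group, {})
    user_attrs = cfg["username"].get(user, {})
    policy = user_attrs.get("vpn-group-policy") or tg.get("default-group-policy")
    attrs = cfg["group-policy"].get(policy, {})
    lock = attrs.get("group-lock")
    if lock and lock != tunnel_group:
        raise PermissionError(f"{user}: {policy} is locked to {lock}, not {tunnel_group}")
    return policy, attrs.get("address-pools")
```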
Received on Wed Jan 13 2010 - 21:24:30 ART