VPN拨号通过AD用户认证问题。

我用Cisco 2811配置了VPN Server, 并安装了CA和ACS, Cisco VPN Client用ACS中的用户可以拨号正常， 用域AD的用户无法拨号，查了几天资料，但还是不成功，请各位指教？

以下是我的Route 2811的配置，看一下是否有其它问题。
========================================

8 @5 l3 i! a. T3 tr2811#sh run
Building configuration...
! n$ p5 g* S# A( M) l
Current configuration : 4110 bytes
$ M, Q" ~' N7 C! p0 @+ q. |, g!
5 x& y' `) L0 h6 Y) Zversion 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
3 n& E/ k% c- N: Y2 Y( ]service password-encryption
!
hostname r2811
!
boot-start-marker
; s. v( W' q/ }  g5 jboot-end-marker
/ r7 P2 }  H* z7 O. D!
enable secret 5 $1$EIF
8 d4 v' y) u" z9 [3 o!
aaa new-model
!
!
& ?" d8 t, f0 ?8 z4 W( ~! V+ uaaa authentication login revpnuser group radius local
aaa authorization network revpngroup group radius local
!
!
# `+ T, h, s( Saaa session-id common
/ N4 h+ {9 S2 Kclock timezone GMT+8 8
9 O/ s) z" o* Z8 J% `% k: s, N!
!
+ A, ]2 v1 [- f8 l7 Qip cef
) l1 d- R1 Y/ Y! c5 @2 v!
; X7 L/ R% A- p+ ?! A  e!
5 F& i0 `, `& o9 ]. F: ?6 rip ssh time-out 30
ip ssh authentication-retries 2
6 z0 W9 U5 W, ]: \!
9 q) d  {  ?+ k7 b$ Wmultilink bundle-name authenticated
!
!
voice-card 0
) q0 o- `' X' a' Q! p no dspfarm

& A5 h3 w% L& a5 n( |$ V0 v!
username ciscovpn privilege 15 secret 5 $1$on7L$TPRqhLR
!
vlan internal allocation policy ascending
!
!
crypto isakmp policy 110
encr 3des
hash md5
( P! v) ^: {4 q. G authentication pre-share
group 2
crypto isakmp client configuration address-pool local addpool
0 [! U& |) u9 c4 n2 T!
* \. w) N& w4 @: [; {crypto isakmp client configuration group revpn
+ K" _) M" d$ n: u; |* T0 e key tsgacs
dns 10.3.140.15
domain tsets.com
" }6 {, x1 M# D  B$ t# u pool addpool
' F' Z0 o) U. F: K3 {5 R acl 110
0 Z  b7 z) S; j2 ~$ Y* V save-password
include-local-lan
- F% A( W: ?4 ` max-logins 5
4 Y( i+ t* x/ A  \# ?" a netmask 255.255.255.0
!
!
crypto ipsec transform-set trvpn esp-aes 256 esp-md5-hmac
!
crypto dynamic-map dymap 10
. b0 f, h# L! O2 t set transform-set trvpn
reverse-route
!
6 i3 e; S. t5 h# i# {. A2 c!
crypto map mamap client authentication list revpnuser
crypto map mamap isakmp authorization list revpngroup
crypto map mamap client configuration address initiate
$ h; k7 d# j+ E. Qcrypto map mamap client configuration address respond
crypto map mamap 99 ipsec-isakmp dynamic dymap
2 R0 T* V0 S' [$ Y- r6 ]8 a6 ]!
!
!
!
  S; ]% h8 T2 c!
* k7 E1 C( [# [6 u* Finterface FastEthernet0/0
6 Z, ^/ ^) R, } ip address ******* 255.255.255.248
no ip unreachables
duplex auto
speed auto
crypto map mamap
! _5 l1 L+ D, y) y$ s% p- @# s. ~!
/ @5 o4 ]  ?% B- H  }: v' s  P! ninterface FastEthernet0/1
3 d6 c8 h) Z8 L+ R+ g description $ETH-LAN$
+ C1 r; Y2 K" ]& C$ C ip address 10.3.150.7 255.255.255.0
4 j: {6 v5 g; ~( B% p0 I duplex auto
8 f) S& S8 k9 T speed auto
!
ip local pool addpool 10.3.150.10 10.3.150.100
* O* o- k6 ]! i) W$ Qip route 0.0.0.0 0.0.0.0 50.210.230.200
ip route 10.3.0.0 255.255.0.0 10.3.150.2
9 g4 c( U) Q9 U$ }9 A* D4 N!
!
ip http server
ip http authentication local
ip http secure-server
( i2 u. Q  `: w7 z7 W& K9 Hip dns server
6 \% y2 }: D. g% d# [) B. {!
access-list 110 permit ip 10.3.140.0 0.0.0.255 any
5 b1 `6 ?8 S8 h, u. uaccess-list 110 permit ip 10.3.150.0 0.0.0.255 any
!
!
!
+ @& S# N2 b& R. @0 _: y  z7 x! @!
+ T3 B  z9 o" {6 t!
radius-server host 10.3.140.22 auth-port 1645 acct-port 1646
* m, I& X2 E4 b! q! }+ W# Q7 f5 hradius-server key 7 08355F490
!
' j0 u( ?$ z1 I, v  icontrol-plane
2 ]! i. [; V  {3 }2 ^!
5 t6 A1 D) z1 H% z5 N8 E9 n& |!
* P! X$ t6 V" E; c4 c!
!
. K! k% [8 d9 A; \3 t!
1 N8 ~2 w4 w+ O7 A5 t!
!
# S9 q9 r" K+ j% u! q( V!
!
!
" c9 P# ?5 r- gline con 0
  j% y% T) p+ u; B" w; hline aux 0
line vty 0 4
password 7 094F460817020D1A0419567A7B7D
transport input telnet ssh
: L8 z  l/ Z: _6 ^5 r% A0 u+ Q!
no scheduler allocate
+ `. K2 t( t8 n" @ntp clock-period 17180182
ntp server 10.3.140.2
! e" q3 u- G2 r# o+ h!
end

r2811#

兄弟们都没有做过类似的案例么？

应该是ACS的问题。要做AD组的映射，还有要配置ACS去检测域账号。

学习了，谢谢分享、、、

有道理。。。感谢攻城狮论坛

沙发！沙发!

帮帮顶顶！！