lascale
New Contributor

SSL VPN Misconfiguration or Limitation (please help)

Hi,

I am trying to set up SSL VPN to replace the current ASA solution in my company, and I am encountering two issues:

1) I need to be able to give my VPN users different access rights (different subnets or servers). My users are all in the same subnet range, SSL_VPN_ADDRESS, and I will use only tunnel mode without split tunnel (no web portal).

I set up my users (for testing, two users, localuser1 and localuser2) and three local groups: SSL_VPN_USERS, DENAY_INTERNET and DENAY_LOCAL.

I made user1 and user2 members of SSL_VPN_USERS and, respectively, one a member of DENAY_INTERNET and the other of DENAY_LOCAL.

I made basic policies ssl.root -> Local and ssl.root -> Internet to grant SSL_VPN_USERS access, and I also created two policies (higher in the hierarchy) for DENAY_INTERNET and DENAY_LOCAL. I successfully log on with user 1 and 2, but no restriction is applied; the only policy that is applied is the one that contains SSL_VPN_USERS. If I add this group to my "test deny policy", then it blocks (but all users...).

Am I doing something wrong? Or is this by design? It would not be practical, to say the least...

2) I am planning to use RADIUS and remote groups, so I tested with RADIUS... All fine, users can be authenticated by means of RADIUS, but when I try to use remote groups... problem. If I define a policy that contains ssl.root as the source interface, then I CANNOT add my RSSO groups as the source address; I simply cannot see them. With other interfaces it is possible, but that is of no use...

Why? How can I use remote groups? I successfully configured the RADIUS server to pass the right value (checked in debug).

Any help is appreciated, as well as pointing out any KB or cookbook article I may have overlooked...

P.S.

I can post the configuration if it helps...

Best Regards

Alessandro

Toshi_Esumi
Esteemed Contributor III

1) Read this and see if a realm would work for your case. I think it does.

http://cookbook.fortinet.com/multi-realm-ssl-vpn/

2) I think you need to use an LDAP server to use groups on the auth server. But if you implement realms (above), users specify which group and policy they're in.
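For reference, here is what the realm approach from the cookbook looks like in the FortiOS CLI. This is an added example, not configuration from either poster: each realm gets its own portal with its own tunnel IP pool, so the two groups land in different source ranges and can be matched by ordinary address-based firewall policies on ssl.root. The group names DENAY_INTERNET and DENAY_LOCAL are taken from the question; the interface names (wan1, internal), pool ranges, portal and realm names, and policy IDs are assumptions for illustration, and the lines starting with # are annotations.

```text
# Added example, not from the thread. FortiOS CLI; names and addresses are assumed.

# One tunnel pool per access profile so policies can match on source address.
config firewall address
    edit "POOL_LOCAL_ONLY"
        set type iprange
        set start-ip 10.212.134.1
        set end-ip 10.212.134.100
    next
    edit "POOL_INTERNET_ONLY"
        set type iprange
        set start-ip 10.212.134.101
        set end-ip 10.212.134.200
    next
end

# Tunnel-mode portals, no split tunnel, no web mode (as the question requires).
config vpn ssl web portal
    edit "portal-local-only"
        set tunnel-mode enable
        set split-tunneling disable
        set web-mode disable
        set ip-pools "POOL_LOCAL_ONLY"
    next
    edit "portal-internet-only"
        set tunnel-mode enable
        set split-tunneling disable
        set web-mode disable
        set ip-pools "POOL_INTERNET_ONLY"
    next
end

# Realms are URL paths: users log in at https://<vpn-address>/local or /internet.
config vpn ssl web realm
    edit "local"
    next
    edit "internet"
    next
end

# Map realm + group to a portal. A user who is in the wrong group for a realm
# does not match a rule and is refused.
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set source-interface "wan1"
    set source-address "all"
    set default-portal "portal-local-only"
    config authentication-rule
        edit 1
            set realm "local"
            set groups "DENAY_INTERNET"
            set portal "portal-local-only"
        next
        edit 2
            set realm "internet"
            set groups "DENAY_LOCAL"
            set portal "portal-internet-only"
        next
    end
end

# Accept policies only; anything not matched falls through to the implicit deny.
config firewall policy
    edit 10
        set name "sslvpn-local-only-to-lan"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "POOL_LOCAL_ONLY"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "DENAY_INTERNET"
    next
    edit 11
        set name "sslvpn-internet-only-to-wan"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "POOL_INTERNET_ONLY"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "DENAY_LOCAL"
        set nat enable
    next
end
```

Because each group is confined to its own pool, there is no need for deny policies ordered above the accept policies: the local-only pool simply has no policy towards wan1, and the internet-only pool has none towards the LAN, so both are dropped by the implicit deny. The `set groups` line on each policy is belt-and-braces; the pool assignment already does the separation. Check the result with `diagnose vpn ssl list` after logging in to each realm to confirm which pool address the user received.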
