User user@mydomain.local failed to login to VPN through AD authentication mechanism because of access not allowed

Hello, 

I dealing with this problem while trying to use external authentication via AD to manage ipsec user connections, i have created a group ou my AD for the users i want to permit access, on the fw on remote access i have give permission to this group after importing from AD.

I have other firewalls without any issue, but i can not understand what is wrong with this setup.

I would appreciate any help.

I got this message in the logs when trying to authenticate to IPEC VPN.

User user@mydomain.local failed to login to VPN through AD authentication mechanism because of access not allowed.

The AD connection tested ok, i could import the groups. i have a user that is included on the security group that i want to give vpn access.

this is the server_acesss.log portion.

SUCCESS Apr 20 18:10:42.472257Z [access_server]: (check_auth_result): user 'user@mydomain.local'(backend) Authenticated with server id '3'
ERROR Apr 20 18:10:42.479172Z [access_server]: handle_pam_authorization: VPN/SSLVPN/MYACC Authorization Failed, result_code=1

when on debug i can see on the logs that the groups for the user are correctly enumerated.

Local authentication works with any issue.

Kind Regards,

CR