When a user belongs to more than 10 member groups in Active Directory, VIP Enterprise Gateway will only send the first 10 values to the VPN Gateway. This causes the VPN gateway (i.e., Cisco ASA) to reject the user.
By default, the number of responses for getting an attribute value is set to 10.
Edit the radserv.conf file located in the folder <VIPEG Install folder>\Validation\servers\<Validation server name>\conf.
Change the value of server.max_attribute_in_response= to match or exceed the number of groups that users are a part of.
Restart the validation server.
The validation response should now show more than 10.
Imported Document ID: SO19761
Subscribing will provide email updates when this Article is updated. Login is required.