Cannot filter by user in MUVPN IKEv2 policy using RADIUS

I've set up a Mobile User VPN using IKEv2 config on a Firebox M270 running 12.6.2.B631387. I've configured RADIUS authentication on the Firebox and added the NPS policies as outlined in the WG KB on our Windows 2012 R2 server.
Everything works fine, all users can connect to resources using the default Allow IKEv2-Users policy.

However, if I try to create a new policy with a specific user (part of the IKEv2-Users group) in the "From" tab, the policy does not seem to have any effect. It seems as if the Firebox does not filter by RADIUS user, only by group.

I've checked that the IKEv2-Users authentication configuration and the AD "IKEv2-Users" group include this user. If I create a new policy which has the default IKEv2-Users group in the "From" tab, the policy works fine. It seems it doesn't work when a specific user within that group is specified.

I've checked the traffic logs and I can see the user (abc@RADIUS) in the "src_user" tag correctly when the default "Allow IKEv2-Users" policy is in effect.
Any idea what I'm doing wrong? Any help is much appreciated.