I have a Cisco router with a fairly simple dialin VPDN setup with usernames set up in the router config itself (no external RADIUS server) so MS-Windows people can use the OS-built-in VPN client to connect up and access servers on my LAN.
Is there any way to restrict (via ACL or other) a connection when a specific username connects?
e.g.: if someone connects with username "thomas", I want to restrict their access to one specific server IP on my LAN.
Can this be done?
The answer is simply NO. But there are alternative ways.
Cisco devices do not process ACLs on users. You have to purchase CS ACS and integrate with your device.
Another option is installing RADIUS on a Windows server, manually setting the IP address of the user in the Dial-in tab of the user properties in Active Directory, then applying ACLs on this IP, or you can assign a name for this IP, etc.
Or you can create a tunnel-group per user and assign IP pools that contain only 1 IP, name this IP and write ACLs, if you don't have too many users connecting via VPDN.
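The single-IP-pool approach from the answer above, written out as a Cisco IOS configuration fragment. This is an added example, not configuration from the original post; the pool name, the VPN address 10.99.0.5, the server 192.168.10.20 and the interface numbers are assumed values. It shows only the router-side pieces (the one-address pool, the ACL that pins that address to a single server, and the ACL applied to the PPP virtual template); tying the pool to the user "thomas" still has to come from RADIUS or a per-user tunnel-group as the answer describes, and is not shown here.

```cisco
! Constructed example: a pool with exactly one address, so the user
! that receives this pool always gets 10.99.0.5 (assumed address).
ip local pool POOL_THOMAS 10.99.0.5 10.99.0.5
!
! Inbound ACL for traffic arriving from VPN clients.
! 10.99.0.5 may reach only 192.168.10.20 (assumed server address);
! everything else from that address is dropped and logged.
! The final line leaves other VPN users unrestricted, as they were before.
ip access-list extended VPN_CLIENTS_IN
 permit ip host 10.99.0.5 host 192.168.10.20
 deny   ip host 10.99.0.5 any log
 permit ip any any
!
! The virtual template that VPDN/PPTP sessions are cloned from.
! The access-group applies the ACL to every cloned virtual-access interface.
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/0
 peer default ip address pool POOL_THOMAS
 ip access-group VPN_CLIENTS_IN in
```

With the ACL on the virtual template, a session that lands on 10.99.0.5 can only talk to the one server, and the `log` keyword on the deny line makes any attempt to reach anything else visible in the router log, which is a useful check that the restriction is actually in effect.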