VPN Access - Limiting user access rights

Feb 15th, 2008

Hi there.

I have a 2611 router, IOS version 12.3(25), configured as a VPN server. I have already configured the IPsec parameters, users... and it is all working fine. But my customer needs to limit the access of one user that uses the same group and interface as the others. Is it possible to set up an AAA profile that matches some ACL to permit access to a few IP addresses? I was thinking of a method to set up an ACL and implement it on the interface, but this will affect the traffic of the other users, since their external access addresses are dynamic (one time they are at home, another time they are at the remote office, and so on). Note: we do not have an authentication server. Any ideas? Thanks in advance.


Brandon Buffin Fri, 02/15/2008 - 06:19

One option would be to create a separate group for this user and limit access based on a network list.

Hope this helps. If so, please rate the post.


fred.mancen Fri, 02/15/2008 - 07:08

Hi Brandon, actually I did it already. But another problem has arisen: I have just one interface with a valid public IP address. When I map the group on the interface, the other group is removed by default. I was thinking about creating sub-interfaces, but in this case I have to assign a second IP address on the sub-interface. Will this solution work? By the way, thanks a lot for your help.


jamesfang98 Fri, 02/15/2008 - 13:04

A separate VPN group associated with a different ACL should work for you, as Brandon pointed out.

I guess you may be confused with crypto map group setup. Remember, you can assign different crypto map group number for different VPN group.

fred.mancen Mon, 02/18/2008 - 04:44

Hi James.

Yes, I know that I can assign a different crypto map group for different VPN groups; the problem that I am facing is that the customer router has only one physical interface available, with just one valid public IP address available as well. So, when I assign one group to the interface, the other user group is removed because I can have just one crypto map group assigned to the interface. Both groups work well, but with this inconvenience. The major problem is that my customer does not have a server which I can customize to run RADIUS authentication, so I cannot work with authentication profiles. I don't know if I could explain it well, but this is the problem...

All the documentation that I found is focused on the same basic solution: RADIUS servers working as an authenticator and authorizing the user access based on network profiles.

Thanks a lot for your help.

jamesfang98 Wed, 02/27/2008 - 11:45

Are you building a site-to-site VPN tunnel or a dynamic VPN tunnel for the customer? How can you identify that specific user?

The requirement "to limit access based on user profile but not IP" can be achieved with the Cisco VPN Client plus a different VPN group setup on the VPN server side.
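
The following is an added configuration example, not posted by anyone in this thread, showing the approach Brandon and James describe on a single outside interface with one public address and no RADIUS server. It assumes IOS Easy VPN Server (ISAKMP client configuration groups), which is available on 12.3 mainline. The group names STAFF and RESTRICTED, the pool ranges, the interface names FastEthernet0/0 (outside) and FastEthernet0/1 (inside), the addresses 203.0.113.2, 192.168.10.5 and 192.168.10.6, and every value in angle brackets are placeholders chosen for the example. The point fred.mancen ran into disappears here: only one crypto map is ever bound to the interface, and the group a client lands in is chosen by the group name it sends, not by the crypto map.

```cisco
! Local AAA: authentication and group authorization from the router itself,
! so no external RADIUS server is needed.
aaa new-model
aaa authentication login VPN-AUTH local
aaa authorization network VPN-GROUPS local
!
username alice secret <staff-password>
username bob secret <restricted-password>
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
! Two client groups. Each hands out addresses from its OWN pool; the pool
! is what lets the router tell the restricted user apart later, regardless
! of which dynamic public address the client connects from.
crypto isakmp client configuration group STAFF
 key <staff-group-key>
 pool POOL-STAFF
!
crypto isakmp client configuration group RESTRICTED
 key <restricted-group-key>
 pool POOL-RESTRICTED
!
ip local pool POOL-STAFF 10.99.1.1 10.99.1.100
ip local pool POOL-RESTRICTED 10.99.2.1 10.99.2.10
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
 set transform-set TS
 reverse-route
!
! One crypto map serves every group. The group is selected by the name the
! VPN client presents, so nothing here has to be duplicated per group.
crypto map CMAP client authentication list VPN-AUTH
crypto map CMAP isakmp authorization list VPN-GROUPS
crypto map CMAP client configuration address respond
crypto map CMAP 10 ipsec-isakmp dynamic DYNMAP
!
interface FastEthernet0/0
 description outside, the single public address
 ip address 203.0.113.2 255.255.255.252
 crypto map CMAP
!
! Enforcement on the router, keyed on the pool address rather than on the
! client's (dynamic) public address: the restricted pool may only reach two
! hosts, everything else (staff VPN users, normal LAN traffic) is untouched.
ip access-list extended VPN-TO-LAN
 permit ip 10.99.2.0 0.0.0.255 host 192.168.10.5
 permit ip 10.99.2.0 0.0.0.255 host 192.168.10.6
 deny   ip 10.99.2.0 0.0.0.255 any
 permit ip any any
!
interface FastEthernet0/1
 description inside LAN
 ip address 192.168.10.1 255.255.255.0
 ip access-group VPN-TO-LAN out
```

The ACL is applied outbound on the inside interface because decrypted client traffic leaves the router there, so it sees the pool address as the source without having to reason about ESP on the outside interface. A split-tunnel `acl` under a client configuration group only tells the client which destinations to send through the tunnel; it is client-side policy, so the router-side ACL above is what actually bounds what the restricted user can reach. `show crypto session` and `show ip local pool` confirm which pool a connected user received and therefore which ACL lines apply to them.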
