VPN Access - Limiting user access rights

fred.mancen
Level 1

Hi there.

I have a 2611 router, IOS version 12.3(25), configured as a VPN server. I have already configured the IPsec parameters, users... and it is all working fine. But my customer needs to limit the access of one user that uses the same group and interface as the others. Is it possible to set up an AAA profile that matches some ACL to permit access to a few IP addresses? I was thinking of a method to set up an ACL and implement it on the interface, but this will affect the traffic of the other users, since their external access addresses are dynamic (one time they are at home, another time they are at the remote office and so on). Note: we do not have an authentication server. Any ideas? Thanks in advance.

Regards.

5 Replies

Brandon Buffin
VIP Alumni

One option would be to create a separate group for this user and limit access based on a network list.

Hope this helps. If so, please rate the post.

Brandon

Hi Brandon, actually I did it already. But another problem has arisen: I have just one interface with a valid public IP address. When I map the group on the interface, the other group is removed by default. I was thinking about creating sub-interfaces, but in this case I have to assign a second IP address on the sub-interface. Will this solution work? By the way, thanks a lot for your help.

Regards.

A separate VPN group associated with a different ACL should work for you, as Brandon pointed out.

I guess you may be confused with crypto map group setup. Remember, you can assign different crypto map group number for different VPN group.

Hi James.

Yes, I know that I can assign different crypto map groups for different VPN groups; the problem that I am facing is that the customer router has only one physical interface available, with just one valid public IP address available as well. So, when I assign one group to the interface, the other user group is removed because I can have just one crypto map group assigned to the interface. Both groups work well, but with this inconvenience. The major problem is that my customer does not have a server which I can customize to run RADIUS authentication, so I cannot work with authentication profiles. I don't know if I explained it well, but this is the problem...

All the documentation that I found is focused on the same basic solution: RADIUS servers working as an authenticator and authorizing the user access based on network profiles.

Thanks a lot for your help.

Are you building a site-to-site VPN tunnel or a dynamic VPN tunnel for the customer? How can you identify that specific user?

The requirement "to limit access based on user profile but not IP" can be achieved by the Cisco VPN Client plus a different VPN group setup on the VPN server side.
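One way to lay out what the replies describe: two client groups terminating on a single crypto map on the one public interface, with the restricted group enforced by an ACL keyed on its own address pool rather than on the user's changing public address. This is a constructed example added here, not configuration from the thread; every name, key, pool and subnet is a placeholder, and it assumes the ISAKMP-profile commands available in IOS 12.3.

```cisco
! Constructed example, not the poster's config: two Easy VPN groups on ONE crypto map and ONE public interface.
aaa new-model
aaa authentication login VPN-XAUTH local
aaa authorization network VPN-GROUPS local
username bob password 0 CHANGE-ME
ip local pool POOL-FULL 10.0.1.1 10.0.1.50
ip local pool POOL-RESTRICTED 10.0.2.1 10.0.2.10
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
! Each group has its own key and its OWN pool: the tunnel address, not the user's public address, is what the ACL matches.
crypto isakmp client configuration group FULL
 key GROUP-KEY-1
 pool POOL-FULL
crypto isakmp client configuration group RESTRICTED
 key GROUP-KEY-2
 pool POOL-RESTRICTED
crypto isakmp profile PROF-FULL
 match identity group FULL
 client authentication list VPN-XAUTH
 isakmp authorization list VPN-GROUPS
 client configuration address respond
crypto isakmp profile PROF-RESTRICTED
 match identity group RESTRICTED
 client authentication list VPN-XAUTH
 isakmp authorization list VPN-GROUPS
 client configuration address respond
crypto ipsec transform-set TS esp-3des esp-sha-hmac
! Two entries in one dynamic map, one per profile, so both groups hang off the single crypto map the public interface carries.
crypto dynamic-map DYN 10
 set transform-set TS
 set isakmp-profile PROF-FULL
 reverse-route
crypto dynamic-map DYN 20
 set transform-set TS
 set isakmp-profile PROF-RESTRICTED
 reverse-route
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYN
! Enforcement on the LAN side: the restricted pool may reach only two hosts (placeholder addresses).
access-list 150 permit ip 10.0.2.0 0.0.0.255 host 192.168.1.10
access-list 150 permit ip 10.0.2.0 0.0.0.255 host 192.168.1.11
access-list 150 deny ip 10.0.2.0 0.0.0.255 any
access-list 150 permit ip any any
interface Ethernet0/0
 ip address 203.0.113.2 255.255.255.252
 crypto map CLIENTMAP
interface Ethernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip access-group 150 out
```

The optional `acl` under a client configuration group is a split-tunnel list that the client enforces, so it is not a substitute for access-list 150 on the router.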
