I have a 2611 router, IOS version 12.3(25), configured as a VPN server. I have already configured the IPsec parameters, users... and it is all working fine. But my customer needs to limit the access of one user that uses the same group and interface as the others. Is it possible to set up an AAA profile that matches some ACL to permit access to a few IP addresses, without an authentication server? I was thinking of a method to set up an ACL and implement it on the interface, but this will affect the traffic of the other users, since their external access addresses are dynamic (one time they are at home, another time they are at the remote office, and so on). Any ideas? Thanks in advance.