group-lock for vpn users with acs

Answered Question
Feb 11th, 2009

Is there any way to control what VPN profile a user is allowed to use through Cisco ACS, or the router?

Using 2811 router IOS ver 12.4, ACS 4.1

I just want to be sure that the VPN user can only use the Client Profile assigned to them and no other Group Profiles.


User123abc gets their hands on a co-worker's profile.



User123abc belongs to HR department and should only be able to authenticate with HR_User_Profile. If User123abc tries to authenticate using the SALES_User_Profile access should be denied.

Any documentation explaining how to set this up?

Ivan Martinon Thu, 02/12/2009 - 09:25
User Badges: Cisco Employee

Unfortunately the only kind of group lock that routers support is with local authentication. Having an ACS will not be a viable solution since the router will not understand the class attribute sent back from the ACS (if any). You will find out that the router has the option of group-lock but this will only work when the user is stored on the router DB.

fredj1234 Thu, 02/12/2009 - 10:06
Thank you for your reply.

Is it possible to achieve this with a Cisco ASA5510 or does this device have the same limitation as the router?

Are there any other scalable Cisco solutions for this?

(just guessing like changing to a PKI authentication or something else??)

I also found this doc, but do not plan to use the VPN concentrator because it's EOL.


Correct Answer
Ivan Martinon Thu, 02/12/2009 - 10:09
User Badges: Cisco Employee

The ASA will be your option. This has to be controlled by the group-policy, group-lock, tunnel-group and class values on ACS and ASA

ansalaza Fri, 02/13/2009 - 09:21
User Badges: Cisco Employee

Have you tried sending this "ipsec:user-vpn-group=XXXXXX" in cisco-av-pair?

This command was introduced in 12.2(13)T.

If RADIUS is used for user authentication, then use the User-VPN-Group attribute instead of the Group-Lock attribute.

The User-VPN-Group attribute is a replacement for the Group-Lock attribute...

If you need to check that the group a user is attempting to connect to is indeed the group the user belongs to, use the User-VPN-Group attribute. The administrator sets this attribute to a string, which is the group that the user belongs to. The group the user belongs to is matched against the VPN group as defined by group name (ID_KEY_ID) for preshared keys or by the OU field of a certificate. If the groups do not match, the client connection is terminated.
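Putting the two answers together, here is an added configuration sketch for both the ASA route (group-policy, group-lock, tunnel-group plus the ACS Class attribute) and the IOS route (cisco-av-pair ipsec:user-vpn-group). It is not from any poster: the server-group and pool names, the RADIUS server address and the ACS attribute values are assumed, the profile names reuse HR_User_Profile and SALES_User_Profile from the question, and the ISAKMP policy, transform set and dynamic crypto map the IOS side also needs are left out to show only the group-lock related pieces.

```text
! --- ASA (Ivan's suggestion): one tunnel-group and group-policy per profile ---
aaa-server ACS_RADIUS protocol radius
aaa-server ACS_RADIUS (inside) host 192.0.2.10
 key <shared-secret>
!
group-policy HR_User_Profile internal
group-policy HR_User_Profile attributes
! a user mapped to this policy may only land in the tunnel-group named here
 group-lock value HR_User_Profile
group-policy SALES_User_Profile internal
group-policy SALES_User_Profile attributes
 group-lock value SALES_User_Profile
!
tunnel-group HR_User_Profile type remote-access
tunnel-group HR_User_Profile general-attributes
 authentication-server-group ACS_RADIUS
 default-group-policy HR_User_Profile
tunnel-group SALES_User_Profile type remote-access
tunnel-group SALES_User_Profile general-attributes
 authentication-server-group ACS_RADIUS
 default-group-policy SALES_User_Profile
!
! ACS 4.1, HR user/group: return IETF RADIUS attribute [025] Class = "OU=HR_User_Profile;"
! The ASA applies the group-policy named in OU=; its group-lock then drops
! User123abc if the client offered the SALES_User_Profile group name.
!
! --- IOS 12.4 EzVPN server (ansalaza's suggestion) ---
aaa new-model
aaa authentication login VPN_USERS group radius
aaa authorization network VPN_GROUPS local
radius-server host 192.0.2.10 key <shared-secret>
ip local pool HR_POOL 10.10.1.1 10.10.1.50
ip local pool SALES_POOL 10.10.2.1 10.10.2.50
crypto isakmp client configuration group HR_User_Profile
 key <group-preshared-key>
 pool HR_POOL
crypto isakmp client configuration group SALES_User_Profile
 key <group-preshared-key>
 pool SALES_POOL
crypto map VPN_MAP client authentication list VPN_USERS
crypto map VPN_MAP isakmp authorization list VPN_GROUPS
crypto map VPN_MAP client configuration address respond
!
! ACS, HR user: return cisco-av-pair = "ipsec:user-vpn-group=HR_User_Profile"
! After xauth the router compares this string with the group name (ID_KEY_ID)
! the client offered; on mismatch the connection is terminated.
```

In both cases the check is against the group the client asked for, so a copied SALES profile fails even though the HR user's password is valid.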