ASA VPN client locking

Unanswered Question
Feb 20th, 2009
User Badges:
  • Bronze, 100 points or more

I am running an ASA with multiple VPN Client groups, all authenticating against the same AAA server. Is there a way of preventing a user connecting on an individual group if the know the PSK.

What I want to be able to do is publish the PCF files internally, but prevent unauthorised access.. i.e. only users in the Finance AAA group can connect to the Finance VPN, but everyone can connect to the Users VPN group.

I want to keep as much configuration on the ASA as possibly, with just authentication on the AAA, as we may change AAA server in the future.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.3 (3 ratings)
Syed Iftekhar Ahmed Fri, 02/20/2009 - 13:02
User Badges:
  • Blue, 1500 points or more

First you will have to create multiple group-policies on ASA for different type of users.

Then you will have to configure the 25 radius attributes on ACS with the name of

the group-policy you want to have the user linked to.

After Successful authentication, ACS will include the attrib 25 (group-policy) in response. ASA will assign user the thr group policy it received from ACS.

After Authentication ACS will response back with Group-policy name and ASA will use that group-policy for the user.


Syed Iftekhar Ahmed

eelsenbach Mon, 02/23/2009 - 08:52
User Badges:

I've recently just done this.

Syed has the acs part down.

Heres a sample config part for ASA.

group-policy VPNC_TEST_GP attributes

group-lock value TEST_VPN_GROUP

default-domain value MYDOMAIN.COM

tunnel-group TEST_VPN_GROUP type remote-access

tunnel-group TEST_VPN_GROUP general-attributes

address-pool TEST_POOL

authentication-server-group RAD_VPN_GRP LOCAL

accounting-server-group RAD_VPN_GRP

default-group-policy VPNC_TEST_GP

tunnel-group TEST_VPN_GROUP ipsec-attributes

pre-shared-key *


On ACS, Group setting Radius IETF ATTR 25




This Discussion