Deny Anyconnect Client Access for a group which is using AAA auth.

Unanswered Question
Dec 18th, 2009


Following situation:

ASA 5520 running 8.0(4)28.

Serving multiple VPN groups using either Anyconnect or VPN-Client.

One of the customers using group XXX does not want his group to be able to be established using AnyConnect.

User auth is done by an external AAA.

Config of group-p:

group-policy XXX attributes
 vpn-tunnel-protocol IPSec


Any Ideas?



Ivan Martinon Mon, 12/21/2009 - 11:01

Hi Peter,

The vpn tunnel protocol will help you with this as long as the users do not change groups to connect. If what you need is also to control users within this group, you need to use tunnel group lock, which will deny users from getting connected if they do not connect to the correct tunnel group.

See step 11 on the following link:

You will need to pass the class attribute from your Auth server.
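As an added example (not part of the thread and not Cisco's code), the following script audits a saved running-config for the two settings discussed above: whether each group-policy's `vpn-tunnel-protocol` still permits AnyConnect (keyword `svc` on ASA 8.0) and whether a `group-lock value` is set. The sample config, the tunnel-group name `XXX-TG` and the policies `YYY` and `ZZZ` are constructed for illustration.

```python
import re

# Constructed sample in ASA 8.0 running-config style (not taken from the thread).
SAMPLE_CONFIG = """\
group-policy XXX internal
group-policy XXX attributes
 vpn-tunnel-protocol IPSec
 group-lock value XXX-TG
group-policy YYY internal
group-policy YYY attributes
 vpn-tunnel-protocol IPSec svc
group-policy ZZZ internal
group-policy ZZZ attributes
 dns-server value 192.0.2.53
tunnel-group XXX-TG type remote-access
"""

def parse_group_policies(config):
    """Return {policy: {"protocols": set or None, "group_lock": str or None}}."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"group-policy (\S+) attributes\s*$", line)
        if m:
            current = policies.setdefault(
                m.group(1), {"protocols": None, "group_lock": None})
        elif not line.startswith(" "):
            current = None  # any unindented line ends the attributes sub-mode
        elif current is not None and line.strip():
            words = line.split()
            if words[0] == "vpn-tunnel-protocol":
                current["protocols"] = {w.lower() for w in words[1:]}
            elif words[:2] == ["group-lock", "value"] and len(words) == 3:
                current["group_lock"] = words[2]
    return policies

def audit(config):
    """Return {policy: [issues]} for policies that need attention."""
    findings = {}
    for name, p in parse_group_policies(config).items():
        issues = []
        if p["protocols"] is None:  # not set here, so the value is inherited
            issues.append("vpn-tunnel-protocol inherited; check DfltGrpPolicy")
        elif "svc" in p["protocols"]:
            issues.append("AnyConnect (svc) allowed")
        if p["group_lock"] is None:
            issues.append("no group-lock")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for policy, issues in audit(SAMPLE_CONFIG).items():
        print(policy, "->", "; ".join(issues))
```

A policy with no `vpn-tunnel-protocol` line is flagged rather than passed, because it takes its protocol list from the default group policy.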

