ASA 5550 SSL VPN with Certificates OU Lock

tobin_jim
Level 1

We have an Enterprise CA set up in our organisation and a Cisco 5550 ASA that is going to be used for VPN users. The ASA has the CA certificate installed, an identity certificate issued by the CA and is retrieving the CRL from the CA. The ASA authenticates against a Cisco ACS server via IETF Radius.

We have two separate groups of SSL VPN users. When they apply for a user certificate from our CA we ask them to fill out the OU/Department field in their certificate as either SSL_Support_Group or SSL_Test_Group.

In the ACS server we have two separate groups for these users: SSL_Support_Group and SSL_Test_Group. Both groups have the IETF [025] attribute ticked and both have the OU attribute set to the same as the OU specified in the certificate (i.e. OU=SSL_Support_Group;).

In the ASA we have separate SSL VPN Connection Profiles for both groups.

What we want to achieve is this. If a user logs into SSL VPN using a certificate that has the OU set to SSL_Support_Group but is in SSL_Test_Group in the ACS, then their login should be rejected. And vice versa.

At the moment if a user logs in with OU=SSL_Support_Group in their certificate but OU=SSL_Test_Support in the ACS, then they are allowed to login but their policy is changed to SSL_Test_Group.

Is there a way to achieve what we are trying to do and if so how can we configure this?

2 Replies

tobin_jim
Level 1

I should also have mentioned that we have certificate to SSL VPN Connection Profile Maps configured for both groups.

For example:

OU=SSL_Support_Group maps to SSL_Support_Group Connection Profile

Does anyone have any feedback on this or do I need to clarify what we are trying to achieve?
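As an added example, not part of the original thread, here is the ASA-side configuration that matches the setup described above (certificate maps selecting the connection profile, ACS returning the group policy in IETF attribute 25 as `OU=<name>;`) with one addition: the `group-lock` attribute on each group policy. That attribute is the mechanism the ASA provides for rejecting a session whose connection profile does not match the group policy the RADIUS server assigns, instead of silently switching the user's policy. The RADIUS server address, the server-group name ACS_RADIUS, the map name CERT_MAP and the 8.x-era command syntax are assumptions for illustration, not details taken from the post.

```cisco
! Added example, not the poster's configuration. Names ACS_RADIUS and
! CERT_MAP and the server address are assumed; the two group-policy and
! tunnel-group names follow the thread.

! RADIUS server group pointing at the Cisco ACS (address is a placeholder)
aaa-server ACS_RADIUS protocol radius
aaa-server ACS_RADIUS (inside) host 192.0.2.10
 key <RADIUS_SHARED_SECRET>

! Group policies named exactly as ACS returns them in IETF attribute 25
! (Class) as "OU=<name>;". The group-lock line is the fix: a session that
! receives this policy is accepted only if it came in through the named
! connection profile; any other connection profile is rejected.
group-policy SSL_Support_Group internal
group-policy SSL_Support_Group attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 group-lock value SSL_Support_Group

group-policy SSL_Test_Group internal
group-policy SSL_Test_Group attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 group-lock value SSL_Test_Group

! Connection profiles (tunnel-groups), one per user population.
! Certificate plus AAA authentication, AAA against the ACS group.
tunnel-group SSL_Support_Group type remote-access
tunnel-group SSL_Support_Group general-attributes
 authentication-server-group ACS_RADIUS
 default-group-policy SSL_Support_Group
tunnel-group SSL_Support_Group webvpn-attributes
 authentication aaa certificate

tunnel-group SSL_Test_Group type remote-access
tunnel-group SSL_Test_Group general-attributes
 authentication-server-group ACS_RADIUS
 default-group-policy SSL_Test_Group
tunnel-group SSL_Test_Group webvpn-attributes
 authentication aaa certificate

! Certificate maps: the OU in the client certificate subject selects the
! connection profile, which is what the poster already has in place.
crypto ca certificate map CERT_MAP 10
 subject-name attr ou eq SSL_Support_Group
crypto ca certificate map CERT_MAP 20
 subject-name attr ou eq SSL_Test_Group

! Bind the certificate-map rules to the connection profiles
tunnel-group-map enable rules
tunnel-group-map CERT_MAP 10 SSL_Support_Group
tunnel-group-map CERT_MAP 20 SSL_Test_Group
```

With this in place the mismatch case in the question fails closed: a certificate with OU=SSL_Support_Group lands the session in connection profile SSL_Support_Group, ACS returns `OU=SSL_Test_Group;`, the ASA applies group policy SSL_Test_Group, whose group-lock names connection profile SSL_Test_Group, the names differ and the session is torn down rather than re-homed to the other policy. The same lock can alternatively be returned per user from ACS as the Cisco Tunnel-Group-Lock RADIUS VSA, which keeps the decision on the AAA server; either way the rejection shows up in the ASA syslog, so it is worth watching for those entries after the change to catch users whose certificate OU and ACS group have drifted apart.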