VPN groups

Unanswered Question
Aug 10th, 2010

I am running asa804-k8.bin on ASA 5520.

License is: VPN Plus

We use VPN with the Cisco VPN client.

For user authentication I am using a TACACS server.

For example:

VPN 1:

ASA:
    VPN Group:                   Group_A
    PSK:                         Very_Secret_A
    Authentication server group: Group_A
    Server:                      TACACS

TACACS:
    Group of users: Group_A
    User:           user1
    Password:       Password2

VPN 2:

ASA:
    VPN Group:                   Group_B
    PSK:                         Very_Secret_B
    Authentication server group: Group_B
    Server:                      TACACS

TACACS:
    Group of users: Group_B
    User:           user2
    Password:       Password2

----------------------------------------------------

Problem is: if User1 knows the PSK of Group2, he can successfully use VPN2. Same for user1.

Is there any option to disable user1 for Group_B???

jan.nielsen Sun, 08/29/2010 - 13:15

There is a feature called group lock which does what you want. Look for the option called Class/25; in there you put OU=; without the brackets, and the ASA will only allow that user to log in to that specific group policy. However, I don't know if it works with TACACS, as it is normally sent as RADIUS attributes.
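A concrete configuration for the group-lock arrangement described in the reply, added here as an example; it is not from the original thread and not the poster's running config. It assumes the group-policy names GP_A and GP_B, an ASA 8.0-style CLI, and an AAA server group named RADIUS_SRV that speaks RADIUS and returns the IETF Class (attribute 25) value `OU=GP_A;` for user1 and `OU=GP_B;` for user2. The tunnel-group names, PSKs and the two user names are the poster's own; everything else is assumed.

```cisco
! Added example (not from the thread): each group policy is locked to the
! tunnel group it belongs to. A user may only connect through the tunnel
! group named in the group-lock of the policy the AAA server assigns to him.
group-policy GP_A internal
group-policy GP_A attributes
 group-lock value Group_A
 vpn-tunnel-protocol ipsec
!
group-policy GP_B internal
group-policy GP_B attributes
 group-lock value Group_B
 vpn-tunnel-protocol ipsec
!
! Assumed RADIUS server group; the server must return Class(25) = "OU=GP_A;"
! for user1 and "OU=GP_B;" for user2 so that the ASA selects the per-user
! group policy instead of the tunnel group's default policy.
aaa-server RADIUS_SRV protocol radius
aaa-server RADIUS_SRV (inside) host 192.0.2.10
 key RADIUS_SHARED_SECRET_PLACEHOLDER
!
tunnel-group Group_A type remote-access
tunnel-group Group_A general-attributes
 authentication-server-group RADIUS_SRV
 default-group-policy GP_A
tunnel-group Group_A ipsec-attributes
 pre-shared-key Very_Secret_A
!
tunnel-group Group_B type remote-access
tunnel-group Group_B general-attributes
 authentication-server-group RADIUS_SRV
 default-group-policy GP_B
tunnel-group Group_B ipsec-attributes
 pre-shared-key Very_Secret_B
```

How this closes the gap in the question: if user1 connects with the Group_B PSK, the tunnel group is Group_B, but the RADIUS Class attribute assigns GP_A, whose group-lock value is Group_A. The mismatch makes the ASA reject the session after authentication, so knowing another group's PSK is no longer enough. The check only works when the AAA server can hand back the per-user group policy, which is why the reply hedges on TACACS: with TACACS+ used purely for authentication, every Group_B connection falls back to the default-group-policy GP_B, the group-lock matches, and nothing is blocked. Verify the effect with `show vpn-sessiondb remote` after a test connection from each user against the other group's tunnel group.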
