VPN groups

Aug 10th, 2010
I am running asa804-k8.bin on ASA 5520.

License is: VPN Plus

We use VPN with the Cisco VPN client.

For user authentication I am using a TACACS server.

For example:

VPN 1:
  VPN group:                    Group_A
  PSK:                          Very_Secret_A
  Authentication server group:  Group_A
    Server:                     Tacacs
  Group of users:               Group_A
    User:                       user1
    Password:                   Password2

VPN 2:
  VPN group:                    Group_B
  PSK:                          Very_Secret_B
  Authentication server group:  Group_B
    Server:                     Tacacs
  Group of users:               Group_B
    User:                       user2
    Password:                   Password2


Problem is: if user1 knows the PSK of Group2, he can successfully use VPN2. Same for user1.

Is there any option to disable user1 for Group_B?

jan.nielsen Sun, 08/29/2010 - 13:15

There is a feature called group lock which does what you want. Look for the option called Class/25; in there you put OU=; without the brackets, and the ASA will only allow that user to log in to that specific group policy. However, I don't know if it works with TACACS, as it is normally sent as RADIUS attributes.
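As an added example (not from the original thread), here is the ASA side of the group-lock approach the answer describes: each tunnel group gets its own group policy locked to that tunnel group, and the user's group policy is assigned per user rather than inherited from whichever tunnel group the PSK unlocked. Group-policy and user names are assumed to match the question; the per-user policy here comes from the ASA's local username attributes via LOCAL authorization after TACACS authentication, in place of the RADIUS Class/25 attribute named in the answer.

```cisco
! Added example, not from the thread. Names are assumed to match the question.
! One group policy per tunnel group, each locked to its own tunnel group.
group-policy GP_Group_A internal
group-policy GP_Group_A attributes
 vpn-tunnel-protocol IPSec
 group-lock value Group_A
!
group-policy GP_Group_B internal
group-policy GP_Group_B attributes
 vpn-tunnel-protocol IPSec
 group-lock value Group_B
!
! TACACS authenticates the user; LOCAL authorization then applies the
! per-user group policy from the username attributes further down.
tunnel-group Group_A type remote-access
tunnel-group Group_A general-attributes
 authentication-server-group Tacacs
 authorization-server-group LOCAL
 authorization-required
 default-group-policy GP_Group_A
tunnel-group Group_A ipsec-attributes
 pre-shared-key Very_Secret_A
!
tunnel-group Group_B type remote-access
tunnel-group Group_B general-attributes
 authentication-server-group Tacacs
 authorization-server-group LOCAL
 authorization-required
 default-group-policy GP_Group_B
tunnel-group Group_B ipsec-attributes
 pre-shared-key Very_Secret_B
!
! Per-user binding: user1 -> GP_Group_A, user2 -> GP_Group_B.
! Because GP_Group_A is locked to tunnel group Group_A, a user1 session
! arriving on Group_B is rejected even though the Group_B PSK was accepted.
username user1 nopassword
username user1 attributes
 vpn-group-policy GP_Group_A
username user2 nopassword
username user2 attributes
 vpn-group-policy GP_Group_B
```

Group lock only bites when the user's policy is assigned per user: a user who simply inherits the tunnel group's default-group-policy always matches its own lock.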
