Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Deny VPN access for specified groups


I have ACS and I use this authentication center for multiple devices. My issue is to deny VPN access for some groups, and allow for other. Clients are connected to ASA, maybe the solution can be an cisco-av-pair attribute or something else.

Please do some suggestion.

Thanks in advance.



Cisco Employee

Re: Deny VPN access for specified groups


You can define a Network Access Restriction (NAR) to deny access to ASA for the group which should not have access to VPN.

More on NARs at :-



New Member

Re: Deny VPN access for specified groups

If you need to deny access request coming some of your NAS, you can use NAR( Network Access Restrictions) at ACS. NAR alows you to define which user should connect to which NAS

If you want to deny access request for some of the vpn group at ASA, you can basicly select an different Authentication server for that group.


Re: Deny VPN access for specified groups


Sorry but I couldn't catch the solution still now.

On my ASA I have GROUP1 and GROUP2 VPN groups for remote VPN connections. In my ACS I define two groups GROUP1-USER and GROUP2-USER, what I want to reach that GROUP1-USER will be able to access GROUP1 profile etc. And I want to do this limitation on ACS (using External database: Windows group mapping).

If you can please send me some usefule link or better if you can a short configuration guide for this limitation anyway the authentication works well from ACS using External Database.

Thanks in advance


Cisco Employee

Re: Deny VPN access for specified groups

You want to restrict GROUP1-USER's users to GROUP1 on ASA and GROUP2-USER's users to GROUP2 on ASA ?

If yes, then on GROUP1-USER on ACS select RADIUS IEFT attribute 25 - CLass and set it to ou=GROUP1;

Likewise On GROUP2-USER set class to ou=GROUP2;



Re: Deny VPN access for specified groups

OK, it sounds good. Do I need some extra config on ASA? Like authorization or something if yes can you explain?



Cisco Employee

Re: Deny VPN access for specified groups

No we will not require any thing apart from the authentication command.

Make sure OU is in capital letters and that there is a semicolon after the group name in ACS class attribute.


Re: Deny VPN access for specified groups

It doesn't work for me.

aaa-server ACS protocol radius

aaa-server ACS host x.x.x.x

key keykeykeykey

tunnel-group TG general-attributes

address-pool TG-Pool

authentication-server-group ACS

default-group-policy TG

And in the ACS the ASA is set as RADIUS (Cisco VPN 3000/ASA/PIX 7.x+), but I tried with RADIUS IETF too. The Class attributes is OU=VPNGROUP;

Anway the VPN works well. What can be the problem?

I use External Datbase Mapping in ACS.

Thanks in advance.



Cisco Employee

Re: Deny VPN access for specified groups

Asa works differently - Not as concentrator etc.

With Asa the Class attribute will just provide the group policy name and not the group name.

The group policy on the Asa will then have the group to which the users needs to be bound.

Let's say you want to lock user rj123 into group RemoteGroup. Then on the

radius server define IETF attribute 25 Class "OU=RemotePolicy;" for this user. Here is the

config on the ASA:

group-policy RemotePolicy internal

group-policy RemotePolicy attributes

dns-server value

group-lock value RemoteGroup

Basically the OU set the group policy for this user and in the group policy

you lock the user into the tunnel-group that you want.

CreatePlease to create content