Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Tunnel-group Lock on ACS 3.3 (11)

Dear Support Team

We have a new SSL VPN Deployment with the following details.

ASA 5520 ( Ver 8.4(2))

ACS 3.3(11)

I want to authenticate & authorize the SSL VPN Users against ACS. Primary goal of authorization through ACS is that users can only login to their groups and not to other groups.for example in the SSL portal, users can select any group, but they should only be allowed to login to their group, it is so easy, if all the users are configured on ASA (using tunnel-group lock) feature, but users are on ACS and therefore ACS has to do the authorization.

ASA is added as a Radius Client on ACS.

on ACS 3.3x, radius paramters ( IETF/ IOS/PIx) " Tunnel-group-Lock " parameter is not available.

What is the equivalent of tunnel-group-lock on ACS 3.3x, how we can enforce authorization using existing ACS. will the following work.

Radius IOS/PIX # Cisco [009/001] av-pair :


Radius IETF #  (Tried with it, but no luck)

[006] Service Type

[025] Class

[081] Tunnel Private-group ID

[082] Tunnel Assignment ID.



Everyone's tags (4)
CreatePlease login to create content