Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN 3005 and ACS and Microsoft AD.


I have a scenario were we have two groups in the VPN 3005, group1 and group2. I also have two users, user1 and user2 who are authenticated in AD via the ACS. What I want to accomplish is to tie user1 with group1 and user2 with group2. For examle, if user1 gets hold of user2s account and password or user2s group2 id and password he will not be able to login. If something in this scenario is not clear please let me now.

Best Regards

Robert Maras

  • AAA Identity and NAC
Cisco Employee

Re: VPN 3005 and ACS and Microsoft AD.

In user1's profile on the ACS server, send back Radius attribute 25 (Class) in the form:


It's case-sensitive, and don't forget the semi-colon. The 3000 will receive this and put user1 into group1, regardless of what group they have configured in their VPN client.

I don't think you can actually stop user1 from logging in, but this way they'll always be in the correct group. If user1 does happen to get user2's username and password though, there's nothing you can do for this, since how does the 3000 now that user1 is actually sitting at the keyboard and using user2's username.

New Member

Re: VPN 3005 and ACS and Microsoft AD.

The VPN 3000 Concentrator has the ability to lock users into a Concentrator group which will override the group the user has configured in the VPN 3000 client. In this way, access restrictions can be applied to various groups configured on the Concentrator with the assurance that the users are locked into that group with the RADIUS server.

For more details on how to config it, check the following URL

This widget could not be displayed.