ASA VPN client locking

I am running an ASA with multiple VPN Client groups, all authenticating against the same AAA server. Is there a way of preventing a user connecting on an individual group if they know the PSK?

What I want to be able to do is publish the PCF files internally, but prevent unauthorised access, i.e. only users in the Finance AAA group can connect to the Finance VPN, but everyone can connect to the Users VPN group.

I want to keep as much configuration on the ASA as possible, with just authentication on the AAA, as we may change AAA server in the future.

Re: ASA VPN client locking

Search on the group-lock command on the Cisco site.

Re: ASA VPN client locking

First you will have to create multiple group-policies on the ASA for different types of users.

Then you will have to configure RADIUS attribute 25 on ACS with the name of the group-policy you want to have the user linked to.

After successful authentication, ACS will include attribute 25 (group-policy) in the response. The ASA will assign the user the group policy it received from ACS.

After authentication, ACS will respond with the group-policy name and the ASA will use that group-policy for the user.


Syed Iftekhar Ahmed

Re: ASA VPN client locking

I've recently just done this.

Syed has the ACS part down.

Here's a sample config part for the ASA.

group-policy VPNC_TEST_GP attributes
 group-lock value TEST_VPN_GROUP
 default-domain value MYDOMAIN.COM
tunnel-group TEST_VPN_GROUP type remote-access
tunnel-group TEST_VPN_GROUP general-attributes
 address-pool TEST_POOL
 authentication-server-group RAD_VPN_GRP LOCAL
 accounting-server-group RAD_VPN_GRP
 default-group-policy VPNC_TEST_GP
tunnel-group TEST_VPN_GROUP ipsec-attributes
 pre-shared-key *


On ACS, Group setting Radius IETF ATTR 25
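
An added example, not part of the thread and not Cisco tooling: a small Python check over a saved ASA configuration that lists group-policies with no group-lock (a user handed that policy through attribute 25 is not tied to any tunnel-group) and group-lock values that name a tunnel-group not defined as remote-access. The sample config and the FINANCE/USERS/OLD names are constructed, and `parse` and `audit` are hypothetical helper names.

```python
import re

# Constructed sample config (not from the thread): one correctly locked policy,
# one policy with no group-lock, one lock naming a tunnel-group that is not defined.
SAMPLE_CONFIG = """\
group-policy FINANCE_GP attributes
 group-lock value FINANCE_VPN
group-policy USERS_GP attributes
 default-domain value EXAMPLE.COM
group-policy OLD_GP attributes
 group-lock value RETIRED_VPN
tunnel-group FINANCE_VPN type remote-access
tunnel-group USERS_VPN type remote-access
"""

def parse(config):
    """Return ({group-policy: locked tunnel-group or None}, {remote-access tunnel-groups})."""
    locks, tunnels, current = {}, set(), None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.fullmatch(r"group-policy (\S+) (internal|attributes)", line):
            locks.setdefault(m.group(1), None)
            # Sub-commands only follow the "attributes" form.
            current = m.group(1) if m.group(2) == "attributes" else None
        elif m := re.fullmatch(r"tunnel-group (\S+) type remote-access", line):
            tunnels.add(m.group(1))
            current = None
        elif line.startswith(("group-policy ", "tunnel-group ")):
            current = None  # some other section header
        elif current and (m := re.fullmatch(r"group-lock value (\S+)", line)):
            locks[current] = m.group(1)
    return locks, tunnels

def audit(config):
    """List (policy, issue, detail) tuples for policies that do not lock users in."""
    locks, tunnels = parse(config)
    findings = []
    for policy, target in sorted(locks.items()):
        if target is None:
            findings.append((policy, "no-group-lock", None))
        elif target not in tunnels:
            findings.append((policy, "undefined-tunnel-group", target))
    return findings

if __name__ == "__main__":
    for policy, issue, detail in audit(SAMPLE_CONFIG):
        print(f"{policy}: {issue}" + (f" ({detail})" if detail else ""))
```

Name matching is exact-string, so a group-lock value that differs from the tunnel-group name only in case is reported as undefined.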


