Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Group ACLs on ASA for SSL VPN


ASA 5520 VPN Plus Software Version 7.2(2)

SSLClient Windows Version

ACS 4.1 Solution Engine

I have a client that wishes to configure multiple groups for SSL VPN access. They would like for instance to have 2 groups:



They then want to disable split-tunneling for all groups, and for each group have a different ACL applied to filter traffic. For example they want users in the vendeor group to only have access to a DNS server for DNS and then RDP to a Windows server. All of this they want authenticated by AD through ACS. Is the way to accomplish this through NAC, or is there another way?

Thanks in advance for any help.

New Member

Re: Group ACLs on ASA for SSL VPN

OK, let me clarify... I have everything, including the filters, working except for tying a user to a specific group. I just don't know how to tie a user to a specific tunnel group, when that user is being authenticated via ACS. How do I do that?

The end goal is to make sure that a user cannot use a group other than what what we want. Ie. a vendor can't use the user group to bypass ACL restrictions. Is this done with "group lock"?

New Member

Re: Group ACLs on ASA for SSL VPN

This is out of the ASA Configuration Guide:

Using the Security Appliance Authentication Server

You can configure users to authenticate to the security appliance internal authentication server, and

assign these users to a group policy on the security appliance.

Using a RADIUS Server

Using a RADIUS server to authenticate users, assign users to group policies by following these steps:

Step 1 Authenticate the user with RADIUS and use the Class attribute to assign that user to a particular group


Step 2 Set the class attribute to the group policy name in the format OU=group_name

For example, to set a WebVPN user to the SSL_VPN group, set the RADIUS Class Attribute to a value

of OU=SSL_VPN; (Do not omit the semicolon.)

New Member

Re: Group ACLs on ASA for SSL VPN

Yeah, I've read that part. But what do you do on the ASA (if anything) to insure that it uses that information to keep those users in the respective groups?

New Member

Re: Group ACLs on ASA for SSL VPN

Its been a while since I set this up but I believe thats all you have to do. The group-lock feature is to tie a group policy to a tunnel group which we do also. We want the VPN connections to be very predictable.