Cisco Support Community
New Member

How to lock user to multiple tunnel groups in ASA


I have the following question regarding tunnel groups on the ASA.

We have multiple user groups with different access level needs, and a user can be part of multiple groups.

Currently the ASA (or VPN 3000) allows locking a user to only one group. I see this as a serious limitation, as there might for example be three groups:

- Billing (secure access only to certain systems)

- Human Resources

- General remote access (allowing access only to general services / internet)

And the user is only allowed to access two of the groups: Billing & General remote access. Now locking the user to one group doesn't accomplish this need.

So why doesn't the ASA allow defining multiple groups in "tunnel group lock"?

Has anyone figured out a scalable workaround for this problem?

As far as I can tell we might use different realms (one for each tunnel group) on our authentication/authorization servers, but this would be a hack.




Re: How to lock user to multiple tunnel groups in ASA

You want to have VPN connections on an ASA with multiple security contexts. Am I right?

According to this, here is my action plan: Actually, in multiple context mode the VPN tunnel functionality does not work.

Please look into this documentation:

I hope this helps.

New Member

Re: How to lock user to multiple tunnel groups in ASA

No, actually in single context, but I found a solution for the ASA limitation.

The solution was to use FreeRADIUS and realms to differentiate the different groups in the ASA (VPN groups).

The user logs in to the desired VPN group using "username!group", where the group is defined as a realm in RADIUS. RADIUS verifies that the username/password is correct and that the user has the right privilege for the VPN group (realm).

When the user is allowed to use the VPN group, RADIUS returns the group-lock attribute to the ASA with the same group value as the one the user tried to log in to.

So the whole process enables us to allow the user to use his/her own username & password to authenticate to _selected_ VPN groups (no need to use certificates) without any limitation to either lock the user to _one_ group or allow access to _all_ groups.
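
The decision flow described in the post above, modeled as an added Python example (not code from the thread, and not FreeRADIUS or ASA configuration). The user directory, function names and the `Group-Lock` key are assumptions made for illustration; the real attribute name depends on the RADIUS dictionary in use.

```python
import hashlib
import hmac

DELIM = "!"                 # separator the post uses in "username!group"
GROUP_LOCK = "Group-Lock"   # placeholder key for the group-lock reply attribute

def _hash(password, salt=b"constructed-salt"):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample directory: password hash and permitted VPN groups per user.
USERS = {
    "alice": {"pw": _hash("correct horse"), "groups": {"billing", "general"}},
    "bob": {"pw": _hash("hunter2-sample"), "groups": {"hr"}},
}

def radius_decide(login, password):
    """Model of the RADIUS side: returns (accepted, reply_attributes)."""
    user, sep, group = login.partition(DELIM)
    # Reject a login with no realm, an empty part, or a second delimiter.
    if not sep or not user or not group or DELIM in group:
        return False, {}
    entry = USERS.get(user)
    supplied = _hash(password)  # hashed before the lookup result is checked
    if entry is None or not hmac.compare_digest(supplied, entry["pw"]):
        return False, {}
    # Correct credentials are not enough: the user must be allowed this group.
    if group not in entry["groups"]:
        return False, {}
    # Echo the requested group back as the lock value.
    return True, {GROUP_LOCK: group}

def asa_admits(tunnel_group, accepted, reply):
    """Model of the ASA side: the lock must name the tunnel group in use."""
    return accepted and reply.get(GROUP_LOCK) == tunnel_group

def connect(tunnel_group, login, password):
    """Full path: user connects to tunnel_group and types login/password."""
    return asa_admits(tunnel_group, *radius_decide(login, password))
```

The realm in the login is typed by the user, so the RADIUS membership check alone does not bind it to the tunnel group actually used; the returned lock value is what lets the ASA refuse a session where the two differ.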
