Cisco Support Community

VPN groups

I am running asa804-k8.bin on ASA 5520.

License is: VPN Plus

We use VPN with the Cisco VPN client.

For user authentication I am using a TACACS server.

For example:

vpn 1:

ASA:
    VPN Group: Group_A
    PSK: Very_Secret_A
    Authentication server group: Group_A
        Server: Tacacs

Tacacs:
    Group of users: Group_A
        User: user1
        Password: Password2

vpn 2:

ASA:
    VPN Group: Group_B
    PSK: Very_Secret_B
    Authentication server group: Group_B
        Server: Tacacs

Tacacs:
    Group of users: Group_B
        User: user2
        Password: Password2

----------------------------------------------------

The problem is: if User1 knows the PSK of Group2, he can successfully use VPN2. Same for user1.

Is there any option to disable user1 for Group_B?


Re: VPN groups

There is a feature called group lock which does what you want. Look for the option called Class/25; in there you put OU=; without the brackets, and the ASA will only allow that user to log in to that specific group policy. However, I don't know if it works with TACACS, as it is normally sent as RADIUS attributes.

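The check the reply describes, as an added example that is not part of the thread and is not ASA code: a simplified Python model in which a per-user Class (attribute 25) value of the form `OU=<policy>;` selects a group policy, and that policy's group lock must match the tunnel group the user connected through. The dictionaries, the function names `policy_from_class` and `authorize`, and the user `user3` are assumptions made for illustration.

```python
import re

# Constructed model of the setup in this thread (not ASA code).
# Tunnel groups and their pre-shared keys, as given in the question.
TUNNEL_GROUPS = {"Group_A": "Very_Secret_A", "Group_B": "Very_Secret_B"}

# Assumption: one group policy per tunnel group, each locked to that group.
GROUP_LOCK = {"Group_A": "Group_A", "Group_B": "Group_B"}

# Assumption: Class (attribute 25) value the AAA server returns per user.
# user3 is a constructed user for whom no Class value is returned.
USER_CLASS = {"user1": "OU=Group_A;", "user2": "OU=Group_B;", "user3": None}

# The trailing semicolon is part of the expected format.
_OU = re.compile(r"(?:^|;)\s*OU=([^;]+);", re.IGNORECASE)


def policy_from_class(class_value):
    """Return the policy named in an 'OU=<name>;' Class value, or None."""
    if not class_value:
        return None
    match = _OU.search(class_value)
    return match.group(1).strip() if match else None


def authorize(user, tunnel_group, psk, user_authenticated=True):
    """Decide whether a session is allowed; returns (allowed, reason)."""
    if TUNNEL_GROUPS.get(tunnel_group) != psk:
        return False, "bad group or PSK"
    if not user_authenticated:
        return False, "user authentication failed"
    policy = policy_from_class(USER_CLASS.get(user))
    if policy is None:
        # No per-user attribute: nothing ties the user to a group,
        # which is the situation described in the question.
        return True, "no per-user policy, PSK decides"
    if policy not in GROUP_LOCK:
        return False, "unknown group policy"
    locked_to = GROUP_LOCK[policy]
    if locked_to != tunnel_group:
        return False, f"group lock: {user} is locked to {locked_to}"
    return True, f"policy {policy}"
```

A missing or malformed Class value takes the unlocked path in this model, so the attribute needs to be present for every user the lock is meant to cover.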