ASA 5520 (8.0) VPN Groups and Radius (IAS)

I've got an ASA 5520 8.0(3) set up with two RA VPN groups - a "normal" user VPN group and an "Admin" user VPN group. With the Cisco VPN client, it's fairly easy to ensure only admin folks get the Admin PCF file. However, I recently set up SSL VPN as well (using the same groups). I've set the SSL URLs such that a user going to https://site.company.com goes to the normal user VPN, and a user going to https://site.company.com/Admin uses the Admin profile. This all works, but there is nothing stopping a regular user from hitting the /Admin site if they somehow learn about it. I want to make sure that the /Admin tunnel can only be accessed by users in a specific AD group. Currently, to connect to the VPN, all users (normal and admin) have to be a member of the "VPN Users" group. How can I permit/deny access to a certain tunnel group based on AD group with RADIUS (IAS, Win 2003)?

1 REPLY

Re: ASA 5520 (8.0) VPN Groups and Radius (IAS)

You may need to explore a bit and look into this feature, Dynamic Access Policies, which seems it may fit your requirements, provided you are using LDAP/AD/RADIUS for your VPN groups.

http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml#intro
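As an added example (not from the thread, and a different technique from the DAP suggestion above): the ASA "group-lock" approach, where IAS returns the RADIUS Class attribute "OU=<group-policy>;" based on AD group membership and each group policy is locked to one tunnel group. Group-policy, tunnel-group and AD group names, the IAS address and the shared secret are assumed placeholders; the URLs are the ones from the question.

```cisco
! RADIUS server group pointing at the IAS box (address and key are placeholders)
aaa-server IAS protocol radius
aaa-server IAS (inside) host 10.0.0.10
 key <shared-secret>

! Group policy for normal users: sessions allowed only through tunnel group "Users"
group-policy GP-Users internal
group-policy GP-Users attributes
 vpn-tunnel-protocol IPSec webvpn
 group-lock value Users

! Group policy for admins: sessions allowed only through tunnel group "Admins"
group-policy GP-Admins internal
group-policy GP-Admins attributes
 vpn-tunnel-protocol IPSec webvpn
 group-lock value Admins

! Normal tunnel group, reached at https://site.company.com
tunnel-group Users type remote-access
tunnel-group Users general-attributes
 authentication-server-group IAS
 default-group-policy GP-Users
tunnel-group Users webvpn-attributes
 group-url https://site.company.com enable

! Admin tunnel group, reached at https://site.company.com/Admin
tunnel-group Admins type remote-access
tunnel-group Admins general-attributes
 authentication-server-group IAS
 default-group-policy GP-Admins
tunnel-group Admins webvpn-attributes
 group-url https://site.company.com/Admin enable

! IAS side (Remote Access Policies, evaluated top-down; AD group names assumed):
!  1. Windows-Groups = COMPANY\VPN Admins -> grant, return Class = "OU=GP-Admins;"
!  2. Windows-Groups = COMPANY\VPN Users  -> grant, return Class = "OU=GP-Users;"
! The Class value overrides the tunnel group's default-group-policy. A regular
! user who browses to /Admin still authenticates, is assigned GP-Users, and the
! ASA then rejects the session because GP-Users is locked to tunnel group "Users".
```

Users who are not in either AD group get no Class attribute and fall back to the tunnel group's default policy, so keep the IAS policies restrictive enough that such users are simply denied.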
