Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Remote Access group authentication with VPN3060, ACS

I want to configure authentication via ACS to ensure that users are using the correct client profile (some are more permissive than others, and I'd like to filter access in ACS). How can I configure ACS to check the group membership of a user when he's being authenticated via ACS?

Cisco Employee

Re: Remote Access group authentication with VPN3060, ACS

You can lock users into a specific group on the VPN3000 via ACS, that might be a better way to do it. Basically no matter what group the user has in their VPN client profile, they will be put into whatever VPN3000 group is specified in their ACS profile.

This works quite well where you can define a VPN3000 group with virtually no access to anything on the internal network, then distribute all your VPN clients with a profile connecting into that group. You then define specific other groups on the VPN3000 with specific network access, and then via the users profile on ACS you can lock them into that group, there's no way they can change it even if they change their VPN client profile.

Check out

for details.

If you don't want to do that specifically, you can specify ACL's and filters either on ACS and pass them down to the VPN3000, or define them on the VPN3000 and have ACS point to them. Check out

Hope that helps.

New Member

Re: Remote Access group authentication with VPN3060, ACS

Thanks, solution #1 is exactly what I wanted to do, I wasn't able to find it when I did a search, but I knew I could configure the group restriction somehow in ACS; I've configured other restrictions in ACS for wireless and dialup.

CreatePlease to create content