Cisco Support Community
Community Member

SSL VPN - not allowed user can access to vpn


I'm running on ASAv9 and AnyConnect to provide SSL VPN tunnels. Each tunnel gives access to a different network from the outside on a unique public IP address.

Each network tunnel can be mounted with a unique URL like and

My users are identified by an external RADIUS server (user1@domainA.local).

Everything works great except one thing: a user restricted to access tunnelA can mount tunnelB if they know the URL of tunnelB (with a user ID defined for tunnelA).

For example, in the AnyConnect client, user1@tunnelB.local can open tunnelA on the URL

This is a huge security risk.

I don't know how it's possible.

I've configured each tunnel like this :  [Edit] See attached file for config, cannot paste plain text code

Can anyone explain to me how to link a user ID to a tunnel URL or whatever?

Maybe it's my RADIUS server that doesn't receive or determine which domain is being accessed when the URL of tunnelA is sent, and so can't match the URL domain against the user domain.

Thanks for reading.

Cisco Employee

SSL VPN - not allowed user can access to vpn

Have a look into group-lock (it can be sent over RADIUS). Basically you can bind a particular user to a particular group.


Community Member

Re: SSL VPN - not allowed user can access to vpn

Thanks a lot for your reply, I will try it and come back to give some news.

If I've understood correctly, I modify my group-policy attributes to add:

     group-lock value

And add address-pool ip_pool to my tunnel-group like:

     tunnel-group my_tunnel-group type remote-access

     tunnel-group my_tunnel-group general-attributes

          address-pool ip_pool  <<< corresponds to the ip local pool ... of this tunnel

          authentication-server-group RADIUS_SRV

          authorization-server-group RADIUS_SRV

          default-group-policy my_group-policy <<< where my group-lock value is defined

right ?
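The group-lock suggestion above and the proposed tunnel-group configuration both come down to one check: each tunnel-group's applied group-policy must carry a `group-lock value` naming that same tunnel-group. As an added example (not code from the thread or from Cisco), the audit below parses a constructed ASA running-config and lists tunnel-groups whose `default-group-policy` does not lock users to them; the names GP_A, GP_B, TG_A, TG_B, POOL_A, POOL_B and RADIUS_SRV are made-up sample values.

```python
import re
from typing import Dict, List, Optional

# Constructed sample ASA running-config (not from the thread): GP_A locks its
# users to TG_A, GP_B has no group-lock, so a GP_B user can bring up either
# tunnel-group by connecting to the other group's URL.
SAMPLE_CONFIG = """
group-policy GP_A attributes
 group-lock value TG_A
group-policy GP_B attributes
 vpn-tunnel-protocol ssl-client
tunnel-group TG_A type remote-access
tunnel-group TG_A general-attributes
 address-pool POOL_A
 authentication-server-group RADIUS_SRV
 default-group-policy GP_A
tunnel-group TG_B type remote-access
tunnel-group TG_B general-attributes
 address-pool POOL_B
 authentication-server-group RADIUS_SRV
 default-group-policy GP_B
"""
BLOCK_RE = re.compile(r"^(group-policy|tunnel-group) (\S+) (attributes|general-attributes)$")

def parse_asa(config: str):
    """Return (group-policy -> group-lock value or None, tunnel-group -> default policy)."""
    locks: Dict[str, Optional[str]] = {}
    default_gp: Dict[str, Optional[str]] = {}
    block = None  # (kind, name) that the following indented lines belong to
    for line in config.splitlines():
        if not line.startswith(" "):  # any top-level command closes the current block
            m = BLOCK_RE.match(line)
            block = (m.group(1), m.group(2)) if m else None
            if block:
                (locks if block[0] == "group-policy" else default_gp).setdefault(block[1], None)
        elif block:
            kind, name = block
            cmd = line.split()
            if kind == "group-policy" and cmd[:2] == ["group-lock", "value"]:
                locks[name] = cmd[2]
            elif kind == "tunnel-group" and cmd[0] == "default-group-policy":
                default_gp[name] = cmd[1]
    return locks, default_gp

def unlocked_tunnel_groups(config: str) -> List[str]:
    """Tunnel-groups whose default policy does not pin the user to that same group."""
    locks, default_gp = parse_asa(config)
    return sorted(tg for tg, gp in default_gp.items() if locks.get(gp) != tg)

if __name__ == "__main__":
    print("tunnel-groups without a matching group-lock:", unlocked_tunnel_groups(SAMPLE_CONFIG))
```

A group-policy or group-lock returned by RADIUS overrides the on-box default, so this check only covers the `default-group-policy` path; per-user RADIUS attributes need to be reviewed on the RADIUS server.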
