
New Member

VPN-Tunnel group issue

In our organization we are using a Cisco ASA 5540 (IOS version 8.4(3)12) for allowing IPsec VPN access to employees and vendors over the internet. Employees are authenticated against Active Directory (via ACS) and vendors with locally created accounts on the ACS. The user groups in ACS are mapped to AD groups for VPN access.

  • In the ASA, there are mainly three tunnel-groups created for Employee (administrators and general user) and Vendor. Access to the internal network is provided based on tunnel-group.
  • In Active Directory groups/OUs are created for administrators and general users.
  • In RADIUS (ACS) there are three groups: administrators, general users and vendors. Administrators and general users are mapped to their respective groups in AD, and the vendors group is locally created in ACS.

Following are our observations and issue:

1. A general user can log in to the administrator tunnel-group, and an administrator can log in to the general user profile.

2. Also, a vendor can log in to employee profiles (administrators and general user).

3. The user group is not restricted to VPN tunnel-groups.

Cisco Employee

VPN-Tunnel group issue

You can configure ACS to assign users to a specific group-policy.

Here is the sample configuration for your reference:

Hope that helps.
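As an added illustration (not the sample configuration from the reply above, which did not survive on this page), here is an ASA 8.4-style CLI fragment that makes each RADIUS-assigned group-policy usable from exactly one tunnel-group via `group-lock`; the names TG-ADMIN/GP-ADMIN/ACL-ADMIN and so on, the server address 192.0.2.10 and the shared key are placeholders I chose, not values from the original post.

```text
! Added example, not the configuration from the reply above.
! Placeholders: RADIUS server 192.0.2.10, shared key, group and ACL names.
aaa-server ACS protocol radius
aaa-server ACS (inside) host 192.0.2.10
 key ExampleSharedKey
!
! Fallback policy: a user for whom ACS returns no group-policy lands here
! and is refused, instead of inheriting the tunnel-group's own policy.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0
!
! One group-policy per role. group-lock ties the policy to a single
! tunnel-group, so an ACS "administrators" user who selects the general-user
! or vendor profile is rejected at login rather than admitted.
group-policy GP-ADMIN internal
group-policy GP-ADMIN attributes
 group-lock value TG-ADMIN
 vpn-filter value ACL-ADMIN
group-policy GP-USER internal
group-policy GP-USER attributes
 group-lock value TG-USER
 vpn-filter value ACL-USER
group-policy GP-VENDOR internal
group-policy GP-VENDOR attributes
 group-lock value TG-VENDOR
 vpn-filter value ACL-VENDOR
!
! Every tunnel-group authenticates against ACS and defaults to GP-NOACCESS,
! so only a policy explicitly returned by ACS grants access.
tunnel-group TG-ADMIN type remote-access
tunnel-group TG-ADMIN general-attributes
 authentication-server-group ACS
 default-group-policy GP-NOACCESS
tunnel-group TG-USER type remote-access
tunnel-group TG-USER general-attributes
 authentication-server-group ACS
 default-group-policy GP-NOACCESS
tunnel-group TG-VENDOR type remote-access
tunnel-group TG-VENDOR general-attributes
 authentication-server-group ACS
 default-group-policy GP-NOACCESS
!
! On ACS, the authorization profile for each identity group returns the
! IETF Class attribute (25) as "OU=GP-ADMIN;", "OU=GP-USER;" or
! "OU=GP-VENDOR;"; the ASA then applies that named group-policy and
! enforces its group-lock.
```

The ACL-* access-lists referenced by `vpn-filter`, and the tunnel-group `ipsec-attributes` (pre-shared keys and the like), are assumed to be configured separately and are omitted here.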

New Member

VPN-Tunnel group issue

I have checked the configuration and it is perfectly fine, still I am facing the above issue...

Does having users in multiple group policies have anything to do with this?

And groups created locally in ACS are able to connect through any profile...
