Showing results for 
Search instead for 
Did you mean: 

Restrict local Admin user (mgmt purpose) to access VPN on ASA and IOS

Cisco Employee

How to configure it on ASA

We can try to accomplish this by using the group-lock attribute under the username attribute. for example 


username admin password admin
username admin attribute
group-lock value remote-1

Creating a tunnel-group with group-policy set to no-access.


hostname(config)# tunnel-group remote-1 type ipsec-ra
hostname(config)# tunnel-group remote-1 general-attributes
hostname)config)# default group-policy NOACCESS

You  can create a NOACCESS group-policy in order to deny the VPN connection  when the user should not have access to any VPN tunnel-group. This  configuration snippet is shown for your reference:



group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol IPSec webvpn

When user will try to connect to remote-1 (tunnel-group), he would always get NOACCESS (group-policy) where we have connection set to zero.

How to configure it on IOS

If local authentication is used, then the Group-Lock attribute is the only option to accomplish this task. The username in the local database must be of the following format:


crypto isakmp client configuration group VPNusers group-lock

! ----Now the user who should has access to VPN needs to be defined as:

username VPNUSER@VPNusers password <password>


!----The admin user who should not have access looks like
username admin password admin
username admin@xxxx password admin


VPNUSER is the username
VPNusers is the vpn group name

The admin user will not be able to connect as it doesn't has correct vpn group name as a suffix.

More information on Group-lock

The group lock feature, introduced in Cisco IOS 12.2(13)T, allows you to perform an extra authentication check during Xauth. With this feature enabled, the user must enter a username, group name, and user password during Xauth to authenticate. The username and group name can be entered in any of the following formats: "username/group name," "username\group name," "username%group name," or "username group name." The server compares the group name entered during Xauth with the group name sent for preshared key device authentication. If they do not match, the server denies the connection. To enable this feature, use the group-lock command for the group.

Cisco software does not strip the @group from the Xauth username, so the username user@group must exist in the local or external AAA database pointed to by the Internet Security Association Key Management Protocol (ISAKMP) profile selected at Phase 1 (machine group authentication).

Do not use the Group-Lock attribute if you are using RSA signature authentication mechanisms such as certificates. Use the User-VPN-Group attribute instead. The User-VPN-Group attribute is recommended regardless of whether preshared keys or the RSA signature is used as the method of authentication when an external AAA database is used.

Inputs/suggestion are always welcome

1 Comment

Hi Jatin,

Very helpful information for the users. Nice work.


Anim Saxena

Technical Community Manager - Security

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here