Separate RADIUS Profiles for SSLVPN Group

Hello Guys,

Need some help here. We are starting to deploy SSL VPN in our company and we recently purchased two ASA 5510 firewalls. I have already completed the initial configuration but I do have some questions on how to have it configured properly.

1. Employees and clients will access the URL

2. They will select the appropriate group on where they should login.

3. Enter credentials, etc.

4. Username/Password authentication is via RADIUS. The usernames were all created in Cisco ACS 5.3.

My challenge is, we have several clients and all their usernames were created in ACS 5.3. This means that if the configuration is just being differentiated by group settings, clientA can select the profile of clientB and still get authenticated. If that happens, they will be able to access each other's resources. Also, in the future, we will be deploying 2-factor authentication for some of our clients.

Can you guide me on how to restrict clientA from accessing the profile of clientB and vice versa? There will be around 30 client profiles and I want to make sure that they will only be authorized to access their respective profiles.

I read some articles on how this can be done on Cisco ACS 4.x but I'm using ACS 5.3.

Thanks in advance.



Separate RADIUS Profiles for SSLVPN Group

Hi John,

For this you can use:

1- Group-lock.

ASA Group-Lock and IP Pools

2- Group-URL or group ALIAS.

ASA 8.x: Allow Users to Select a Group at WebVPN Login via Group-Alias and Group-URL Method

3- Radius authentication

ASA 8.0: Configure RADIUS Authentication for WebVPN Users

Let me know.



Please rate any post you find helpful.

Separate RADIUS Profiles for SSLVPN Group

I just found the solution. There's an option in Cisco ACS 5.3 where you can define this: DAP-Tunnel-Group-Name. This will match the tunnel-group selected by the user, and I created a conditional statement in the ACS that the Identity Group of the user and the tunnel-group must match for it to pass.

I'm still trying to figure out my way here on SSLVPN but can you help me understand what a group-lock is? I have it on my configuration but I do not know its purpose.



Cisco Employee

Separate RADIUS Profiles for SSLVPN Group

Hi John,

The group-lock option restricts the group policy so it can only be used with the tunnel-group that is locked to it. If you send a group policy using attribute 25 (Class), the users in that specific group will get only that group-policy, and if the policy they are getting is linked to a tunnel group (using the group-lock), they should only be able to connect to the tunnel group you defined in the group-lock command. Any other attempt will be denied.


Luis Ramirez

VPN Team

Cisco TAC Support Engineer

Re: Separate RADIUS Profiles for SSLVPN Group


Please check Luis's explanation which is pretty clear (5 stars).

On the other hand, to give you a little bit more information to read:


Usage Guidelines

To disable group-lock, use the group-lock none command.

Group-lock restricts users by checking if the group configured in the VPN Client is the same as the tunnel group to which the user is assigned. If it is not, the ASA prevents the user from connecting. If you do not configure group-lock, the ASA authenticates users without regard to the assigned group.


The following example shows how to set group lock for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes

hostname(config-group-policy)# group-lock value <tunnel-group-name>

From the ASDM:

Let me know if you have any further questions.


Please rate any post you find helpful.
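
The pieces discussed in this thread (group-alias selection, RADIUS Class attribute 25, and group-lock) fit together as in the ASA configuration sketch below. This is an added example, not configuration posted by anyone in the thread; every name (ACS-RADIUS, ClientA-TG, ClientA-GP, NoAccess), the server address, and the shared-secret placeholder are assumptions, and the NoAccess fallback policy is an addition for sessions where RADIUS returns no Class value.

```text
! Constructed example: all names and addresses are hypothetical placeholders.
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 192.0.2.10
 key <shared-secret>
!
! Fallback policy used when RADIUS returns no Class attribute.
! Zero simultaneous logins means nobody can connect on this policy.
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0
!
! One group-policy per client, each locked to that client's tunnel-group.
group-policy ClientA-GP internal
group-policy ClientA-GP attributes
 group-lock value ClientA-TG
group-policy ClientB-GP internal
group-policy ClientB-GP attributes
 group-lock value ClientB-TG
!
! One tunnel-group per client; the alias is what users pick at login.
tunnel-group ClientA-TG type remote-access
tunnel-group ClientA-TG general-attributes
 authentication-server-group ACS-RADIUS
 default-group-policy NoAccess
tunnel-group ClientA-TG webvpn-attributes
 group-alias ClientA enable
!
tunnel-group ClientB-TG type remote-access
tunnel-group ClientB-TG general-attributes
 authentication-server-group ACS-RADIUS
 default-group-policy NoAccess
tunnel-group ClientB-TG webvpn-attributes
 group-alias ClientB enable
!
webvpn
 tunnel-group-list enable
!
! RADIUS side (assumed): the authorization profile for each client's
! identity group returns that client's group-policy in attribute 25:
!   client A users -> Class = OU=ClientA-GP;
!   client B users -> Class = OU=ClientB-GP;
!
! Outcome: a client B user who selects alias "ClientA" authenticates,
! is assigned ClientB-GP via Class, and is denied because the group-lock
! value (ClientB-TG) does not match the selected tunnel-group (ClientA-TG).
```

After applying a layout like this, test each client account against every other client's alias and confirm the mismatched attempts are rejected before going live with all 30 profiles.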