Showing results for 
Search instead for 
Did you mean: 

Cisco ASA with multiple groups for one user

Hi Experts

I have a setup with 1 ASAv used for AnyconnectVPN.
This is what I want to do:

1. I have 3 different users, User1, User2 and User3.
2. Authenication is done via Radius towards a Microsoft NPS-server.
3. User1 is member of AD-group Group1-remote
4. User2 is memeber of AD-group Group2-remote
5. User3 is member of both Group1-remote and Group2-remote
6. I have created 2 tunnel-groups, Group1 with group-url https://x.x.x.x/group1 and address-pool Group1, and Group2 with group-url https://x.x.x.x/group2 and address-pool Group2

When connecting to https://x.x.x.x/group1 using user1 or user3 I get authenticated and assigned IP-address from the address-pool Group1.
When connecting to https://x.x.x.x/group2 using user2 I get authenticated and assigned IP-address from the address-pool Group2.
But when connecting to https://x.x.x.x/group2 using user3 I authentication failed.

The reason for having this setup is that user3 should have access to 2 diffent network on the inside, but when user3 are connected to network1 he is not allowed to have access to network2, and vice versa.

Anyone who can point me in the right direction to solve this?


VIP Mentor

Hi @PaulMalqmvist 

What is the error in the NPS logs when user3 fails authentication?


The problem you might face is if someone connects to the wrong tunnel-group. You can amend your NPS rules to use "Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name" AND AD Groupname. So you only authenticate AD-Group1 users to Tunnel-Group1 and another for AD-Group2 and Tunnel-Group2.




Hi Rob

Thanks for your answer.

It's not the NPS that reject the logon, it's the ASA because the NPS returns Group1 and Group2 as attribute 25, but ASA only look at the first attribute in this case.

So I need something in the ASA to be able to differentiate between the 2 differnt URL's.


VIP Mentor

Yes, that RADIUS AV I provided above will differentiate between whether the user connects from the different tunnel-groups. You will need 2 NPS rules, 1 for each tunnel-group/ad-group pair.


Hi Rob

Thank you for the answer.

Do you know howto configure this in Microsoft NPS, or point me to some documentation that describes this? I can't find out how to check the Radius attribute Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name in the conditions.