VPN-Tunnel group issue

sharath86
Level 1

In our organization we are using a Cisco ASA 5540 (software version 8.4(3)12) for allowing IPSec VPN access to employees and vendors over the internet. Employees are authenticated against Active Directory (via ACS) and vendors with locally created accounts on the ACS. The user groups in ACS are mapped to AD groups for VPN access.

  • In the ASA, there are mainly three tunnel-groups created, for Employee (administrators and general users) and Vendor. Access to the internal network is provided based on tunnel-group.
  • In Active Directory, groups/OUs are created for administrators and general users.
  • In RADIUS (ACS) there are three groups: administrators, general users and vendors. Administrators and general users are mapped to their respective groups in AD, and the vendors group is locally created in ACS.

Following are our observations and issue:

1. A general user can log in to the administrator tunnel-group, and an administrator can log in to the general-user profile.

2. Also, a vendor can log in to the employee profiles (administrators and general users).

3. User groups are not restricted to VPN tunnel-groups.


Jennifer Halim
Cisco Employee

You can configure ACS to assign users to a specific group-policy.

Here is the sample configuration for your reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808cf897.shtml

Hope that helps.
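A worked ASA configuration for the approach described in this reply (an added example, not part of the thread or of the linked Cisco document; the server-group, tunnel-group and group-policy names, the ACS address and the shared secret are all assumed). The idea is that ACS returns a group-policy per ACS group, each group-policy is locked to exactly one tunnel-group, and anyone who arrives without an assigned group-policy gets a policy that permits zero logins:

```cisco
! Added example, not from the original thread. All names are assumed
! (ACS_RADIUS, TG_ADMIN, TG_USER, TG_VENDOR, GP_ADMIN, GP_USER, GP_VENDOR,
! GP_NOACCESS, 10.0.0.10, <shared-secret>); adapt them to the real setup.

! RADIUS server group pointing at ACS
aaa-server ACS_RADIUS protocol radius
aaa-server ACS_RADIUS (inside) host 10.0.0.10
 key <shared-secret>

! Catch-all policy: a user for whom ACS returns no group-policy lands
! here and is denied, because zero simultaneous logins are allowed.
group-policy GP_NOACCESS internal
group-policy GP_NOACCESS attributes
 vpn-simultaneous-logins 0

! One group-policy per role. group-lock pins the policy to a single
! tunnel-group, so a user whose ACS group returns GP_ADMIN is rejected
! if they connect through TG_USER or TG_VENDOR (and vice versa).
group-policy GP_ADMIN internal
group-policy GP_ADMIN attributes
 vpn-tunnel-protocol ikev1
 group-lock value TG_ADMIN

group-policy GP_USER internal
group-policy GP_USER attributes
 vpn-tunnel-protocol ikev1
 group-lock value TG_USER

group-policy GP_VENDOR internal
group-policy GP_VENDOR attributes
 vpn-tunnel-protocol ikev1
 group-lock value TG_VENDOR

! Every tunnel-group authenticates against ACS and defaults to the
! deny-all policy; the real policy must come from ACS.
tunnel-group TG_ADMIN type remote-access
tunnel-group TG_ADMIN general-attributes
 authentication-server-group ACS_RADIUS
 default-group-policy GP_NOACCESS

tunnel-group TG_USER type remote-access
tunnel-group TG_USER general-attributes
 authentication-server-group ACS_RADIUS
 default-group-policy GP_NOACCESS

tunnel-group TG_VENDOR type remote-access
tunnel-group TG_VENDOR general-attributes
 authentication-server-group ACS_RADIUS
 default-group-policy GP_NOACCESS

! ACS side (not ASA CLI): in each ACS group's RADIUS attributes, return
! IETF attribute 25 (Class) with the matching policy name, for example
!   administrators  -> Class = OU=GP_ADMIN;
!   general users   -> Class = OU=GP_USER;
!   vendors         -> Class = OU=GP_VENDOR;
! The ASA maps the OU= value onto the group-policy of the same name.
```

With this in place, the three observations in the question are closed by two different mechanisms: the Class attribute decides which group-policy a user gets, and group-lock decides which tunnel-group that policy may be used from. After a test login, `show vpn-sessiondb` lists the Group Policy and Tunnel Group of each session, which is the quickest way to confirm that ACS is actually returning the attribute; a user who is a member of more than one ACS group should be checked there too, since only one Class value can win.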

I have checked the configuration and it is perfectly fine; still I am facing the above issue...

Does having users in multiple group policies have anything to do with this?

And groups created locally in ACS are able to connect through any profile...