To restrict an Active Directory Group to a single VPN Tunnel Group


Let’s say you have Cisco ACS up and running and it is already successfully authenticating against your Active Directory installation. You also already have an existing VPN Client remote access configuration on the ASA where the group policy name is “GP_VPN_ITNET” and the tunnel group name is “TG_VPN_ITNET”.

Now you have an Active Directory group called “RG_VPN_ITNET” and want to ensure that the only VPN remote access profile that group can use is the existing remote configuration. Two pieces are needed: ACS must push the group policy to the ASA for members of that AD group (via the RADIUS Class attribute), and the ASA must refuse to let that group policy be used from any other tunnel group (via group-lock). Without the second step a member could still pick a different tunnel group in the client and land in a different group policy.

  1. Log into the Cisco ACS.
  2. Create a new Network Access Authorization Profile under Policy Elements -> Authorization and Permissions -> Network Access -> Authorization Profiles.
     • Create a new profile.
     • Name the profile to match the desired AD VPN group name. Example name: “RG_VPN_ITNET”.
     • On the RADIUS Attributes tab, add the following:
       - Dictionary Type: RADIUS-IETF
       - RADIUS Attribute: 25 – Class
       - In the bottom (value) field, fill in the group-policy name from the ASA tunnel-group configuration, in the form the ASA expects. Example: “OU=GP_VPN_ITNET;” (the “OU=” prefix and the trailing semicolon are required for the ASA to map the Class attribute to a group policy).
  3. Create a new rule under the “Radius-CPS Remote Access” object in Access Policies -> Services Access.
     • Name the authorization rule. Example: “RG_VPN_ITNET”.
     • Conditions: AD1:ExternalGroups: use the desired AD VPN group. Example: “Groups/Resource groups/VPN/RG_VPN_ITNET”.
     • Result: specify the Authorization Profile “RG_VPN_ITNET”.
     • Move the authorization rule above the existing rules, so that members of the AD group always match it regardless of which tunnel group they connect to.
  4. Connect to the ASA unit where the remote access VPN tunnel-group configuration exists and lock the group policy to its tunnel group:

     configure terminal
     group-policy GP_VPN_ITNET attributes
      group-lock value TG_VPN_ITNET

  5. Test:
     • A member of the Active Directory group connects successfully with the VPN client through tunnel group TG_VPN_ITNET and is assigned group policy GP_VPN_ITNET (check with “show vpn-sessiondb” on the ASA).
     • The same member is rejected when connecting through any other tunnel group, because ACS still returns GP_VPN_ITNET and the group-lock does not match.
     • A user who is not a member of the group is unaffected and continues to match the existing rules.
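The ASA side of the configuration described above, shown as one complete fragment so the three pieces (the RADIUS server group that points at ACS, the tunnel group that uses it, and the group-lock on the group policy) can be seen together. This is an added example and not configuration from the original page; the server-group name “ACS”, the address 10.0.0.10, the interface name “inside”, the shared secret and the address pool are placeholders, and the existing deployment will already have its own values for them.

```cisco
! RADIUS server group pointing at the Cisco ACS (address and key are placeholders)
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.0.0.10
 key <shared-secret>
!
! Group policy that ACS hands back via RADIUS Class = "OU=GP_VPN_ITNET;"
! group-lock rejects the session if the user reached this policy from any
! tunnel group other than TG_VPN_ITNET
group-policy GP_VPN_ITNET internal
group-policy GP_VPN_ITNET attributes
 vpn-tunnel-protocol ikev1
 group-lock value TG_VPN_ITNET
!
! Remote access tunnel group that authenticates and authorizes against ACS
tunnel-group TG_VPN_ITNET type remote-access
tunnel-group TG_VPN_ITNET general-attributes
 address-pool VPN_POOL_ITNET
 authentication-server-group ACS
 default-group-policy GP_VPN_ITNET
```

Because the ACS rule for RG_VPN_ITNET sits above the other rules, every member of that AD group receives Class “OU=GP_VPN_ITNET;” no matter which tunnel group they selected in the client. The ASA applies GP_VPN_ITNET as the user’s group policy and then evaluates group-lock: a connection through TG_VPN_ITNET proceeds, while a connection through any other tunnel group is dropped. “show vpn-sessiondb” on the ASA shows the tunnel group and group policy actually applied to a connected user, which is the quickest way to confirm the mapping during the test step.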