Deny VPN Access to a User Group

When you do not want an authenticated user or user group to be able to use the VPN, you can configure a group policy to deny VPN access. You configure the group policy in a remote access VPN policy and reference it in the ISE or RADIUS server configuration for authorization.

Before you begin

Ensure that you have configured remote access VPN using the Remote Access Policy wizard and configured authentication settings for the remote access VPN policy.

Procedure


Step 1

On your Cisco Defense Orchestrator web interface, choose Devices > VPN > Remote Access.

Step 2

Select a remote access policy and click Edit.

Step 3

Select Advanced > Group Policies.

Step 4

Select a group policy and click Edit or add a new group policy.

Step 5

Select Advanced > Session Settings and set Simultaneous Login Per User to 0 (zero).

This stops the user or user group from connecting to the VPN even once.

Step 6

Click Save to save the group policy and then save the remote access VPN configuration.

Step 7

Configure ISE or the RADIUS server so that the Authorization Profile for that user or user group sends IETF RADIUS Attribute 25, mapped to the corresponding group policy name.

Step 8

Configure the ISE or RADIUS server as the authorization server in the remote access VPN policy.

Step 9

Save and deploy the remote access VPN policy.