VPN 3000 Concentrator Series User Guide
Chapter 12: User Management
Groups and users are core concepts in managing the security of VPNs and in configuring the VPN 3000 
Concentrator. Groups and users have attributes, configured via parameters, that determine their access 
to and use of the VPN. Users are members of groups, and groups are members of the base group. This 
section of the VPN 3000 Concentrator Series Manager lets you configure those parameters.
Groups simplify system management. To streamline configuration, the VPN Concentrator provides a base 
group that you configure first. The base-group parameters are those that are most likely to be common 
across all groups and users. As you configure a group, you can simply specify that it “inherit” 
parameters from the base group; a user can likewise “inherit” parameters from a group. Thus 
you can quickly configure authentication for large numbers of users.
Of course, if you decide to grant identical rights to all VPN users, then you don’t need to configure 
specific groups. But VPNs are seldom managed that way. For example, you might allow a Finance group 
to access one part of a private network, a Customer Support group to access another part, and an MIS 
group to access other parts. Further, you might allow specific users within MIS to access systems that 
other MIS users cannot access.
You can configure detailed parameters for groups and users on the VPN Concentrator internal 
authentication server. External RADIUS authentication servers also can return group and user 
parameters that match those on the VPN Concentrator; other authentication servers do not. The Cisco 
software CD-ROM includes a 30-day evaluation copy of Funk Software’s Steel-Belted RADIUS 
authentication server and instructions for using it with the VPN Concentrator.
You can configure a maximum of 100 groups and users (combined) in the VPN Concentrator internal 
server, which is adequate for a small user base. For larger numbers of users, we recommend using the 
internal server to configure groups (and perhaps a few users) and using a RADIUS server to authenticate 
the users.
The VPN Concentrator checks authentication parameters in this order:
• First: User parameters. If any parameters are missing, the system looks at:
• Second: Group parameters. If any parameters are missing, the system looks at:
• (Third, for IPSec users only: IPSec tunnel-group parameters. These are the parameters of the IPSec 
group used to create the tunnel. The IPSec group is configured on the internal server.) If any 
parameters are missing, the system looks at:
• Last: Base-group parameters.
If you use a non-RADIUS server, only the IPSec tunnel-group or base-group parameters apply to users.
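
The lookup order above can be modeled to audit which level supplies each effective parameter for a user. The following is an added example, not code from the VPN Concentrator or its documentation; the parameter names, values, and the `server_returns_params` flag are constructed for illustration, and the internal server is assumed to behave like RADIUS in supplying user and group parameters.

```python
"""Effective-parameter lookup in the order the guide describes.
Parameter names and values below are constructed for illustration."""

def resolve(user, group, base, tunnel_group=None, *, ipsec=False,
            server_returns_params=True):
    """Return {name: (value, source)} for one user.

    server_returns_params: True for the internal server or RADIUS, False for
    any other authentication server (user and group levels are then skipped).
    A parameter counts as missing when its key is absent or its value is None.
    """
    levels = []
    if server_returns_params:
        levels += [("user", user), ("group", group)]
    if ipsec and tunnel_group is not None:
        levels.append(("ipsec-tunnel-group", tunnel_group))
    levels.append(("base-group", base))

    effective = {}
    for source, params in levels:
        for name, value in params.items():
            if value is not None and name not in effective:
                effective[name] = (value, source)  # first level that sets it wins
    return effective

# Constructed sample configuration.
BASE = {"idle_timeout_min": 30, "simultaneous_logins": 3, "allowed_network": "any"}
MIS_GROUP = {"allowed_network": "10.2.0.0/16", "idle_timeout_min": None}
MIS_TUNNEL = {"idle_timeout_min": 15}
ALICE = {"simultaneous_logins": 1}

def compare():
    """Resolve the same IPSec user with and without user/group parameters."""
    with_params = resolve(ALICE, MIS_GROUP, BASE, MIS_TUNNEL, ipsec=True)
    without = resolve(ALICE, MIS_GROUP, BASE, MIS_TUNNEL, ipsec=True,
                      server_returns_params=False)
    return with_params, without

if __name__ == "__main__":
    for label, result in zip(("internal/RADIUS", "other server"), compare()):
        print(label)
        for name in sorted(result):
            value, source = result[name]
            print(f"  {name} = {value!r}  (from {source})")
```

In the second case the user's and group's own settings never apply, so the tunnel-group and base-group values become the effective policy for that user.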










