VPN Group Lock

The purpose of the Group-Lock feature is to make sure a user is only allowed to
login under a certain group. Without this feature, a user knowing another group's
password may use that group's name to authenticate with the server and gain
access to features not allowed for its native group. When the Group Lock feature
is enabled for a group, all Xauth usernames must be in the format
username@GROUP
username\GROUP
username/GROUP
username%GROUP
where GROUP is the ezVPN group name. The server will extract the group name
from the Xauth username and compare it with the ezVPN group name. If they
don’t match, the connection is rejected.
This automatically means that all names stored in the local database must follow
the syntax specified above. Notice that this Group Lock differs from the Group
Lock feature found in Cisco VPN 3000 concentrators and ASA firewalls.
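As an added illustration (not IOS code and not from the original page), the following models the check the server performs on the Xauth username. Two details the text leaves open are assumptions here: the group is taken as whatever follows the last delimiter, and the comparison is case-sensitive.

```python
"""Model of the ezVPN Group Lock check (illustrative only, not Cisco code).

Assumptions not stated on the page: the group name is the text after the LAST
delimiter in the Xauth username, matching is case-sensitive, and a username
without any delimiter is rejected when Group Lock is enabled.
"""
from typing import Optional, Tuple

# The four separators listed on the page: @ \ / %
GROUP_DELIMITERS = "@\\/%"


def split_xauth_username(xauth_user: str) -> Tuple[str, Optional[str]]:
    """Return (username, group); group is None if no usable delimiter exists."""
    idx = max(xauth_user.rfind(d) for d in GROUP_DELIMITERS)
    if idx <= 0 or idx == len(xauth_user) - 1:
        # no delimiter, empty username part, or empty group part
        return xauth_user, None
    return xauth_user[:idx], xauth_user[idx + 1:]


def group_lock_check(xauth_user: str, ezvpn_group: str,
                     group_lock: bool = True) -> Tuple[bool, str]:
    """Decide whether the login is allowed under the negotiated ezVPN group.

    With group_lock=False the username is not inspected at all, which is the
    gap the feature closes: knowing another group's pre-shared key is enough.
    """
    if not group_lock:
        return True, "group-lock disabled; username not checked"
    user, group = split_xauth_username(xauth_user)
    if group is None:
        return False, "group-lock: username lacks a GROUP suffix"
    if group != ezvpn_group:
        return False, (f"group-lock: username group {group!r} "
                       f"does not match ezVPN group {ezvpn_group!r}")
    return True, f"group-lock: user {user!r} accepted in group {group!r}"


if __name__ == "__main__":
    # Constructed sample logins against a group named SALES
    for attempt in ["alice@SALES", "bob/ENGINEERING", "carol", "dave%SALES"]:
        print(attempt, "->", group_lock_check(attempt, "SALES"))
```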

IOS Group Lock only works with pre-shared keys authentication, not
digital signatures.
