ASA AAA Authentication: adding radius server fails

jcw009
Level 1

Hi,

Here's my aaa config:

aaa-server RADIUS1 protocol radius
aaa-server RADIUS1 host 172.30.10.24
 key SuperSecretKey
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
http server enable

Whenever I try to add the radius server to ssh console it fails:

asa1(config)# aaa authentication ssh console RADIUS1 LOCAL
Range already exists.

Any hints?

Thanks!

Jeff

5 Replies

Herbert Baerten
Cisco Employee

First remove the existing config:

no aaa authentication ssh console LOCAL

Then apply the new config:

aaa authentication ssh console RADIUS1 LOCAL

If I do this, will it mean that anyone who can be authenticated on the radius server can log into the firewall?

Yes.

Depending on what Radius server it is, you may or may not be able to configure it to accept/reject the authentication based on some parameters like the ip address of the radius client.

But as far as the ASA is concerned, if the Radius server says it's ok, it lets the user in.

I assumed that that is what you wanted, since you were trying to implement this command?

I think what I was trying to do was use my radius box like a tacacs box. It doesn't seem like that would work. I'm using Windows 2003 IAS as a radius server to authenticate vpn clients, and don't want anyone who can vpn in to be able to log in to the firewall. May have to look into setting up a tacacs box.

Thanks for your help!

You could pass back the IETF service-type attribute on the radius server. You can then use this to restrict the access for these users.

Here is what is required for the radius-delivered service-type attribute to be enforced for CLI access:

"aaa authorization exec authentication-server" must be enabled

"aaa authentication enable console" must be enabled.

IETF RADIUS Service-Type attribute must be returned in the access-accept packet.

Also note, make sure you are using a version of code with the fix for CSCsk89452.

If you are using local authentication instead of radius this can also be done with the following commands:

username attributes
 service-type <(admin,nas-prompt,remote-access)>

-heather
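Pulling the thread together, here is an added example of a complete ASA management-AAA configuration that applies Heather's recommendation to Jeff's original setup. It is not configuration posted by anyone in this thread; the server tag RADIUS1, the host 172.30.10.24 and the shared key are reused from Jeff's post, while the local account name fwadmin and its password are constructed placeholders. The Service-Type values in the comments are the standard IETF RADIUS attribute 6 values (RFC 2865) and the ASA's documented treatment of them.

```cisco
! Added example (not from the thread). RADIUS1 / 172.30.10.24 / key reuse Jeff's values;
! the fwadmin account and its password are constructed placeholders.

! RADIUS server group used for management (SSH / enable) authentication
aaa-server RADIUS1 protocol radius
aaa-server RADIUS1 host 172.30.10.24
 key SuperSecretKey

! Remove the LOCAL-only methods first, otherwise the ASA reports "Range already exists."
no aaa authentication ssh console LOCAL
no aaa authentication enable console LOCAL

! Authenticate SSH and enable against RADIUS. LOCAL is consulted only when the
! RADIUS1 group is unreachable, not when the server actively rejects the user.
aaa authentication ssh console RADIUS1 LOCAL
aaa authentication enable console RADIUS1 LOCAL

! Enforce the Service-Type attribute carried in the Access-Accept:
!   Administrative (6) -> full CLI access and enable mode
!   NAS-Prompt (7)     -> user-level CLI only; enable is refused
!   Framed (2)         -> remote-access (VPN) users; CLI and ASDM login are refused
! Without this line every user the server accepts can log in, which is what
! the thread warns about.
aaa authorization exec authentication-server

! Keep command authorization local, as in the original config
aaa authorization command LOCAL

! Local fallback account, tagged so it keeps admin access under exec authorization
username fwadmin password ChangeMe-Placeholder privilege 15
username fwadmin attributes
 service-type admin
```

On the IAS side the remote-access policy that matches firewall administrators has to add the standard attribute Service-Type with value Administrative to its profile, and the policy used for VPN clients should return Framed (or omit the attribute, which the ASA treats the same way once exec authorization is on). A useful check after the change is to log in over SSH with a VPN-only account and confirm the ASA refuses the session even though the RADIUS server returned Access-Accept; that is the behaviour Jeff was after and the reason plain RADIUS1 LOCAL authentication was not enough.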
