Hello I am setting up an ASA to authenticate users to a radius box. However once they are set up whats to stop them from getting another pcf file and authenticating with that pcf file and accessing the networks specific to that pcf file? Is there a way to segment users? Once I set up the radius authentication can a user just use whatever pcf file they want and authentica that way?
If you don't take any precautions, then it is possible that a user connects with a different PCF. You can configure group-lock or better, use a default group-policy that won't allow any access and assign the right group-policy with the RADIUS authorization-response.
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
Just adding to Karsten's recommendation, this guide shows how to use the ACS to assign the group-policy with the class attribute:
After assigning the attribute for allowed users you can just set a default group-policy denying access, similar to the following:
group-policy NOACCESS internal
group-policy NOACCESS attributes
It can also be done with a Microsoft server using RADIUS policies to assign attribute 25
So with the group policies if one of my customers gets ahold of a pcf file they won't be able to authenticate? Wouldn't they just authenticate under a different group?
That's what the group-lock feature Karsten suggested is for, it will bind a tunnel-group to a group-policy, if you authenticate to a tunnel-group but the RADIUS mapping sends you to a group-policy different than the one specified in the group-lock value your connection attempt will be denied.
Herbert's reply offeres a very good explanation on how this feature works.
Just adding more information about group-lock and RADIUS:
Please rate any posts you find helpful.
You are welcome
Please take 1 minute to rate any posts you found helpful and mark it as answered.
Message was edited by: Javier Portuguez