Showing results for 
Search instead for 
Did you mean: 

ASA Radius authentication concerns


Hello I am setting up an ASA to authenticate users to a radius box.  However once they are set up whats to stop them from getting another pcf file and authenticating with that pcf file and accessing the networks specific to that pcf file?  Is there a way to segment users?  Once I set up the radius authentication can a user just use whatever pcf file they want and authentica that way?

7 Replies 7

Karsten Iwen
VIP Mentor VIP Mentor
VIP Mentor

If you don't take any precautions, then it is possible that a user connects with a different PCF. You can configure group-lock or better, use a default group-policy that won't allow any access and assign the right group-policy with the RADIUS authorization-response.

Don't stop after you've improved your network! Improve the world by lending money to the working poor:

Just adding to Karsten's recommendation, this guide shows how to use the ACS to assign the group-policy with the class attribute:

After assigning the attribute for allowed users you can just set a default group-policy denying access, similar to the following:

group-policy NOACCESS internal

group-policy NOACCESS attributes

vpn-simultaneous-logins 0

It can also be done with a Microsoft server using RADIUS policies to assign attribute 25

So with the group policies if one of my customers gets ahold of a pcf file they won't be able to authenticate?  Wouldn't they just authenticate under a different group?

That's what the group-lock feature Karsten suggested is for, it will bind a tunnel-group to a group-policy, if you authenticate to a tunnel-group but the RADIUS mapping sends you to a group-policy different than the one specified in the group-lock value your connection attempt will be denied.

Further reading:

Herbert's reply offeres a very good explanation on how this feature works.


Just adding more information about group-lock and RADIUS:

How to configure group lock through the RADIUS server on an ASA



Please rate any posts you find helpful.

Thank you for all your help!

Hi Jeff,

You are welcome

Please take 1 minute to rate any posts you found helpful and mark it as answered.

Message was edited by: Javier Portuguez

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers