Group Lock issue, with RADIUS

Unanswered Question
Feb 28th, 2007

I am trying to what seems to be a simple issue, but !!!

Group lock works with attribute 25, but if a user is sent, for example, to the default group on the ACS or any group where option 25 is not configured (or configured to some value not available on the ASA), the group lock policy is not enforced, i.e. the user gets in fine no matter what VPN group he is in.

Is that normal behavior?

Cheers

Arni

b.hsu Tue, 03/06/2007 - 07:21

This is normal. It's the ASA that does the group lock, not ACS. ACS just returns the group name that the user should be in, and the ASA does the checking!

ACS only checks the username/password; if they are valid, it RETURNS (not check) the OU attribute.

Try this link:

http://www.cisco.com/warp/public/471/altigagroup.html
