My setup is like this:

VPN client-->Concentrator 3030 --> PIX--> Microsoft IAS (Radius)-->Microsoft ActiveDirectory.

I use group authentication enabled for the client to authenticate with the concentrator and then for the user authentication MS Active directory is used through a Radius server (microsoft IAS).

a) All the remote users connect to the Cisco VPN concentrator using the local profile(.pcf). There are two profiles available with one having more access privileges on the lan and other is having very limited access.

(b) The remote client first uses Group Authentication method to authenticate to the VPN concentrator using the username and encrypted password stored in the local profile (*.pcf).

(c) After that the user will get authenticated on to the LAN by the Active Directory through IAS (RADIUS) server.

Since the local profile(.pcf) is stored on the client side, which also has a factor which determines the type of privilege (either more or less privileges), he gets on the network. So currently, if a remote client who supposed to have very limited access on the LAN, obtains a privileged access profile to connect, the risk is high since he gets more privileges on the LAN.

Currently I noticed that some users copy the more privileged access profile themselves and replaced it with their original profile file to obtain more access.

Any help/advice on how to control this or is there any alternate solution available on VPN concentrator or on Microsoft IAS (RADIUS)/Active Directory?