asa to IAS Radius authentication

Unanswered Question
Jan 2nd, 2008
User Badges:

I've got a vpn client authentication working with an ASA running version 8.03 to an MS 2003 IAS server using the following link.

However with this configuration any Domain user can vpn in. How can I limit vpn access based on a Windows group?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
francisco_1 Wed, 01/02/2008 - 15:43
User Badges:
  • Gold, 750 points or more

You can setup policy under IAS console to permits users who are members of a Active Directory group only to have vpn access. under the new policy setup attributes you can setup so access can be restricted to members of the AD group only.

To define a remote access policy, from the IAS console, right-click Remote Access Policies and click New Remote Access Policy.

In the New Remote Access Policy Wizard, select Set up a custom policy and type a policy name. Click Next.

Under the Policy Conditions box, click Add and then select the Windows-Groups attribute type.

Select the Active Directory user group whose access you want to restrict OR allow access. A summary of conditions to match for this policy is shown. You may add additional groups, but users must be a member of all the groups to be granted access. Click Next.

Select Grant or Deny remote access permission based on the group in AD and click Next.


Click Edit Profile to edit the dial-in properties for the remote access profile. This is where Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP) authentication and VSAs are enabled. Click the Authentication tab and clear the Microsoft Encrypted Authentication check boxes. Select the Encrypted authentication (CHAP) and Unencrypted authentication (PAP, SPAP) check boxes.

you can get some ideas from this link:


This Discussion