I have managed to get clientless SSL working using my Windows IAS RADIUS server.
I have been trying to lock it down so only the Sales department can access SSL using the drop-down menu on the logon screen called "sales" and the IT department can only use the drop-down menu called "IT".
I have been using the group-lock function on the ASA 5520 and on the IAS server I have been using the "class" attribute (attribute 25).
Everything is working fine for Sales: if they are not in the correct Active Directory group, they can't log in.
Now the interesting part is this. I created the IT part on the ASA and IAS server, so I have a drop down box saying "IT" and "Sales".
Problem is, Sales can now log into Sales and IT. When I look at the IAS logs when I log into IT, it says it used the Sales policy on the IAS server.
It's like the group-lock is not working properly; once the authentication request gets sent to the IAS server, it just looks in any group until it finds me.