Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

asa to IAS Radius authentication

I've got a vpn client authentication working with an ASA running version 8.03 to an MS 2003 IAS server using the following link.

However with this configuration any Domain user can vpn in. How can I limit vpn access based on a Windows group?

  • AAA Identity and NAC

Re: asa to IAS Radius authentication

You can setup policy under IAS console to permits users who are members of a Active Directory group only to have vpn access. under the new policy setup attributes you can setup so access can be restricted to members of the AD group only.

To define a remote access policy, from the IAS console, right-click Remote Access Policies and click New Remote Access Policy.

In the New Remote Access Policy Wizard, select Set up a custom policy and type a policy name. Click Next.

Under the Policy Conditions box, click Add and then select the Windows-Groups attribute type.

Select the Active Directory user group whose access you want to restrict OR allow access. A summary of conditions to match for this policy is shown. You may add additional groups, but users must be a member of all the groups to be granted access. Click Next.

Select Grant or Deny remote access permission based on the group in AD and click Next.


Click Edit Profile to edit the dial-in properties for the remote access profile. This is where Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP) authentication and VSAs are enabled. Click the Authentication tab and clear the Microsoft Encrypted Authentication check boxes. Select the Encrypted authentication (CHAP) and Unencrypted authentication (PAP, SPAP) check boxes.

you can get some ideas from this link:

Re: asa to IAS Radius authentication

please rate if this helped