Cisco Support Community
Community Member

Group-lock and Windows IAS Radius - SSL clientless VPN on ASA


I have managed to get clientless SSL working using my Windows IAS radius server.

I have been trying to lock it down so only the Sales department can access SSL using the drop-down menu on the logon screen called "sales" and the IT department can only use the drop-down menu called "IT".

I have been using the group-lock function on the ASA 5520 and on the IAS server I have been using the "class" attribute (attribute 25).

Everything is working fine for Sales; if they are not in the correct Active Directory group, they can't log in.

Now the interesting part is this. I created the IT part on the ASA and IAS server, so I have a drop down box saying "IT" and "Sales".

The problem is Sales can now log into Sales and IT. When I look at the IAS logs when I log into IT, it says it used the Sales policy on the IAS server.

It's like the group-lock is not working properly; once the authentication request gets sent to the IAS server, it just looks in any group until it finds me.


Re: Group-lock and Windows IAS Radius - SSL clientless VPN on AS

Any errors in the configuration of the Group-lock feature may cause this problem. In order to configure group lock, send the group policy name in the class attribute 25 on the Remote Authentication Dial-In User Service (RADIUS) server and choose the group in order to lock the user within the policy.
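
An illustrative ASA-side layout for the setup discussed in this thread, added here as an example and not taken from either poster's configuration. The policy names `SalesPolicy` and `ITPolicy`, the server tag `IAS`, the interface name and the address 192.0.2.10 are assumptions; the tunnel-group aliases follow the "sales" and "IT" drop-down entries from the question.

```cisco
! Constructed example. Names, interface and addresses are placeholders.
aaa-server IAS protocol radius
aaa-server IAS (inside) host 192.0.2.10
 key <shared-secret>
!
! One group-policy per department. group-lock names the only
! tunnel-group (connection profile) a user holding this policy may use.
group-policy SalesPolicy internal
group-policy SalesPolicy attributes
 vpn-tunnel-protocol webvpn
 group-lock value Sales
!
group-policy ITPolicy internal
group-policy ITPolicy attributes
 vpn-tunnel-protocol webvpn
 group-lock value IT
!
! One tunnel-group per drop-down entry, both authenticating against IAS.
tunnel-group Sales type remote-access
tunnel-group Sales general-attributes
 authentication-server-group IAS
tunnel-group Sales webvpn-attributes
 group-alias sales enable
!
tunnel-group IT type remote-access
tunnel-group IT general-attributes
 authentication-server-group IAS
tunnel-group IT webvpn-attributes
 group-alias IT enable
!
webvpn
 tunnel-group-list enable
!
! On the IAS server, each remote access policy returns attribute 25
! (Class) naming the matching group-policy, for example:
!   Sales policy (AD group: Sales) -> Class = OU=SalesPolicy;
!   IT policy    (AD group: IT)    -> Class = OU=ITPolicy;
! The ASA applies the group-policy named in Class, and the connection
! is permitted only when that policy's group-lock value equals the
! tunnel-group the user selected in the drop-down.
```

The `vpn-tunnel-protocol` keyword for clientless SSL depends on the ASA software release, so check it against the running version. After a test login, `show vpn-sessiondb webvpn` shows which group-policy and tunnel-group the session was actually assigned.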
