Cisco ASA AnyConnect VPN group lock

I'm going to paste a recipe from Cisco Forum, this recipe explains how to set a tunnel lock into AnyConnect. It is very important because if you don't apply this policy any user with authorised credentials in the radius will be able to login in any VPN tunnel.

ORIGINAL POST FROM Jatin Katyal  (Thanks)

Introduction
Steps needs to be followed on the Microsoft Radius server to configure group-lock and tunnel-group-lock

Configuration Steps

• Go to Remote Access Policies.
• Go to the remote access policy/network policy, make a right click on the policy and click on the "Properties"
• Click on Edit Profile.
• Click on Advanced Tab settings and add ( For IAS)
• Click on settings (For NPS)
• Scroll down to "Vendor-Specific" Radius attribute.
• Select it, from scroll down use custom and click on Add.
• Make sure Attribute Number is set to 26.
• Click on Add.
• Enter Vendor Code: 3076.
• Select radio button : Yes. It confirms.
• Click on Configure Attributes.
• Vendor-Assigned attribute number: 25 (group-lock) and 085 (tunnel-group-lock)
• Attribute format: String.
• Attribute Value: <group-policy-name> or <tunnel-group name>
• Apply. 

In order to troubleshoot any issues look at event-viewer logs on Radius server.

Configure NPS Event Logging
NPS Events and Event Viewer

Finally, this document with ASA AAA configuration documentation could be useful too:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/aaa_radius.pdf