diff --git a/usr.sbin/ctld/ctl.conf.5 b/usr.sbin/ctld/ctl.conf.5
index d44caa80803..87e35929971 100644
--- a/usr.sbin/ctld/ctl.conf.5
+++ b/usr.sbin/ctld/ctl.conf.5
@@ -103,7 +103,7 @@ The following statements are available at the auth-group level:
 .Bl -tag -width indent
 .It Ic auth-type Ao Ar type Ac
 Specifies authentication type.
-Type can be either "none", "chap", or "chap-mutual".
+Type can be either "none", "deny", "chap", or "chap-mutual".
 In most cases it is not neccessary to set the type using this clause;
 it is usually used to disable authentication for a given auth-group.
 .It Ic chap Ao Ar user Ac Aq Ar secret
@@ -157,7 +157,7 @@ Another predefined auth-group, "no-authentication", may be used to permit access
 without authentication.
 .It Ic auth-type Ao Ar type Ac
 Specifies authentication type.
-Type can be either "none", "chap", or "chap-mutual".
+Type can be either "none", "deny", "chap", or "chap-mutual".
 In most cases it is not neccessary to set the type using this clause;
 it is usually used to disable authentication for a given target.
 This clause is mutually exclusive with auth-group; one cannot use
diff --git a/usr.sbin/ctld/ctld.c b/usr.sbin/ctld/ctld.c
index a4574820b8d..c5f5771d51b 100644
--- a/usr.sbin/ctld/ctld.c
+++ b/usr.sbin/ctld/ctld.c
@@ -439,6 +439,8 @@ auth_group_set_type_str(struct auth_group *ag, const char *str)
 
 	if (strcmp(str, "none") == 0) {
 		type = AG_TYPE_NO_AUTHENTICATION;
+	} else if (strcmp(str, "deny") == 0) {
+		type = AG_TYPE_DENY;
 	} else if (strcmp(str, "chap") == 0) {
 		type = AG_TYPE_CHAP;
 	} else if (strcmp(str, "chap-mutual") == 0) {
diff --git a/usr.sbin/ctld/ctld.h b/usr.sbin/ctld/ctld.h
index 0982ef12961..ce161b6dc05 100644
--- a/usr.sbin/ctld/ctld.h
+++ b/usr.sbin/ctld/ctld.h
@@ -66,9 +66,10 @@ struct auth_portal {
 };
 
 #define	AG_TYPE_UNKNOWN			0
-#define	AG_TYPE_NO_AUTHENTICATION	1
-#define	AG_TYPE_CHAP			2
-#define	AG_TYPE_CHAP_MUTUAL		3
+#define	AG_TYPE_DENY			1
+#define	AG_TYPE_NO_AUTHENTICATION	2
+#define	AG_TYPE_CHAP			3
+#define	AG_TYPE_CHAP_MUTUAL		4
 
 struct auth_group {
 	TAILQ_ENTRY(auth_group)		ag_next;
diff --git a/usr.sbin/ctld/login.c b/usr.sbin/ctld/login.c
index 9dea58ef54f..ceabd927f74 100644
--- a/usr.sbin/ctld/login.c
+++ b/usr.sbin/ctld/login.c
@@ -1030,6 +1030,11 @@ login(struct connection *conn)
 		return;
 	}
 
+	if (ag->ag_type == AG_TYPE_DENY) {
+		login_send_error(request, 0x02, 0x01);
+		log_errx(1, "auth-group type is \"deny\"");
+	}
+
 	if (ag->ag_type == AG_TYPE_UNKNOWN) {
 		/*
 		 * This can happen with empty auth-group.
diff --git a/usr.sbin/ctld/parse.y b/usr.sbin/ctld/parse.y
index 30f7c9fd038..463479bdc9d 100644
--- a/usr.sbin/ctld/parse.y
+++ b/usr.sbin/ctld/parse.y
@@ -729,13 +729,9 @@ conf_new_from_file(const char *path)
 	assert(ag != NULL);
 	ag->ag_type = AG_TYPE_NO_AUTHENTICATION;
 
-	/*
-	 * Here, the type doesn't really matter, as the group doesn't contain
-	 * any entries and thus will always deny access.
-	 */
 	ag = auth_group_new(conf, "no-access");
 	assert(ag != NULL);
-	ag->ag_type = AG_TYPE_CHAP;
+	ag->ag_type = AG_TYPE_DENY;
 
 	pg = portal_group_new(conf, "default");
 	assert(pg != NULL);
@@ -765,7 +761,7 @@ conf_new_from_file(const char *path)
 		    "going with defaults");
 		ag = auth_group_find(conf, "default");
 		assert(ag != NULL);
-		ag->ag_type = AG_TYPE_CHAP;
+		ag->ag_type = AG_TYPE_DENY;
 	}
 
 	if (conf->conf_default_pg_defined == false) {