We're using Cisco ACS as a RADIUS server, which uses Active Directory to authenticate users. All SSH logins to the ASA authenticate to that RADIUS server.
We also use that RADIUS server for VPN authentication. The problem I'm having is that since we have to enable the dial-in property in AD to allow people to VPN, they are also able to SSH into the firewall, although since we also use command authorization they are not able to actually do anything. The VPN users group in RADIUS is separate from the network management users group. Is there a property or anything I can set to disable users in the VPN Users group from being able to log in to the firewall?
Sure, add the allowed users to a group in ACS, then use NAR to restrict what devices they can get to. This link might help as well.
Hope that helps.