Limit Telnet => ASA to one AD group

Aug 18th, 2009

I want to restrict CLI access to our ASA 5510 to one Active Directory group. Currently the ASA authenticates against our LDAP/AD server, and anyone in the organization can log into the ASA using HyperTerminal (enable password is another matter, however).

How can I narrow such access to only our IT group, which has its own AD container?

Thanks in advance,

-- Bill

jan.nielsen Tue, 08/18/2009 - 12:24

You need to specify the OU where these people are located in the base DN string of the aaa-server definition for your LDAP server; then your ASA will only look in that part of your AD.

william-white Tue, 08/18/2009 - 13:08

OK, this is valuable. Would this also limit VPN access to the people in that OU? I want to limit only telnet into the CLI.

Jatin Katyal Tue, 08/18/2009 - 14:56

No, this won't restrict access for VPN users in that OU because we are only configuring it for TELNET access.

Here is a config example (values in <angle brackets> were omitted in the original post; they are placeholders, not real settings):

! LDAP server group; <tag> is the group name referenced by the aaa commands below
aaa-server <tag> protocol ldap

! Authenticate Telnet logins. As posted this says LOCAL, which means the LDAP group
! and the exec authorization below are never consulted for Telnet; to use the
! attribute map, point this at the LDAP group tag instead of LOCAL.
aaa authentication telnet console LOCAL

! Require the AAA server to return a Service-Type before granting CLI (exec) access
aaa authorization exec authentication-server

! Map the AD memberOf attribute onto the RADIUS Service-Type attribute.
! The second token of map-value is the AD value to match (the admin group's DN);
! the original post shows it as "service-type". 6 = Administrative (full CLI access).
ldap attribute-map <map-name>
  map-name memberOf IETF-Radius-Service-Type
  map-value memberOf <group DN> 6

! The LDAP/AD host itself
aaa-server <tag> (<interface>) host <server address>
  ldap-base-dn <base DN>
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-dn <bind DN>
  ldap-login-password <bind password>
  server-type microsoft
  ldap-attribute-map <map-name>

For more info, you may refer to:

Limiting User CLI and ASDM Access with Management Authorization

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1070306

Hope this helps.
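A complete version of the setup described in the two replies above (restricting the base DN to the IT OU, as jan.nielsen suggests, and mapping memberOf onto Service-Type for management authorization, as in Jatin's fragment), written as an added example that is not part of the original thread or of Cisco's documentation. The server-group tag LDAP_AD, the map name MGMT_AUTHZ, the address 192.0.2.10, the interface name inside, the domain example.com, the IT group DN, the bind account and the local username are all assumed placeholders; replace them with your own values.

```cisco
! Added example, not from the original thread. All names, DNs and the
! 192.0.2.10 address are assumed placeholders.

! 1. Map the AD memberOf attribute onto the RADIUS Service-Type the ASA uses
!    for management authorization. Only the IT group's DN is mapped, so only
!    its members receive Service-Type 6 (Administrative = full CLI access).
ldap attribute-map MGMT_AUTHZ
  map-name  memberOf IETF-Radius-Service-Type
  map-value memberOf CN=ITAdmins,OU=IT,DC=example,DC=com 6

! 2. LDAP/AD server group. The base DN is the IT OU, so the ASA searches
!    only that subtree for the account being authenticated.
aaa-server LDAP_AD protocol ldap
aaa-server LDAP_AD (inside) host 192.0.2.10
  ldap-base-dn OU=IT,DC=example,DC=com
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-dn CN=svc-asa-ldap,CN=Users,DC=example,DC=com
  ldap-login-password <bind-password>
  server-type microsoft
  ldap-attribute-map MGMT_AUTHZ

! 3. Authenticate Telnet and SSH CLI logins against the group, with LOCAL as
!    the fallback that is used only when every server in the group is
!    unreachable (not when AD rejects the credentials), then require the
!    mapped Service-Type for exec access.
aaa authentication telnet console LDAP_AD LOCAL
aaa authentication ssh console LDAP_AD LOCAL
aaa authorization exec authentication-server

! 4. A local admin account so the LOCAL fallback has something to verify
!    if the AD server is down.
username asaadmin password <strong-password> privilege 15
```

Two things to check in your own testing before relying on this: what the ASA does for a user whose memberOf values match no map-value line (the thread does not say, and it is the case ordinary staff will hit), and that VPN logins using the same server group still succeed, since Service-Type only governs management access, not remote-access sessions. The LOCAL keyword after LDAP_AD is what keeps you out of the "AD is down and I cannot reach the ASA" situation Bill raises later in the thread.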

william-white Wed, 08/19/2009 - 08:19

Thanks for the help on this. What I've done is to remove AD/RADIUS authentication entirely from ASA login (ASDM, Telnet, SSH), going strictly with LOCAL accounts. This ensures run-of-the-mill users can't sign into the ASA over the network, and continues access in case my AD server goes down and I need to get into the ASA.
