Limit Telnet => ASA to one AD group

Unanswered Question
Aug 18th, 2009

I want to restrict CLI access to our ASA 5510 to one Active Directory group. Currently the ASA authenticates against our LDAP/AD server, and anyone in the organization can log into the ASA using HyperTerminal (enable password is another matter, however).

How can I narrow such access to only our IT group, which has its own AD container?

Thanks in advance,

-- Bill

jan.nielsen Tue, 08/18/2009 - 12:24
User Badges: Gold, 750 points or more

You need to specify the OU where these people are located in the base DN string in the aaa definition of your LDAP server; then your ASA will only look in that part of your AD.

william-white Tue, 08/18/2009 - 13:08

OK, this is valuable. Would this also limit VPN access to the people in that OU? I want to limit only telnet into the CLI.

Jatin Katyal Tue, 08/18/2009 - 14:56
User Badges: Cisco Employee

No, this won't restrict access for VPN users in that OU because we are only configuring it for TELNET access.

Here is a config example:

! Values in <...> are placeholders for your own server tag, host, map name and IT group DN.
aaa-server <LDAP_TAG> protocol ldap
aaa-server <LDAP_TAG> host <AD_SERVER_IP>
 ldap-base-dn <BASE_DN>
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn <BIND_DN>
 ldap-login-password <BIND_PASSWORD>
 server-type microsoft
 ldap-attribute-map <MAP_NAME>
!
! Map the IT group's memberOf value to Service-Type 6 (Administrative = full CLI access).
ldap attribute-map <MAP_NAME>
 map-name memberOf IETF-Radius-Service-Type
 map-value memberOf "<IT_GROUP_DN>" 6
!
! Authenticate telnet logins against the LDAP server (LOCAL as fallback) and let the
! server's returned Service-Type decide who gets exec access.
aaa authentication telnet console <LDAP_TAG> LOCAL
aaa authorization exec authentication-server


For more info, you may refer to:

Limiting User CLI and ASDM Access with Management Authorization


Hope this helps.
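As an added check (not from this thread or from Cisco), here is a Python audit that parses a saved ASA running-config and verifies the pieces above are actually wired together: telnet authentication names an LDAP server tag rather than LOCAL alone, exec authorization is turned on, that server's host entry binds an attribute map, and the map turns a memberOf group into Service-Type 6. The sample config, its server tag LDAPSRV, map name MGMT, address 10.0.0.5 and group DN are all constructed for the example.

```python
import re

GOOD_CONFIG = """\
aaa-server LDAPSRV protocol ldap
aaa-server LDAPSRV host 10.0.0.5
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 server-type microsoft
 ldap-attribute-map MGMT
ldap attribute-map MGMT
 map-name memberOf IETF-Radius-Service-Type
 map-value memberOf "CN=IT,OU=Groups,DC=example,DC=local" 6
aaa authentication telnet console LDAPSRV LOCAL
aaa authorization exec authentication-server
"""

def parse_blocks(config: str) -> list[list[str]]:
    """Group config text into [top-level command, *indented sub-mode lines]."""
    blocks: list[list[str]] = []
    for raw in config.splitlines():
        if raw.startswith(" ") and raw.strip() and blocks:
            blocks[-1].append(raw.strip())
        elif raw.strip() and not raw.startswith("!"):
            blocks.append([raw.strip()])
    return blocks

def audit_mgmt_authz(config: str) -> list[str]:
    """Return findings; an empty list means telnet CLI access is gated by an AD group."""
    blocks = parse_blocks(config)
    tops = [b[0] for b in blocks]
    ldap_tags = {t.split()[1] for t in tops if re.fullmatch(r"aaa-server \S+ protocol ldap", t)}
    auth = [t.split()[4] for t in tops if t.startswith("aaa authentication telnet console ")]
    tag = auth[0] if auth else None       # first method listed for telnet logins
    if tag not in ldap_tags:
        return [f"telnet authenticates against {tag}, not an LDAP server"]
    findings = []
    if "aaa authorization exec authentication-server" not in tops:
        findings.append("missing 'aaa authorization exec authentication-server'")
    for b in (blk for blk in blocks if blk[0].startswith(f"aaa-server {tag} host ")):  # each host entry must bind a map
        maps = [l.split()[1] for l in b[1:] if l.startswith("ldap-attribute-map ")]
        if not maps:
            findings.append(f"'{b[0]}' binds no ldap-attribute-map")
        for name in maps:                 # the bound map must grant a group Service-Type 6 (Administrative)
            body = [l.lower() for blk in blocks if blk[0] == f"ldap attribute-map {name}" for l in blk[1:]]
            if "map-name memberof ietf-radius-service-type" not in body:
                findings.append(f"map {name} does not map memberOf to IETF-Radius-Service-Type")
            if not any(re.fullmatch(r"map-value memberof .+ 6", l) for l in body):
                findings.append(f"map {name} grants no group Service-Type 6")
    return findings
```

Feed it the output of `show running-config`; a config that lists only LOCAL for telnet (as the snippet in the reply above does) is reported as not gated by LDAP at all.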

william-white Wed, 08/19/2009 - 08:19

Thanks for the help on this. What I've done is to remove AD/Radius authentication entirely from ASA login (ASDM, Telnet, SSH), going strictly with LOCAL accounts. This ensures run-of-the-mill users can't sign into the ASA over the network, and continues access in case my AD server goes down and I need to get into the ASA.
