08-18-2009 09:00 AM - edited 03-10-2019 04:39 PM
I want to restrict CLI access to our ASA 5510 to one Active Directory group. Currently the ASA authenticates against our LDAP/AD server, and anyone in the organization can log into the ASA using HyperTerminal (enable password is another matter, however).
How can I narrow such access to only our IT group, which has its own AD container?
Thanks in advance,
-- Bill
08-18-2009 12:24 PM
You need to specify the OU where these people are located in the base DN string in the aaa definition of your LDAP server; then your ASA will only look in that part of your AD.
08-18-2009 01:08 PM
OK, this is valuable. Would this also limit VPN access to the people in that OU? I want to limit only telnet into the CLI.
08-18-2009 02:56 PM
No, this won't restrict access for VPN users in that OU because we are only configuring it for TELNET access.
Here is a config example:
aaa-server
aaa authentication telnet console
aaa authorization exec authentication-server
ldap attribute-map
map-name memberOf IETF-Radius-service-type
map-value memberOf
aaa-server
ldap-base-dn
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-dn
ldap-login-password
server-type microsoft
ldap-attribute-map
For more info, you may refer:
Limiting User CLI and ASDM Access with Management Authorization
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1070306
Hope this helps.
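The reply above leaves the server tag, base DN and attribute-map values out. The configuration below is an added, filled-in illustration (not the poster's config and not from Cisco) of the same approach on an ASA 8.x: an LDAP attribute map turns AD group membership into the Service-Type the ASA uses for management authorization, the base DN is narrowed to the IT OU as the first reply suggested, and LOCAL is kept as a fallback so a break-glass account still works when AD is unreachable. Every name, address, DN and password is a placeholder (AD-LDAP, CLI-ADMINS, 10.0.0.5, example.com, IT-Admins, asa-bind, breakglass).

```cisco
! Added example, not the original poster's config. Every name, address,
! DN and password below is a placeholder to be replaced.
!
! 1. Map the AD "memberOf" attribute onto IETF-Radius-Service-Type, which is
!    what "aaa authorization exec authentication-server" evaluates:
!      6 = Administrative  (full CLI / ASDM access)
!      7 = NAS-Prompt      (CLI access, enable still needs the enable password)
!      5 = Outbound        (management access denied; VPN still allowed)
!    Only members of the IT admin group receive value 6 here.
ldap attribute-map CLI-ADMINS
 map-name memberOf IETF-Radius-Service-Type
 map-value memberOf CN=IT-Admins,OU=IT,DC=example,DC=com 6
!
! 2. AAA server group for AD. The base DN is the IT OU, so accounts outside
!    that container cannot authenticate against this server group at all
!    (the first reply's point); the attribute map then sets the level for
!    the accounts that can.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.5
 ldap-base-dn OU=IT,DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,CN=Users,DC=example,DC=com
 ldap-login-password PLACEHOLDER-BIND-PASSWORD
 server-type microsoft
 ldap-attribute-map CLI-ADMINS
!
! 3. Apply it to CLI logins (SSH shown alongside Telnet) with LOCAL as the
!    fallback method, which the ASA consults only when the LDAP server is
!    unreachable, and enable management authorization so the mapped
!    Service-Type is enforced. VPN tunnel groups are not touched, so this
!    does not change who can build a VPN session.
username breakglass password PLACEHOLDER-STRONG-PASSWORD privilege 15
aaa authentication telnet console AD-LDAP LOCAL
aaa authentication ssh console AD-LDAP LOCAL
aaa authorization exec authentication-server
```

Two design points worth checking before relying on this: confirm on the running software version what level a user receives when the server returns no Service-Type at all (the narrowed base DN is the reason the example does not depend on that default), and keep the break-glass LOCAL account to a small number of people, since it bypasses the AD group check whenever the server group is down.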
08-19-2009 08:19 AM
Thanks for the help on this. What I've done is to remove AD/RADIUS authentication entirely from ASA login (ASDM, Telnet, SSH), going strictly with LOCAL accounts. This ensures run-of-the-mill users can't sign into the ASA over the network, and continues access in case my AD server goes down and I need to get into the ASA.