Limit Telnet => ASA to one AD group

william-white
Level 1

I want to restrict CLI access to our ASA 5510 to one Active Directory group. Currently the ASA authenticates against our LDAP/AD server, and anyone in the organization can log into the ASA using HyperTerminal (enable password is another matter, however).

How can I narrow such access to only our IT group, which has its own AD container?

Thanks in advance,

-- Bill

4 Replies

jan.nielsen
Level 7

You need to specify the OU where these people are located in the base DN string of the LDAP server in your AAA definition; then your ASA will only look in that part of your AD.

OK, this is valuable. Would this also limit VPN access to the people in that OU? I want to limit only telnet into the CLI.

No, this won't restrict access for VPN users in that OU because we are only configuring it for TELNET access.

Here is a config example:

aaa-server protocol ldap
aaa authentication telnet console LOCAL
aaa authorization exec authentication-server
ldap attribute-map
 map-name memberOf IETF-Radius-service-type
 map-value memberOf service-type 6
aaa-server host
 ldap-base-dn
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn
 ldap-login-password
 server-type microsoft
 ldap-attribute-map

For more info, you may refer to:

Limiting User CLI and ASDM Access with Management Authorization

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1070306

Hope this helps.

~Jatin
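A fuller version of the configuration outlined above, written as an added example that is not from this thread or from Cisco's documentation. The server-group name, interface, address, DNs, group name and local account are constructed placeholders; the management-authorization behaviour (service-type 6 = full administrative access) is the one the linked Cisco document describes for ASA 8.0, and what happens to an AD user whose memberOf does not match the map should be confirmed against that document on the running version.

```cisco
! Map the IT group's DN to RADIUS service-type 6 (Administrative).
! Users outside CN=IT-Admins get no service-type mapping from this map.
ldap attribute-map CLI-ADMIN
 map-name memberOf IETF-Radius-Service-Type
 map-value memberOf CN=IT-Admins,OU=IT,DC=example,DC=com 6

! LDAP server group pointing at the domain controller (placeholder address).
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service,DC=example,DC=com
 ldap-login-password <bind-password-placeholder>
 server-type microsoft
 ldap-attribute-map CLI-ADMIN

! Authenticate CLI sessions against AD, falling back to LOCAL only when
! the LDAP server is unreachable; keep one local break-glass account.
username asa-admin password <local-password-placeholder> privilege 15
aaa authentication ssh console AD-LDAP LOCAL
aaa authentication telnet console AD-LDAP LOCAL
aaa authentication enable console LOCAL

! Enforce the mapped service-type on CLI/ASDM logins (management authorization).
aaa authorization exec authentication-server
```

Because memberOf is checked rather than the search base, this keeps the base DN at the domain root and does not change which OUs VPN users can be found in.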

Thanks for the help on this. What I've done is to remove AD/Radius authentication entirely from ASA login (ASDM, Telnet, SSH), going strictly with LOCAL accounts. This ensures run-of-the-mill users can't sign into the ASA over the network, and continues access in case my AD server goes down and I need to get into the ASA.
