ACS 4.2 SE & Windows 2003, AD Group Restrictions?


Hi All,

I'm sure this question has already been asked and the solution is simple; however, it does not appear to be obvious!

My requirement is to have an AD group called 'CiscoAdmins' and another called 'VPNUsers'. Using ACS I want to only authorise members of the 'CiscoAdmins' group to perform telnet/SSH etc. and only permit members of the 'VPNUsers' group to connect in remotely via an ASA firewall. So in other words, authentication should only PASS if the user is a member of a particular AD group.

We currently have all authentication/accounting working as needed using TACACS, referring to AD (Windows Database, NOT LDAP) for the correct username/password. However, we've noticed that members of the 'CiscoAdmins' group can perform VPN authentication and vice versa, which is not so good. This is despite setting up the AD/ACS group mapping etc. and re-ordering many, many times!

Is TACACS OK or should we revert to RADIUS & the same goes for Windows Database v LDAP ..?

I've trawled the net and this forum to no avail - please help!

There must be a guide somewhere for this simple request surely?




Hi JG,

I've already seen that paper, and although it is descriptive I am still none the wiser, as it does not give any example. What property do I check against, as there is no AD group membership property?

You HAVE however confirmed my thoughts that a NAR is the way forward.

Can you confirm that using TACACS is OK for what I want to do? i.e. I will not need to revert to RADIUS or set up an LDAP database connection.

Are there any configuration examples to help?

Thanks again,


Jatin Katyal (Cisco Employee) Wed, 09/16/2009 - 11:34

Hi Stuart,

As you have two groups:

CiscoAdmins // should have SSH/telnet access // no access to VPN

VPNUsers // should have access to VPN // no access to SSH/telnet

Now, since in both sessions the calling station ID is an IP address, it can't be achieved via a NAR.

Here we also have to use the RADIUS protocol, so please add the ASA as a RADIUS client in Network Configuration.

Try this:

On the CiscoAdmins group, we need to configure the following attribute on the ACS group or user:

For RADIUS (Cisco VPN 3000/ASA/PIX 7.x+), check "[026/3076/085] Tunnel-Group-Lock" and type any garbage value. Though on ACS you'll see a successful authentication, the user will never be able to connect via VPN, but they will be able to do SSH/telnet.

On the VPNUsers group, you need to configure a downloadable access-list. Using this feature you can block the SSH and telnet ports, and the user should have access only to VPN.

Let me know if you have any query.




Jatin Katyal (Cisco Employee) Wed, 09/16/2009 - 12:09

Hi Stuart,

I do agree that there is pain in configuring a DACL :(.

If your AD starts acting as an LDAP server... this is far easier than what you are going to do.




Hi JK,

So if I configured my AD as a 'Generic LDAP' rather than a 'Windows Database', it would make the configuration simpler?

Happy to do so if this is the case (likewise with choice between TACACS or RADIUS)...

I'm looking for the simplest configuration that will be easy to maintain ..

What would the configuration look like in this case?

Thanks again,


Jatin Katyal (Cisco Employee) Wed, 09/16/2009 - 12:41

In that case, ACS will not be of any use.

We have to completely bypass the ACS and get the ASA integrated directly with the LDAP server.

//AAA-server configuration//

aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD host
 ! the LDAP server address belongs after "host" (not shown in the original post)
 server-port 389
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 server-type microsoft
 ! inside the aaa-server host submode the command is hyphenated: ldap-attribute-map
 ldap-attribute-map CISCOMAP

//Restricting VPN access//

ldap attribute-map CISCOMAP
 map-name msNPAllowDialin IETF-Radius-Class
 map-value msNPAllowDialin FALSE NOACCESS
 map-value msNPAllowDialin TRUE ALLOWACCESS

You should have 2 group-policies (1 for allow access and 1 for deny access).

NOTE: On the AD, you can restrict users based on dial-in access.

All info available in configuration example:

//Restricting SSH/telnet access//

ldap attribute-map CISCOMAP
 map-name memberOf IETF-Radius-Service-Type
 ! the second argument is the AD value to match, i.e. the DN of the group; 6 = Administrative
 map-value memberOf <DN of the CiscoAdmins group> 6

! management logins must actually be sent to LDAP-AD; LOCAL stays as the fallback
aaa authentication ssh console LDAP-AD LOCAL
aaa authentication telnet console LDAP-AD LOCAL

Seems difficult, but it's not :)

Feel free to contact for any query.
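A complete ASA-side version of the approach in this reply, added here as a worked example rather than taken from the thread or from Cisco. It fills in the pieces the reply leaves out: the two group-policies, a deny-by-default tunnel-group so that an account with no dial-in flag cannot build a tunnel, and the management authorization command that makes the Service-Type mapping take effect. Assumed values (placeholders, not from the thread): LDAP server 192.0.2.10 on the inside interface, domain example.com with both groups under CN=Users, a read-only bind account asa-bind, and a remote-access tunnel-group named VPN-TG.

```cisco
! Added example; server address, domain, bind account and tunnel-group
! name are assumed placeholders. Keep CiscoAdmins and VPNUsers disjoint:
! a user in both groups would return two Service-Type values.
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD (inside) host 192.0.2.10
 server-port 389
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,CN=Users,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map CISCOMAP
!
! VPN: the AD dial-in flag selects the group-policy. Management: group
! membership selects the Service-Type (6 = Administrative, full CLI;
! 5 = Outbound, which the ASA treats as no management access).
ldap attribute-map CISCOMAP
 map-name msNPAllowDialin IETF-Radius-Class
 map-value msNPAllowDialin TRUE ALLOWACCESS
 map-value msNPAllowDialin FALSE NOACCESS
 map-name memberOf IETF-Radius-Service-Type
 map-value memberOf CN=CiscoAdmins,CN=Users,DC=example,DC=com 6
 map-value memberOf CN=VPNUsers,CN=Users,DC=example,DC=com 5
!
! Deny policy: zero simultaneous logins means the user never gets a
! tunnel even though the LDAP bind itself succeeded.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
group-policy ALLOWACCESS internal
group-policy ALLOWACCESS attributes
 vpn-simultaneous-logins 3
!
! Deny by default: an account whose msNPAllowDialin is unset (typical for
! a CiscoAdmins user) returns no Class, so the tunnel-group's default
! policy decides, and that must be the deny policy.
tunnel-group VPN-TG type remote-access
tunnel-group VPN-TG general-attributes
 authentication-server-group LDAP-AD
 default-group-policy NOACCESS
!
! Management: authenticate against AD (LOCAL only as fallback) and enforce
! the returned Service-Type. Without the authorization line every AD user
! who authenticates, VPNUsers included, reaches the CLI.
aaa authentication ssh console LDAP-AD LOCAL
aaa authentication telnet console LDAP-AD LOCAL
aaa authorization exec authentication-server
```

Test with a VPNUsers account over SSH and a CiscoAdmins account over VPN first; "debug ldap 255" shows which map-value each login matched.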




