Cisco Support Community

New Member

Limit Telnet => ASA to one AD group

I want to restrict CLI access to our ASA 5510 to one Active Directory group. Currently the ASA authenticates against our LDAP/AD server, and anyone in the organization can log into the ASA using HyperTerminal (enable password is another matter, however).

How can I narrow such access to only our IT group, which has its own AD container?

Thanks in advance,

-- Bill

4 REPLIES

Re: Limit Telnet => ASA to one AD group

You need to specify the OU where these people are located in the base DN string in the aaa definition of your LDAP server; then your ASA will only look in that part of your AD.

New Member

Re: Limit Telnet => ASA to one AD group

OK, this is valuable. Would this also limit VPN access to the people in that OU? I want to limit only telnet into the CLI.

Cisco Employee

Re: Limit Telnet => ASA to one AD group

No, this won't restrict access for VPN users in that OU because we are only configuring it for TELNET access.

Here is a config example (values in angle brackets are placeholders that were dropped from the posted text; the server tag, map name and group DN must match between the lines that use them):

! LDAP server group used for Telnet console authentication, with LOCAL as fallback
aaa-server <server_tag> protocol ldap
aaa authentication telnet console <server_tag> LOCAL
! management authorization: the server's mapped service-type decides CLI access
aaa authorization exec authentication-server
! map the AD memberOf attribute to IETF-Radius-Service-Type; 6 = Administrative
ldap attribute-map <map_name>
 map-name memberOf IETF-Radius-Service-Type
 map-value memberOf <group_DN> 6
aaa-server <server_tag> (<interface>) host <ldap_server_address>
 ldap-base-dn <base_DN>
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn <bind_DN>
 ldap-login-password <bind_password>
 server-type microsoft
 ldap-attribute-map <map_name>

For more info, you may refer to:

Limiting User CLI and ASDM Access with Management Authorization

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1070306

Hope this helps.

~BR Jatin Katyal **Do rate helpful posts**
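
The two decisions the replies above describe, modelled as an added example (not code from the thread or from Cisco): whether a user's DN falls under ldap-base-dn with ldap-scope subtree, and how an ldap attribute-map turns memberOf into IETF-Radius-Service-Type for management authorization. Service-type meanings follow the linked guide (6 = Administrative, 7 = NAS-Prompt, CLI only); the base DN, group DNs, sample users and the fail-closed handling of missing or other values are this example's own assumptions.

```python
# Added example, not code from the thread or from Cisco. Models (1) the
# ldap-base-dn / ldap-scope subtree search limit and (2) the ldap attribute-map
# that maps memberOf to IETF-Radius-Service-Type for "aaa authorization exec".
# 6 = Administrative (full access), 7 = NAS-Prompt (CLI only, no ASDM); other or
# missing values are treated as "no management access" (assumption, fail-closed).
from typing import Dict, List, Optional, Tuple

SERVICE_TYPE_NAMES = {6: "Administrative", 7: "NAS-Prompt"}

def rdn_parts(dn: str) -> List[str]:
    """Split a DN into normalised RDN components, root (DC=com) first.
    Simplified: escaped commas inside RDN values are not handled."""
    return [part.strip().lower() for part in dn.split(",")][::-1]

def in_subtree(user_dn: str, base_dn: str) -> bool:
    """ldap-scope subtree: the account is found only if it sits under base_dn."""
    base = rdn_parts(base_dn)
    return rdn_parts(user_dn)[: len(base)] == base

def mapped_service_type(member_of: List[str],
                        attribute_map: Dict[str, int]) -> Optional[int]:
    """Apply 'map-value memberOf <group DN> <service-type>' entries.
    If several groups match, the most privileged value wins (this example's
    assumption; the thread does not describe the ASA's tie-break)."""
    groups = {g.lower() for g in member_of}
    matches = [st for grp, st in attribute_map.items() if grp.lower() in groups]
    if not matches:
        return None
    return min(matches, key=lambda st: (st != 6, st != 7, st))

def cli_decision(user_dn: str, member_of: List[str], base_dn: str,
                 attribute_map: Dict[str, int]) -> Tuple[bool, str]:
    """Decide whether a Telnet/SSH CLI login is authorised, with the reason."""
    if not in_subtree(user_dn, base_dn):
        return False, "outside ldap-base-dn: LDAP search returns no account"
    service_type = mapped_service_type(member_of, attribute_map)
    if service_type is None:
        return False, "no memberOf matched the attribute-map: access denied"
    if service_type in SERVICE_TYPE_NAMES:
        return True, f"service-type {service_type} ({SERVICE_TYPE_NAMES[service_type]})"
    return False, f"service-type {service_type}: management access denied"

# Constructed sample directory: an IT container with an admin and a helpdesk group.
BASE_DN = "OU=IT,DC=example,DC=com"
ATTRIBUTE_MAP = {"CN=ASA-Admins,OU=IT,DC=example,DC=com": 6,
                 "CN=Helpdesk,OU=IT,DC=example,DC=com": 7}
```

A user outside the IT container is rejected before any group check, which is the base-DN effect the first reply describes; a user inside it still needs a mapped group to get a service-type.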
New Member

Re: Limit Telnet => ASA to one AD group

Thanks for the help on this. What I've done is to remove AD/RADIUS authentication entirely from ASA login (ASDM, Telnet, SSH), going strictly with LOCAL accounts. This ensures run-of-the-mill users can't sign into the ASA over the network, and continues access in case my AD server goes down and I need to get into the ASA.
