Moddy,

If I understood your questions correctly - You want that a specific set or group of users on the ldap server should have access to your network devices ( like router/switches/ASA etc) through administrative session like telnet/ssh.

Assuming your ACS is already integrating with LDAP and can fetch all the LDAP groups. In case you're facing integrating ACS with LDAP. A very quick way to sort this out could be to first test by browsing the LDAP database with a free LDAP browser such as Softerra: http://softerra-downloads.com

Once you'll successfully bind and browse the tree with this browser, you can apply the same settings to ACS.

If that's what you need then I guess you can do it in two different ways:

1.] You can create users on the ACS > user setup > Under password authentication select LDAP as an external database. The same user should exist on the ACS local DB and on the LDAP server. However the password will be checked against LDAP only, the ACS password will not be checked if defined. Move all these users into a single group and configure Network access restriction on that group. How to configure NAR on ACS 4.x

2.] You can configure group mapping on ACS 4.x and map your ACS internal group with LDAP external groups. Fo all other combination select no-access group. On LDAP create a group and make users of that specific group only. On the ACS configure NAR on the mapped internal group. This way users who are part of that valid group on LDAP can only access the devices defined under NAR.  Group Mapping with generic LDAP

Let me know if you have any questions.

Regards,

     Jatin

** Do rate helpful posts**