I have implemented Microsoft NPS and AAA on my Cisco ASA for VPN users and this is working with no issues. The next step I would like to take is to use Microsoft NPS for level 15 access to my ASA for management. I did add this in the ASA, but it allows any user access to the full command set. I did read that I need to pass service parameters down to the ASA, but it appears that by default access is wide open. Can I have multiple network policies for VPN users and network managers?
I switched over to LDAP and I am using the LDAP attribute map, which appears to accomplish what I need. The only issue that I have come across during testing is with users that don't have an attribute come back in the LDAP query. I was testing with the memberOf attribute, and when users are not a member of any group they are allowed full ASDM access. If they are a member of a group that I don't have defined, then everything works fine. I am mapping memberOf to privilege level.
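The memberOf-to-privilege-level mapping described in the follow-up, written out as an added example (this is a constructed configuration, not the poster's own). The server group name, attribute map name, host address, base DN, bind account and group DNs are all assumptions; the separate aaa-server group and attribute map also show how management authorization can be kept apart from the VPN server group asked about in the first post.

```cisco
! Map AD group membership to an ASA privilege level.
! Only the groups listed here ever yield a Privilege-Level value.
ldap attribute-map MGMT-PRIV-MAP
 map-name memberOf Privilege-Level
 map-value memberOf "CN=ASA-Admins,OU=NetAdmin,DC=example,DC=com" 15
 map-value memberOf "CN=ASA-ReadOnly,OU=NetAdmin,DC=example,DC=com" 3

! Dedicated server group for device management, separate from the VPN group.
! ldap-base-dn is scoped to the OU holding management accounts, so accounts
! that live elsewhere in the directory (and that may carry no memberOf
! attribute at all) are never found by this lookup and cannot log in here.
aaa-server LDAP-MGMT protocol ldap
aaa-server LDAP-MGMT (inside) host 10.0.0.10
 ldap-base-dn OU=NetAdmin,DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service,DC=example,DC=com
 ldap-login-password <bind-password-placeholder>
 server-type microsoft
 ldap-attribute-map MGMT-PRIV-MAP

! Use the management group for SSH and ASDM logins, with LOCAL as fallback,
! and take the privilege level from the mapped attribute rather than
! granting every authenticated user the full command set.
aaa authentication ssh console LDAP-MGMT LOCAL
aaa authentication http console LDAP-MGMT LOCAL
aaa authorization exec authentication-server
```

Before relying on this, test with an account inside the base DN that belongs to none of the mapped groups, which is exactly the case the follow-up describes, and confirm in `show aaa-server` / `debug ldap` output which Privilege-Level (if any) the map returned for it.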