01-30-2018 02:40 AM - edited 02-21-2020 07:14 AM
Hello!
I'd like to configure access for Cisco ASA administration for a specific domain group. To this end, I indicated that only members of the "Cisco ASA Admins" group can log in through the SSH or ASDM to the firewall.
But during testing I found out that any member of the domain can log in to the Cisco ASA with privileged rights. Please tell me where the error is.
ldap attribute-map Cisco_ASA_Admins
 map-name memberOf IETF-Radius-Service-Type
 map-value memberOf memberOf "CN=Cisco ASA Admins,OU=Services Security Groups,OU=Groups,OU=XXX,DC=XXX,DC=local"
aaa-server Cisco_ASA_Admins protocol ldap
aaa-server Cisco_ASA_Admins (Servers) host y.y.y.y
 ldap-base-dn DC=XXX,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=cisco.srv.account,OU=Services Accounts,OU=Users,OU=XXX,DC=XXX,DC=local
 server-type microsoft
 ldap-attribute-map Cisco_ASA_Admins
user-identity default-domain LOCAL
aaa authentication enable console Cisco_ASA_Admins LOCAL
aaa authentication http console Cisco_ASA_Admins LOCAL
aaa authentication ssh console Cisco_ASA_Admins LOCAL
aaa authorization command LOCAL
01-30-2018 04:12 AM
As far as I know, the ldap attribute-map can be used only for restricting VPN access and not for management access to the ASA.
HTH
Bogdan
01-30-2018 04:35 AM
Thanks for the answer.
How can I set up access to the ASA based on membership in a domain security group?
01-30-2018 06:01 AM
You can use radius. You could activate the Network Policy and Access Services role on your DC.
You can then configure a policy to permit the desired groups to access the ASA.
01-30-2018 08:32 AM - edited 01-30-2018 08:33 AM
Hi nshchukin,
LDAP server: what version of Windows Server is it, and did you enable LDAP over SSL while configuring it?
I implemented the same situation, but it is not working for TLS 1.2 on LDAP.
02-01-2018 09:31 AM
I do not remember, since I set up the NAP a long time ago. How can I check this?
04-19-2018 02:40 AM
It was possible to solve the problem without using a RADIUS server.
I added a line:
aaa authorization http console Cisco_ASA_Admins
Now access to ASDM is allowed only for the group Cisco_ASA_Admins.
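Added example, not the original poster's configuration: the complete arrangement that the final post implies, with the Service-Type values the attribute map must return spelled out (6 = Administrative: full CLI, enable and ASDM; 7 = NAS prompt: CLI only, no ASDM, as documented for ASA management authorization). The group DN and server address are taken from the thread; the second group "Cisco ASA Helpdesk" and the exec-authorization line for SSH are assumptions. The point the thread leaves implicit is that `aaa authentication` only proves the password against AD, so every domain account that binds successfully is admitted until an `aaa authorization` statement consults the mapped Service-Type.

```cisco
! Added example (not from the thread). Group DNs below marked as assumed
! are placeholders; replace them with the real security groups.
ldap attribute-map Cisco_ASA_Admins
 map-name memberOf IETF-Radius-Service-Type
 ! 6 = Administrative: full CLI, enable and ASDM access (group DN from the thread)
 map-value memberOf "CN=Cisco ASA Admins,OU=Services Security Groups,OU=Groups,OU=XXX,DC=XXX,DC=local" 6
 ! 7 = NAS prompt: CLI only, ASDM denied (assumed second group for contrast)
 map-value memberOf "CN=Cisco ASA Helpdesk,OU=Services Security Groups,OU=Groups,OU=XXX,DC=XXX,DC=local" 7
!
aaa-server Cisco_ASA_Admins protocol ldap
aaa-server Cisco_ASA_Admins (Servers) host y.y.y.y
 ldap-base-dn DC=XXX,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=cisco.srv.account,OU=Services Accounts,OU=Users,OU=XXX,DC=XXX,DC=local
 server-type microsoft
 ldap-attribute-map Cisco_ASA_Admins
!
! Authentication: the bind to AD only validates the password, nothing more.
aaa authentication ssh console Cisco_ASA_Admins LOCAL
aaa authentication http console Cisco_ASA_Admins LOCAL
aaa authentication enable console Cisco_ASA_Admins LOCAL
!
! Authorization: ASDM (http) and CLI (exec) sessions are granted only the
! level that the mapped Service-Type allows. The http line is the fix from
! the thread; the exec line extends the same check to SSH (assumed).
aaa authorization http console Cisco_ASA_Admins
aaa authorization exec authentication-server
aaa authorization command LOCAL
```

Verify the mapping with `test aaa-server authentication Cisco_ASA_Admins host y.y.y.y` for an account outside the admin group, then confirm that the same account is refused by ASDM and receives only user-mode CLI over SSH.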