ASA server allows every user in Active Directory to get in!

Discussion in 'Cisco' started by Richard Herb, Jan 16, 2008.

  1. Richard Herb

    Richard Herb Guest

    ASA server allows every user in Active Directory to get in.

    That's how my boss set it up. ALL 400 USER IDs CAN GET IN using
    RADIUS, but only 29 people need to.

    He has left the company, and I want to limit access to an AD group.

    I have created an AD group called "VPN access" and added the 29 people
    to the group.

    How can I limit VPN access to people that are in the group "VPN
    access"?

    We are using Cisco ASDM 5.2 for ASA, and I can do GUI only, no command
    line.

    (I have dyslexia and CLI-phobia, a fear of the command line.)

    Thanks
     
    Richard Herb, Jan 16, 2008
    #1

  2. Trendkill

    Trendkill Guest

    On Jan 16, 10:23 am, Richard Herb <> wrote:
    > ASA server allows every user in Active Directory to get in.
    >
    > That's how my boss set it up. ALL 400 USER IDs CAN GET IN using
    > RADIUS, but only 29 people need to.
    >
    > He has left the company, and I want to limit access to an AD group.
    >
    > I have created an AD group called "VPN access" and added the 29 people
    > to the group.
    >
    > How can I limit VPN access to people that are in the group "VPN
    > access"?
    >
    > We are using Cisco ASDM 5.2 for ASA, and I can do GUI only, no command
    > line.
    >
    > (I have dyslexia and CLI-phobia, a fear of the command line.)
    >
    > Thanks


    You need to find the group setup screen (unsure of its exact location
    in the GUI), and you should be able to find the Cisco group account
    that should reference A/D authentication in its setup/configuration.
    Hopefully it has a drop-down showing which existing A/D group it is using
    as its basis, and you should select your new group from the drop-down.
    At least this is how it would be done on a VPN concentrator, so
    I assume it's very similar on the ASA. Let us know how you fare.
     
    Trendkill, Jan 16, 2008
    #2

  3. Brian V

    Brian V Guest

    "Richard Herb" <> wrote in message
    news:...
    > ASA server allows every user in Active Directory to get in.
    >
    > That's how my boss set it up. ALL 400 USER IDs CAN GET IN using
    > RADIUS, but only 29 people need to.
    >
    > He has left the company, and I want to limit access to an AD group.
    >
    > I have created an AD group called "VPN access" and added the 29 people
    > to the group.
    >
    > How can I limit VPN access to people that are in the group "VPN
    > access"?
    >
    > We are using Cisco ASDM 5.2 for ASA, and I can do GUI only, no command
    > line.
    >
    > (I have dyslexia and CLI-phobia, a fear of the command line.)
    >
    > Thanks
    >


    Set it up for RADIUS auth. Install IAS on the DC and point it to that group.
    I don't believe there is a way to limit it by using direct AD auth.
     
    Brian V, Jan 16, 2008
    #3
  4. Chad Mahoney

    Chad Mahoney Guest

    Richard Herb wrote:
    > ASA server allows every user in Active Directory to get in.
    >
    > That's how my boss set it up. ALL 400 USER IDs CAN GET IN using
    > RADIUS, but only 29 people need to.
    >
    > He has left the company, and I want to limit access to an AD group.
    >
    > I have created an AD group called "VPN access" and added the 29 people
    > to the group.
    >
    > How can I limit VPN access to people that are in the group "VPN
    > access"?
    >
    > We are using Cisco ASDM 5.2 for ASA, and I can do GUI only, no command
    > line.
    >
    > (I have dyslexia and CLI-phobia, a fear of the command line.)
    >
    > Thanks
    >


    In the ASDM:
    Go to the Configuration button and select the Properties button on the
    right-hand side. It will display AAA Setup; select AAA Server Groups,
    which will show, by IP, the server that is running RADIUS. Edit the
    server's properties, and you then need to change the base DN that
    defines which OU you are allowing access to the firewall, e.g.
    OU=vpn, OU=users, OU=companyname, dc=domain,dc=local

    Currently it is probably pointing to the OU that holds all your user
    accounts.


    HTH,

    Chad
     
    Chad Mahoney, Jan 17, 2008
    #4
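    Neither answer above shows what the group restriction actually looks
    like on the firewall, so here is an added example of the ASA-side
    configuration; it is not from any poster in this thread and not a
    configuration taken from the page. It uses the LDAP path (the ASA
    querying AD directly) rather than the RADIUS/IAS path Brian
    describes, because the whole check can then be read on the ASA: the
    `ldap-base-dn` only tells the ASA where in the directory to search for
    the account, and the membership test is done by an `ldap attribute-map`
    that turns the user's `memberOf` value into a group policy. The host
    10.0.0.5, the bind account, the DNs, and the policy and tunnel-group
    names are all assumed placeholders; only the group name "VPN access"
    comes from the original post.

```text
! Added example: restrict remote-access VPN to one AD group on a Cisco ASA.
! All hosts, DNs and object names below are assumed placeholders.

! 1. Map the AD group DN found in the user's memberOf attribute to a
!    group policy. Users in no mapped group get no mapping at all.
ldap attribute-map AD-GROUP-MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=VPN access,OU=Groups,DC=example,DC=local" GP-VPN-ALLOW

! 2. LDAP server group that binds to AD and applies the map.
!    ldap-base-dn is the search root for the account, not an access rule.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.5
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service Accounts,DC=example,DC=local
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP

! 3. Fail-closed default: zero simultaneous logins refuses the session
!    even though AD accepted the password.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0

! 4. Policy that members of "VPN access" are mapped into.
group-policy GP-VPN-ALLOW internal
group-policy GP-VPN-ALLOW attributes
 vpn-simultaneous-logins 3

! 5. Tunnel group: authenticate against AD, default everyone to NOACCESS;
!    only a successful memberOf match overrides it with GP-VPN-ALLOW.
tunnel-group RemoteAccess general-attributes
 authentication-server-group AD-LDAP
 default-group-policy GP-NOACCESS
```

    The part that does the limiting is `default-group-policy GP-NOACCESS`
    with `vpn-simultaneous-logins 0`: an account that authenticates but
    whose `memberOf` never matches the mapped DN inherits that policy and
    is refused at login, so the rule fails closed for the other ~370
    accounts instead of relying on them not knowing the VPN exists. Test
    with one account inside the group and one outside it before pointing
    the production tunnel group at the new server group; `debug ldap 255`
    on the ASA shows the attribute-map match or its absence. If you stay
    on RADIUS as Brian suggests, the equivalent fail-closed check lives in
    IAS: a remote access policy whose condition is the "VPN access"
    Windows group, with no other policy on that server granting access.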
  5. Richard Herb

    Richard Herb Guest

    thanks Chad
     
    Richard Herb, Feb 14, 2008
    #5
