How to control SSH access via LDAP?
I have an ASA and an LDAP server. I do all my authentication with this LDAP server, even SSH.
The problem I ran into is: all my authenticated users are able to SSH to my ASA, while I want only a few users, probably a group of users, to have admin access to the ASA.
I have created an admin group in LDAP, and only those users should be able to log in to the ASA, no one else.
SOLUTION:
This is how I fixed it:
I already had an authentication server group configured on the ASA that is used for authentication.
I created an LDAP attribute map that matches the "memberOf" attribute sent by the server and assigns service-type 6 (Administrative) when the user is in the admin group.
Example:
    ldap attribute-map mymap
      map-name memberOf IETF-Radius-Service-Type
      map-value memberOf CN=Admin,OU=acb,OU=Loc,DC=test,DC=com 6
Apply the LDAP attribute map to the AAA server group that is used for authentication.
With this, a user is allowed to SSH to the device only if he/she is a member of the Admin group; everyone else is refused.
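As an added example, not the original post's configuration, here is a complete set of the ASA commands the steps above describe; the map and server-group names, the server address, the base DN and the service-account DN are assumed placeholders, and the final `aaa authorization exec authentication-server` line is assumed here because it is what makes the ASA enforce the mapped Service-Type on management sessions.

```cisco
! Added example, not the original post's config. Names, address and DNs are placeholders.
! Attribute map: translate membership in the admin group into RADIUS Service-Type 6.
ldap attribute-map ADMIN-MAP
 map-name memberOf IETF-Radius-Service-Type
 map-value memberOf "CN=Admin,OU=acb,OU=Loc,DC=test,DC=com" 6
!
! LDAP server group used for SSH authentication; the attribute map is attached on the host.
aaa-server LDAP-SRV protocol ldap
aaa-server LDAP-SRV (inside) host 192.0.2.10
 ldap-base-dn DC=test,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service,DC=test,DC=com
 ldap-login-password <service-account-password>
 server-type microsoft
 ldap-attribute-map ADMIN-MAP
!
! SSH authenticates against the LDAP group; LOCAL is only consulted if the server is unreachable.
aaa authentication ssh console LDAP-SRV LOCAL
! Management authorization (assumed): the ASA honours the returned Service-Type, so only
! users mapped to 6 (Administrative) get admin CLI access.
aaa authorization exec authentication-server
```

To check the mapping before relying on it, run `test aaa-server authentication LDAP-SRV host 192.0.2.10 username <user> password <pass>` with `debug ldap 255` enabled and confirm the returned memberOf values and the mapped Service-Type for an admin and for a non-admin account.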
If you are still unable to make it work then please post your comment and I should be able to help you out.