We have a Cisco ASA that is integrated with eDirectory for LDAP
authentication of VPN users. I have a need to prevent one OU of users
in eDirectory from being able to login using the VPN client. When they
are inside the office on the MPLS network, we want to allow
authentications, but if the request comes from our firewall we'd like to
prevent them.

I opened an SR on this and the answer I got was not ideal so I'm just
making sure the gurus in the field concur. I see where in ConsoleOne or
iManager I can add Allowed Addresses, but only one at a time. There is
no place I can find that would restrict from a single IP such as the
inside interface of our firewall. That is the most ideal situation
because then the rest of our MPLS network would work fine for these

Second best would probably be to allow them from within specific ranges
of IPs such as and That will allow the users
to authenticate to eDirectory any time they are in our offices on the
MPLS network, but from outside the VPN would not work because it is not
coming from one of these addresses.

As a last resort, I could add individual IPs from which the users are
allowed to logon. This is where NTS is pointing me but it will be
painful. I have to enter each and every one of the 255 IPs on the OU
object Restrictions tab.

Someone please tell me there is a better way!

sinnwellr's Profile: https://forums.netiq.com/member.php?userid=158
View this thread: https://forums.netiq.com/showthread.php?t=47421
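The post asks for an address-based restriction in eDirectory that lets office logins through but blocks the same users when the bind arrives from the firewall. Before entering anything on the Restrictions tab, it is worth checking that the firewall's inside interface address does not itself fall inside one of the office ranges; if it does, the restriction cannot tell VPN logins apart from office logins. The script below is an added example, not code from the thread or from NetIQ; the addresses in it are constructed placeholders, and it only models the allow/deny decision rather than talking to eDirectory.

```python
import ipaddress

# Constructed placeholder values: the firewall's inside interface address and
# the office MPLS ranges stand in for the poster's real addressing.
FIREWALL_INSIDE_IP = ipaddress.ip_address("192.0.2.1")        # placeholder
OFFICE_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),                  # placeholder site A
    ipaddress.ip_network("203.0.113.0/24"),                   # placeholder site B
]


def overlapping_ranges(firewall_ip, ranges):
    """Return the allowed ranges that also contain the firewall address.

    A non-empty result means an address-based restriction cannot separate
    VPN binds (which arrive from the firewall) from office binds.
    """
    return [net for net in ranges if firewall_ip in net]


def would_authenticate(source_ip, ranges):
    """Model eDirectory's network address restriction: the bind is allowed
    only when the source address lies within one of the listed networks."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in ranges)


def host_entries(ranges):
    """Expand the ranges into the individual host addresses that would have
    to be entered one by one if only single addresses were accepted."""
    return [str(h) for net in ranges for h in net.hosts()]


if __name__ == "__main__":
    conflicts = overlapping_ranges(FIREWALL_INSIDE_IP, OFFICE_RANGES)
    print("ranges that also contain the firewall:", conflicts)
    print("office login allowed:",
          would_authenticate("198.51.100.42", OFFICE_RANGES))
    print("login via firewall allowed:",
          would_authenticate(str(FIREWALL_INSIDE_IP), OFFICE_RANGES))
    print("single-address entries needed instead of ranges:",
          len(host_entries(OFFICE_RANGES)))
```

Run it with the real inside-interface address and office ranges substituted; any range reported by `overlapping_ranges` has to be split or narrowed before the restriction will block the firewall-sourced binds.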