Here is what you need to do:
1. Understand what attribute you are using to trigger a role (aaa query-user)
2. Configure the default role to "no access":
3. Create a server derivation rule in the server group to translate the attribute to a management role
1. Execute the command below and see what AD groups the user is a part of (memberOf is normally used)
aaa query-user <name of ldap server> <username of user>
2. Set the default role to no-access, so that users that pass AD authentication, but do not pass your rule below, do not get in:
3. Under the server rules, I created a rule to see if my AD user is part of the AD group Admin. If that is true, it will give me root privileges when I login. memberOf, the LDAP attribute, usually contains the AD group membership and that is what I used in this case.
*please ignore that I have a radius server here in the server group. It should be an LDAP server.
#7210
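Since the screenshots for steps 2 and 3 are not in the post, here is the same three-step setup as ArubaOS CLI configuration. This is an added example, not the poster's config: the server name, IP, bind account, group DN and "mgmt-ldap" group name are placeholders, and the `!` lines are reader comments, so check the exact keywords against your ArubaOS version before pasting.

```text
! Constructed example: LDAP server pointing at an AD domain controller.
! Names, IP, DNs and the bind password are placeholders, not the poster's values.
aaa authentication-server ldap "ad-ldap-01"
  host 10.0.0.10
  admin-dn "CN=svc-aruba-bind,OU=Service Accounts,DC=example,DC=com"
  admin-passwd "<bind-password>"
  base-dn "DC=example,DC=com"
  key-attribute sAMAccountName
  filter "(objectclass=*)"
  enable

! Step 3: server group with a derivation rule that maps the memberOf
! attribute to the root management role. memberOf is multi-valued, so
! "contains" is used, but on the full group DN rather than just "Admin",
! so a group whose name merely contains the word Admin does not also match.
aaa server-group "mgmt-ldap"
  auth-server "ad-ldap-01"
  set role condition memberOf contains "CN=Admin,OU=Groups,DC=example,DC=com" set-value root

! Step 2: management authentication. A user who authenticates against AD
! but matches no derivation rule gets no-access and cannot log in.
aaa authentication mgmt
  default-role no-access
  server-group "mgmt-ldap"
  enable
```

After applying it, `aaa query-user "ad-ldap-01" <username>` (step 1 from the post) shows the memberOf values the controller actually receives, which is what the `contains` string above has to be matched against.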