ASA server allows every user in Active Directory to get in!

ASA server allows every user in active directory to get in.

That's how my boss set it up. ALL 400 USER IDs CAN GET IN using RADIUS, but only 29 people need to.

He has left the company, and I want to limit access to an AD group.

I have created an AD group called "VPN access" and added the 29 people to the group.

How can I limit VPN access to people that are in the group "VPN access"?

We are using Cisco ASDM 5.2 for ASA, and I can do GUI only, no command line.

(I have dyslexia and Cliphobia) (fear of command line)

Thanks

Reply to
Richard Herb

You need to find the group setup screen (unsure of its exact location on the GUI), and you should be able to find the Cisco group account that should reference A/D authentication in its setup/configuration. Hopefully it has a drop-down with which existing A/D group it is using as its basis, and you should select your new group from the drop-down. At least this is how it would be done on a VPN concentrator, so I assume it's very similar on the ASA. Let us know how you fare.

Reply to
Trendkill

Set it up for RADIUS auth. Install IAS on the DC and point it to that group. I don't believe there is a way to limit it by using direct AD auth.

Reply to
Brian V

In the ASDM, go to the Configuration button, select the Properties button on the right-hand side; it will display AAA Setup. Select the AAA Server Groups; this will show the server that is running the RADIUS on it by IP. Edit the server's properties, and you then need to change the base DN name that is defining what OU you are allowing access to the firewall, i.e. OU=vpn, OU=users, OU=companyname, dc=domain,dc=local

Currently it is probably pointing to the OU that holds all your user accounts.

HTH,

Chad

Reply to
Chad Mahoney
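The base DN Chad describes is a parameter of an LDAP-type AAA server on the ASA; ASDM writes the same lines into the running config. The fragment below is an added example, not from this thread or from Cisco, and the host address, server-group name, service-account DN and OU names are assumed: the first block is the wide-open setting, the second the narrowed one.

```text
! Added example (not from the thread): LDAP AAA server on a Cisco ASA.
! Assumed values: host 10.0.0.5, group name AD-LDAP, DNs under domain.local.

! BEFORE: base DN at the container holding every user account,
! so any of the 400 accounts is found and can authenticate.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.5
 server-type microsoft
 ldap-login-dn CN=svc-asa,OU=service accounts,DC=domain,DC=local
 ldap-login-password REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD
 ldap-naming-attribute sAMAccountName
 ldap-scope subtree
 ldap-base-dn OU=users,OU=companyname,DC=domain,DC=local

! AFTER: base DN narrowed to the container that holds only the VPN users.
! Accounts outside OU=vpn are never found by the search, so they fail
! authentication even with a correct password.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.5
 server-type microsoft
 ldap-login-dn CN=svc-asa,OU=service accounts,DC=domain,DC=local
 ldap-login-password REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD
 ldap-naming-attribute sAMAccountName
 ldap-scope subtree
 ldap-base-dn OU=vpn,OU=users,OU=companyname,DC=domain,DC=local

! Caveat: the base DN limits where the ASA searches, not who is a member
! of a group. A security group such as "VPN access" is not a container, so
! with this approach the 29 accounts must actually be located in OU=vpn.
! Matching on group membership itself is what the IAS policy in Brian's
! answer does on the RADIUS side.
```

After changing the base DN, test with one account inside the OU and one outside it before relying on the change, so you confirm the outside account is refused.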

thanks Chad

Reply to
Richard Herb
