AAA Local

Unanswered Question
Dec 6th, 2008
User Badges:


I have defined on a router 2 usernames: admin and vpn.

I want the user admin to be the only accepted by the router to login for administrative purposes, whereas the vpn user must be the only one accepted for VPN remote access to the local LAN.

The authentication and the authorization has to be performed using ONLY local database configured on the router

So far i have defined this:

aaa authentication login default local

aaa authorization exec default local

aaa authorization network vpn-group local


username admin privilege 15

username vpn privilege 1


crypto isakmp profile Ike-1

match identity group remote

client authentication list vpn-group

isakmp authorization list vpn-group

I have seen however the user vpn is allowed to login to the the router and also the admin is allowed to establish a VPN tunnel if successfully authenticated.

Does anybody can enlight me?

Thank you anticipately

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
ganeshhiyer Sun, 12/07/2008 - 23:24
User Badges:


As per the configuration VPN users will also be authenticated to login in router with privillage level 1.

Can you clear your query what exactly u need to do ?


Carlo Zaina Mon, 12/08/2008 - 11:50
User Badges:

I wish to achieve this:

the only userid accepted, when authenticating with the VPN client to the router, must be the vpn user, the admin user must be rejected.

The vpn user then will be granted acces to the local resources.

At this point, if a connection to the router is needed (for troubleshooting or changes to the config), i want ONLY the only userid admin accepted.

In short: admin user has be used only to work on the router, vpn user only to gain access to local remote network

Thank you anticipately



This Discussion