Configure usernames on ASA for VPN but prohibit CLI access

Unanswered Question
May 23rd, 2009

I create a username on the ASA for the purpose of providing VPN access...

username vpnuser1 password <removed> encrypted privilege 0

username vpnuser1 attributes

vpn-group-policy remoteaccess

vpn-tunnel-protocol IPSec

group-lock value remoteaccess

Note that in the above, "remoteaccess" is the name of the VPN group policy.

It works fine and user can VPN. The problem is, that username ALSO works for logging in to the CLI which I do not want. How can this be fixed?

Overall Rating: 5 (2 ratings)
tf2-conky Sat, 05/23/2009 - 20:06

I am interested to find this out also. telnet/ssh access is restricted to a specific IP, but this doesn't stop a user from logging in from the console.

Collin Clark Tue, 05/26/2009 - 05:32

You can set the attributes of the user to be a remote access client only.

ciscoasa(config)#username matthewp password [email protected]

ciscoasa(config)#username matthewp attributes

ciscoasa(config-username)#service-type remote-access

!--- Assign user remote access only. No SSH, Telnet, ASDM access allowed.

ciscoasa(config-username)#write memory

Hope that helps.

tf2-conky Tue, 06/23/2009 - 21:43

Unfortunately this does not appear to work.

I can still access the ASA via SSH/ASDM from the inside, using an account I created for VPN.

I want all users to be able to use remote VPN, but I also want only some of those users to be able to access the ASDM from the inside LAN (DHCP).

The only choice I'm left with is assigning static IPs to certain users, and locking down the management access per IP. Just not ideal for my situation.

I'm using aaa local

tf2-conky Sun, 06/28/2009 - 21:36

Actually it does work. I had just neglected to add

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authentication serial console LOCAL
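
The check this sub-thread arrives at, as an added example that is not part of the original posts: a Python audit of a saved running-config that lists VPN users lacking service-type remote-access and any of the three aaa authentication ... console LOCAL lines that are absent. The sample config is constructed, and the script assumes the indented layout that show running-config prints.

```python
import re

# Constructed sample in "show running-config" layout (not from the thread);
# vpnuser2 and admin1 are illustrative names, XXXX is a placeholder hash.
SAMPLE_CONFIG = """\
username vpnuser1 password XXXX encrypted privilege 0
username vpnuser1 attributes
 vpn-group-policy remoteaccess
 service-type remote-access
username vpnuser2 password XXXX encrypted privilege 0
username vpnuser2 attributes
 vpn-group-policy remoteaccess
username admin1 password XXXX encrypted privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
"""

REQUIRED_AAA = ("http", "ssh", "serial")  # the three lines named in the thread


def audit(config):
    """Return (VPN users lacking service-type remote-access, missing AAA lines)."""
    attrs, aaa_local, current = {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"username (\S+) attributes$", line)
        if m:
            current = m.group(1)
            attrs.setdefault(current, [])
        elif raw[:1].isspace() and current:
            attrs[current].append(line)  # indented line belongs to the user block
        else:
            current = None
            m = re.match(r"aaa authentication (\S+) console .*\bLOCAL$", line)
            if m:
                aaa_local.add(m.group(1))
    unrestricted = sorted(
        user for user, lines in attrs.items()
        if any(l.startswith("vpn-group-policy ") for l in lines)
        and "service-type remote-access" not in lines
    )
    missing = [f"aaa authentication {s} console LOCAL"
               for s in REQUIRED_AAA if s not in aaa_local]
    return unrestricted, missing


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```
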

meetnauman Tue, 05/26/2009 - 06:26

By CLI, do you mean SSH/Telnet or console?

Have you enabled AAA on the Device?

jeremyault Mon, 06/08/2009 - 01:13

CLI = Command Line Interface (SSH, Telnet, Console.)

As opposed to the GUI = Graphical User Interface.

