Configure usernames on ASA for VPN but prohibit CLI access

Unanswered Question
May 23rd, 2009
User Badges:

I create a username on the ASA for the purpose of providing VPN access...

username vpnuser1 password <removed> encrypted privilege 0

username vpnuser1 attributes

vpn-group-policy remoteaccess

vpn-tunnel-protocol IPSec

group-lock value remoteaccess

Note that in the above, "remoteaccess" is the name of the VPN group policy.

It works fine and user can VPN. The problem is, that username ALSO works for logging in to the CLI which I do not want. How can this be fixed?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
tf2-conky Sat, 05/23/2009 - 20:06
User Badges:

I am interested to find this out also. telnet/ssh access is restricted to a specific IP, but this doesn't stop a user from logging in from the console.

Collin Clark Tue, 05/26/2009 - 05:32
User Badges:
  • Purple, 4500 points or more

You can set the attributes of the user to be a remote access client only.

<b><font size="2" > </p><p>ciscoasa(config)#username matthewp password [email protected]</p><p>ciscoasa(config)#username matthewp attributes</p><p>ciscoasa(config-username)#service-type remote-access</p><p><font color="blue"> </p><p>!--- Assign user remote access only. No SSH, Telnet, ASDM access allowed.</p><p> </font></p><p>ciscoasa(config-username)#write memory</p><p></p><p></b>

Hope that helps.

tf2-conky Tue, 06/23/2009 - 21:43
User Badges:

Unfortunately this does not appear to work.

I can still access the asa via ssh/asdm from the inside, using an account I created for VPN.

I want all users to be able to use remote VPN, but I also want only some of those users to be able to access the ASDM from the inside LAN(DHCP)

The only choice I'm left with is assigning static IP's to certain users, and locking down the management access per IP. Just not ideal for my situation.

I'm using aaa local

tf2-conky Sun, 06/28/2009 - 21:36
User Badges:

Actually it does work. I had just neglected to add

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authentication serial console LOCAL

meetnauman Tue, 05/26/2009 - 06:26
User Badges:

BY CLI - do you mean SSH/Telnet or Console ?

Have you enabled AAA on the Device?

jeremyault Mon, 06/08/2009 - 01:13
User Badges:

CLI = Command Line Interface (SSH, Telnet, Console.)

As opposed to the GUI = Graphical User Interface.


This Discussion