05-23-2009 08:23 AM - edited 03-11-2019 08:35 AM
I create a username on the ASA for the purpose of providing VPN access...
username vpnuser1 password <removed> encrypted privilege 0
username vpnuser1 attributes
vpn-group-policy remoteaccess
vpn-tunnel-protocol IPSec
group-lock value remoteaccess
Note that in the above, "remoteaccess" is the name of the VPN group policy.
It works fine and the user can VPN. The problem is that the username ALSO works for logging in to the CLI, which I do not want. How can this be fixed?
05-23-2009 08:06 PM
I am interested to find this out also. telnet/ssh access is restricted to a specific IP, but this doesn't stop a user from logging in from the console.
05-26-2009 05:32 AM
You can set the attributes of the user to be a remote access client only.
ciscoasa(config)#username matthewp password p@ssw0rd
ciscoasa(config)#username matthewp attributes
ciscoasa(config-username)#service-type remote-access
!--- Assign user remote access only. No SSH, Telnet, ASDM access allowed.
ciscoasa(config-username)#write memory
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml
Hope that helps.
06-08-2009 01:13 AM
Thanks. That's the answer I was looking for.
06-23-2009 09:43 PM
Unfortunately this does not appear to work.
I can still access the asa via ssh/asdm from the inside, using an account I created for VPN.
I want all users to be able to use remote VPN, but I also want only some of those users to be able to access the ASDM from the inside LAN (DHCP).
The only choice I'm left with is assigning static IPs to certain users and locking down the management access per IP. Just not ideal for my situation.
I'm using aaa local
06-28-2009 09:36 PM
Actually it does work. I had just neglected to add
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
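As an added example (not from the thread or from Cisco), here is a small Python audit that applies the two points above to a saved ASA running-config: every user carrying a vpn-group-policy should also carry service-type remote-access, and the http/ssh/telnet/serial consoles must authenticate against LOCAL for that restriction to matter. The sample config is constructed; the console list and the "VPN user = has vpn-group-policy" heuristic are assumptions.

```python
import re

# Constructed sample running-config (not from the thread): vpnuser1 is correctly
# restricted, vpnuser2 is missing service-type, and only http/ssh use LOCAL auth.
SAMPLE_CONFIG = """\
username vpnuser1 password <removed> encrypted privilege 0
username vpnuser1 attributes
 vpn-group-policy remoteaccess
 service-type remote-access
username vpnuser2 password <removed> encrypted privilege 0
username vpnuser2 attributes
 vpn-group-policy remoteaccess
username admin password <removed> encrypted privilege 15
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
"""

# Management consoles that should use LOCAL auth (assumed list).
MGMT_CONSOLES = ("http", "ssh", "telnet", "serial")


def audit_asa_config(config: str) -> dict:
    """Flag VPN users lacking service-type remote-access and management
    consoles that do not authenticate against the LOCAL database."""
    users = {}      # username -> set of attribute lines
    current = None  # user whose 'attributes' block we are inside
    for line in config.splitlines():
        m = re.match(r"^username (\S+) attributes", line)
        if m:
            current = m.group(1)
            users.setdefault(current, set())
            continue
        if line.startswith(" ") and current:
            users[current].add(line.strip())  # indented line = attribute
            continue
        current = None  # any non-indented line ends the attributes block
        m = re.match(r"^username (\S+) password", line)
        if m:
            users.setdefault(m.group(1), set())
    missing_service_type = sorted(
        u for u, attrs in users.items()
        if any(a.startswith("vpn-group-policy") for a in attrs)
        and "service-type remote-access" not in attrs)
    local = set(re.findall(r"^aaa authentication (\S+) console LOCAL", config, re.M))
    return {"vpn_users_missing_service_type": missing_service_type,
            "consoles_without_local_auth": sorted(c for c in MGMT_CONSOLES if c not in local)}


if __name__ == "__main__":
    print(audit_asa_config(SAMPLE_CONFIG))
```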
05-26-2009 06:26 AM
By CLI, do you mean SSH/Telnet or Console?
Have you enabled AAA on the Device?
06-08-2009 01:13 AM
CLI = Command Line Interface (SSH, Telnet, Console.)
As opposed to the GUI = Graphical User Interface.