Configure usernames on ASA for VPN but prohibit CLI access

jeremyault
Level 1

I create a username on the ASA for the purpose of providing VPN access...

username vpnuser1 password <removed> encrypted privilege 0
username vpnuser1 attributes
 vpn-group-policy remoteaccess
 vpn-tunnel-protocol IPSec
 group-lock value remoteaccess

Note that in the above, "remoteaccess" is the name of the VPN group policy.

It works fine and user can VPN. The problem is, that username ALSO works for logging in to the CLI which I do not want. How can this be fixed?

7 Replies

tf2-conky
Level 1

I am interested to find this out also. telnet/ssh access is restricted to a specific IP, but this doesn't stop a user from logging in from the console.

Collin Clark
VIP Alumni

You can set the attributes of the user to be a remote access client only.

ciscoasa(config)#username matthewp password p@ssw0rd
ciscoasa(config)#username matthewp attributes
ciscoasa(config-username)#service-type remote-access
!--- Assign user remote access only. No SSH, Telnet, ASDM access allowed.
ciscoasa(config-username)#write memory

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml

Hope that helps.

Thanks. That's the answer I was looking for.

Unfortunately this does not appear to work.

I can still access the ASA via SSH/ASDM from the inside, using an account I created for VPN.

I want all users to be able to use remote VPN, but I also want only some of those users to be able to access the ASDM from the inside LAN (DHCP).

The only choice I'm left with is assigning static IPs to certain users, and locking down the management access per IP. Just not ideal for my situation.

I'm using aaa local

Actually it does work. I had just neglected to add

aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
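An added audit script (written for this page, not posted in the thread) that checks a saved running-config for the two things the replies above turn on: the `service-type remote-access` restriction on each VPN username, and the `aaa authentication <path> console LOCAL` lines without which that restriction was not enforced. The config excerpt is constructed sample text, not anyone's real ASA.

```python
import re

# Constructed sample running-config excerpt (assumption: not from a real ASA).
SAMPLE_CONFIG = """\
username vpnuser1 password <removed> encrypted privilege 0
username vpnuser1 attributes
 vpn-group-policy remoteaccess
 vpn-tunnel-protocol IPSec
 group-lock value remoteaccess
username matthewp password <removed> encrypted
username matthewp attributes
 service-type remote-access
username admin1 password <removed> encrypted privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
"""

# Management paths whose login must be pointed at LOCAL for service-type to apply.
MGMT_PATHS = ("ssh", "http", "serial", "telnet")


def parse_usernames(config):
    """Map each username to the set of lines in its 'username X attributes' block."""
    attrs, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^username (\S+) attributes\s*$", line)
        if m:
            current = m.group(1)
            attrs.setdefault(current, set())
        elif current and line.startswith(" "):
            attrs[current].add(line.strip())
        else:
            current = None
            m = re.match(r"^username (\S+) password", line)
            if m:
                attrs.setdefault(m.group(1), set())
    return attrs


def missing_local_auth(config):
    """Management paths with no 'aaa authentication <path> console LOCAL' line."""
    present = set(re.findall(r"^aaa authentication (\S+) console LOCAL\s*$", config, re.M))
    return [p for p in MGMT_PATHS if p not in present]


def users_without_remote_access_restriction(config):
    """Usernames whose attributes do not include 'service-type remote-access'."""
    return sorted(u for u, a in parse_usernames(config).items()
                  if "service-type remote-access" not in a)


if __name__ == "__main__":
    print("management paths not using LOCAL auth:", missing_local_auth(SAMPLE_CONFIG))
    print("users not limited to VPN:", users_without_remote_access_restriction(SAMPLE_CONFIG))
```

Feed it `show running-config` output saved to a file; any username listed for which VPN-only access was intended, or any management path left off the LOCAL list, is the gap described in the replies.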

meetnauman
Level 1

BY CLI - do you mean SSH/Telnet or Console ?

Have you enabled AAA on the Device?

CLI = Command Line Interface (SSH, Telnet, Console.)

As opposed to the GUI = Graphical User Interface.
