Allow WebVPN without granting ASA/ASDM/CLI access

gregbeifuss
Level 1

Is there a way to allow users WebVPN (SSL) access through the ASA (8.2.1) without allowing them to connect via ASDM, SSH, Telnet or CLI? I would like to prevent my VPN users from accessing the configuration of the firewall.

I see in ASDM that there's some wording about 'this is effective only if AAA authenticate console command is configured' but I don't understand what it's explaining.

Thanks in advance,

Greg

Accepted Solution

hdashnau
Cisco Employee

You can restrict local users with the following:

username <username> attributes
  service-type remote-access

You need the aaa authenticate console commands because when it's not defined you can come in as the default username (pix) or no username at all and the enable password (in the case of ASDM). If there is no username sent, then we obviously can't check for the "service-type" option in the username attributes. Here is some more information about the "aaa authenticate console" command:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1535834

-heather
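Putting Heather's two pieces together, here is a complete configuration that a reader could adapt. This is an added example, not a config from the thread or from Cisco: the user name "vpnuser", the group policy "WEBVPN-ONLY", the interface name "outside" and the password placeholder are assumptions, and the "aaa authorization exec LOCAL" line is my addition (to my knowledge it is what makes the ASA enforce the service-type attribute for the local database on 8.x; check the command reference for your release).

```cisco
! Added example (not from the thread). Assumed names: user "vpnuser",
! group-policy "WEBVPN-ONLY", interface "outside", password placeholder.
!
! 1. Make every management path ask for a username. Without these,
!    ASDM/SSH/Telnet/console can log in with just the enable password
!    (or the default "pix" user), so there is no username whose
!    service-type the ASA could check.
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
!
! 2. Management authorization for the local database (assumption:
!    needed for service-type to be enforced on management logins).
aaa authorization exec LOCAL
!
! 3. A VPN-only local user. service-type remote-access rejects this
!    user on ASDM, SSH, Telnet and the console while still letting
!    it authenticate to WebVPN.
username vpnuser password <password>
username vpnuser attributes
 service-type remote-access
 vpn-group-policy WEBVPN-ONLY
!
! 4. Group policy limited to clientless SSL VPN.
group-policy WEBVPN-ONLY internal
group-policy WEBVPN-ONLY attributes
 vpn-tunnel-protocol webvpn
!
! 5. Enable WebVPN on the outside interface.
webvpn
 enable outside
!
! 6. Verify afterwards:
!    show running-config username   -> each VPN user shows service-type remote-access
!    show running-config aaa        -> every console type has an authentication line
```

The practical difference from the privilege-0 approach described later in the thread: a privilege-0 user is still accepted by ASDM and SSH and gets a restricted read-only session, whereas a service-type remote-access user is refused at login on those paths, so nothing about the firewall is exposed to VPN-only accounts. Whichever you pick, test it from a management host with a VPN user before rolling it out, and keep a separate admin account with service-type admin so you cannot lock yourself out.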


2 Replies


gregbeifuss
Level 1

Based on your post, Heather, I ended up setting the privilege for my VPN users to 0. This allows them to connect to the webvpn interface. It also allows them to connect to the ASA, but with extremely restrictive read-only rights.

I think the info you provided me would do exactly what I want, but my end solution is simpler and more straightforward to configure/maintain.

Thanks,

Greg