VPN user ASA login

Unanswered Question
Mar 12th, 2010

I want to create a user, who can login to VPN however who is not able to login to ASA CLI or web management to view configuration. How do I achieve that? Thank you.

Federico Coto F... Fri, 03/12/2010 - 08:28


Let's say that you have a local user configured on the ASA named cisco.

username cisco password xxxxxxx

You can restrict that user for only remote access by doing the following:

username cisco attributes

service-type remote-access


leos.pohl Fri, 03/12/2010 - 09:06

Thank you for the reply. This is what I actually tried, show run gives for that user:

username cisco password abcabcabc encrypted
username cisco attributes
service-type remote-access

Despite that, the user can log in to the CLI of the ASA and execute enable and e.g. show run, which is very unwanted.

Any more ideas?

Federico Coto F... Fri, 03/12/2010 - 09:17

Is the user cisco member of the tunnel-group which you're connecting to?

username cisco password y9eO2nLogN8cTflM encrypted
username cisco attributes
service-type remote-access
memberof cisco

tunnel-group cisco type remote-access
tunnel-group cisco general-attributes
address-pool newpool


leos.pohl Fri, 03/12/2010 - 09:24

I just made him a member of that group, however there is no change; he can still log in to the CLI and do all the unwanted stuff.

Federico Coto F... Fri, 03/12/2010 - 09:34

I believe that if you lock that user to that group, you can restrict it.

username cisco attributes
service-type remote-access
memberof cisco

group-lock value cisco


Federico Coto F... Fri, 03/12/2010 - 13:36

You can also configure privileges, so that a user can access the ASA but only in user mode (cannot modify any settings).

Now, no matter which user the VPN client connects with, in order to access the ASA, it still needs the enable password, correct?

You can have the VPN clients connecting without them knowing how to get into privileged mode of the ASA, because they lack the enable password.


Mark Walters Fri, 06/18/2010 - 22:14

The original "remote-access" attribute answer was correct, but that command assumes that you are using AAA for login management of the ASA. Ensure that AAA authentication and authorization are enabled on the ASA (as opposed to just telnetting in with the 'password xyz' command).

aaa authentication ssh console LOCAL

aaa authentication enable console LOCAL

aaa authentication telnet console LOCAL

aaa authorization exec LOCAL


username testRAS password yLRmYA5FRKBhsE1j encrypted privilege 0

username testRAS attributes

service-type remote-access


telnet (asa)

Username: testRAS

Password: ******

[ testRAS ] You do NOT have Admin Rights to the console !
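The point of the reply above is that service-type remote-access only takes effect once management authorization (aaa authorization exec) is enabled; without it the attribute is present in the config but does nothing. The following is an added example, not code from the thread, that audits a saved running-config for exactly that gap. The two config fragments are constructed for the example (they mirror the snippets posted by leos.pohl and Mark Walters but are not real device output), and the default values assumed by the parser (privilege 2 and service-type admin when nothing is specified) are ASA local-user defaults.

```python
import re

# Constructed sample: a config like the one leos.pohl posted. The VPN user
# has service-type remote-access, but no 'aaa authorization exec' line, so
# the ASA never evaluates the service-type on login.
CONFIG_WEAK = """
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
username cisco password abcabcabc encrypted
username cisco attributes
 service-type remote-access
username admin password zzzz encrypted privilege 15
"""

# Constructed sample: the same config with the additions from Mark Walters'
# reply (management authorization on, VPN user dropped to privilege 0).
CONFIG_FIXED = """
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authorization exec LOCAL
username cisco password abcabcabc encrypted privilege 0
username cisco attributes
 service-type remote-access
username admin password zzzz encrypted privilege 15
"""

USER_RE = re.compile(r"^username (\S+) password \S+(?: encrypted)?(?: privilege (\d+))?$")
ATTR_RE = re.compile(r"^username (\S+) attributes$")
SVC_RE = re.compile(r"^service-type (\S+)$")


def parse_config(text):
    """Return (aaa_lines, users); users maps name -> {'privilege', 'service_type'}.

    Assumed ASA defaults for a local user: privilege 2, service-type admin.
    """
    aaa = set()
    users = {}
    current = None  # username whose 'attributes' block we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("aaa "):
            aaa.add(line)
            current = None
            continue
        m = USER_RE.match(line)
        if m:
            name, priv = m.group(1), m.group(2)
            users.setdefault(name, {"privilege": 2, "service_type": "admin"})
            users[name]["privilege"] = int(priv) if priv is not None else 2
            current = None
            continue
        m = ATTR_RE.match(line)
        if m:
            current = m.group(1)
            users.setdefault(current, {"privilege": 2, "service_type": "admin"})
            continue
        m = SVC_RE.match(line)
        if m and current:
            users[current]["service_type"] = m.group(1)
    return aaa, users


def audit_vpn_users(text):
    """List VPN-only users that could still reach the management CLI."""
    aaa, users = parse_config(text)
    mgmt_authz = any(l.startswith("aaa authorization exec") for l in aaa)
    findings = []
    for name, u in users.items():
        if u["service_type"] != "remote-access":
            continue  # admin-type users are expected to have CLI access
        if not mgmt_authz:
            findings.append(
                f"{name}: service-type remote-access has no effect without "
                f"'aaa authorization exec LOCAL' (or authentication-server)")
        if u["privilege"] > 0:
            # Defense in depth: with privilege 0 the account has no exec rights
            # even if management authorization is later turned off.
            findings.append(f"{name}: privilege {u['privilege']}, expected 0 for a VPN-only user")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", CONFIG_WEAK), ("fixed", CONFIG_FIXED)):
        print(label, audit_vpn_users(cfg) or "OK")
```

Run it against a `show running-config` dump instead of the embedded samples to check a real box; any finding on the weak config disappears only once `aaa authorization exec` is present, which is the step the original poster was missing.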

londonlinen Wed, 05/07/2014 - 09:14

I got your answer on this page under the heading "Add/Edit User Account > Identity"


It says,

Access Restriction—This section sets the management access level for a user. You must first enable management authorization using the Perform authorization for exec shell access option on the Configuration > Device Management > Users/AAA > AAA Access > Authorization tab.

So, I first enabled "Perform authorization for exec shell access" under Device Management > AAA Access > Authorization tab and then I set the user to 'No access to ASDM' under User Accounts.


