VPN user ASA login

leos.pohl
Level 1

I want to create a user, who can login to VPN however who is not able to login to ASA CLI or web management to view configuration. How do I achieve that? Thank you.

9 Replies

Hi,

Let's say that you have a local user configured on the ASA named cisco.

username cisco password xxxxxxx

You can restrict that user for only remote access by doing the following:

username cisco attributes
service-type remote-access

Federico.

Thank you for the reply. This is what I actually tried, show run gives for that user:

username cisco password abcabcabc encrypted
username cisco attributes
service-type remote-access

Despite that, the user can log in to the CLI of the ASA, execute enable and e.g. show run, which is very unwanted.

Any more ideas?

Is the user cisco member of the tunnel-group which you're connecting to?

username cisco password y9eO2nLogN8cTflM encrypted
username cisco attributes
service-type remote-access
memberof cisco

tunnel-group cisco type remote-access
tunnel-group cisco general-attributes
address-pool newpool

Federico.

I just made him a member of that group, however there is no change: he can still log in to the CLI and do all the unwanted stuff.

I believe that if you lock that user to that group, you can restrict it.

username cisco attributes
service-type remote-access
memberof cisco

group-lock value cisco

Federico.

No luck. He can still login. Any more ideas?

You can also configure privileges, so that a user can access the ASA but only in user mode (cannot modify any settings).

Now, no matter which user the VPN client connects with, in order to access the ASA it still needs the enable password, correct?

You can have the VPN clients connecting without them knowing how to get into privileged mode of the ASA, because they lack the enable password.

Federico.

The original "remote-access" attribute answer was correct, but that command assumes that you are using AAA for login management of the ASA. Ensure that AAA authentication and authorization are enabled on the ASA (as opposed to just telnet-ing in with the 'password xyz' command).

aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authorization exec LOCAL
!
username testRAS password yLRmYA5FRKBhsE1j encrypted privilege 0
username testRAS attributes
service-type remote-access

-------------------------

telnet 192.168.1.1 (asa)

Username: testRAS
Password: ******

[ testRAS ] You do NOT have Admin Rights to the console !

Cheers,
Mark
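The point of Mark's reply is that `service-type remote-access` is only evaluated once `aaa authorization exec LOCAL` is on; without it the restriction is silently ignored. The following audit script is an added example, not code from the thread or from Cisco: it parses a pasted running-config and lists every local user who can still reach the CLI. The config text is constructed for the example, and the script assumes the ASA defaults of privilege 2 and service-type admin for users that do not set them.

```python
import re

# Constructed sample, modelled on the thread: the AAA lines that make
# service-type effective, one VPN-only user, and one real administrator.
GOOD_CONFIG = """\
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization exec LOCAL
username testRAS password yLRmYA5FRKBhsE1j encrypted privilege 0
username testRAS attributes
service-type remote-access
username admin password Xo7Aq2cFpLwM9vBn encrypted privilege 15
username admin attributes
service-type admin
"""
# Same users without 'aaa authorization exec', as in the original poster's
# failing attempt: the remote-access restriction is never evaluated.
BAD_CONFIG = GOOD_CONFIG.replace("aaa authorization exec LOCAL\n", "")


def parse_users(config):
    """Map username -> {'privilege': int, 'service_type': str}."""
    users, current = {}, None
    for line in config.splitlines():
        m = re.match(r"username (\S+) password \S+(?: encrypted)?(?: privilege (\d+))?", line)
        if m:
            # Assumed ASA defaults: privilege 2, service-type admin.
            current = users.setdefault(m.group(1), {"privilege": 2, "service_type": "admin"})
            if m.group(2):
                current["privilege"] = int(m.group(2))
            continue
        m = re.match(r"username (\S+) attributes", line)
        if m:
            current = users.setdefault(m.group(1), {"privilege": 2, "service_type": "admin"})
            continue
        m = re.match(r"\s*service-type (\S+)", line)
        if m and current is not None:
            current["service_type"] = m.group(1)
    return users


def cli_capable_users(config):
    """Return {username: reason} for every local user who can still reach the CLI."""
    exec_authz = re.search(r"^aaa authorization exec LOCAL\s*$", config, re.M)
    result = {}
    for name, u in parse_users(config).items():
        if not exec_authz:
            result[name] = "service-type not enforced: 'aaa authorization exec LOCAL' is missing"
        elif u["service_type"] != "remote-access":
            result[name] = f"service-type {u['service_type']}, privilege {u['privilege']}"
    return result
```

Running `cli_capable_users` over the two constructed configs shows the VPN-only user dropping out only when the exec authorization line is present.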

londonlinen
Level 1

I got your answer on this page, under the heading "Add/Edit User Account > Identity":

http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/asdm60/user/guide/usrguide/aaasetup.html

It says,

Access Restriction—This section sets the management access level for a user. You must first enable management authorization using the Perform authorization for exec shell access option on the Configuration > Device Management > Users/AAA > AAA Access > Authorization tab.

So, I first enabled "Perform authorization for exec shell access" under Device Management > AAA Access > Authorization tab, and then I set the user to 'No access to ASDM' under User Accounts.
