
New Member

AAA Local


I have defined on a router 2 usernames: admin and vpn.

I want the user admin to be the only one accepted by the router to log in for administrative purposes, whereas the vpn user must be the only one accepted for VPN remote access to the local LAN.

The authentication and the authorization have to be performed using ONLY the local database configured on the router.

So far I have defined this:

aaa authentication login default local
aaa authorization exec default local
aaa authorization network vpn-group local
!
username admin privilege 15
username vpn privilege 1
!
crypto isakmp profile Ike-1
 match identity group remote
 client authentication list vpn-group
 isakmp authorization list vpn-group

I have seen, however, that the user vpn is allowed to log in to the router, and also that admin is allowed to establish a VPN tunnel if successfully authenticated.

Can anybody enlighten me?

Thank you in advance.

New Member

Re: AAA Local


As per the configuration, VPN users will also be authenticated to log in to the router with privilege level 1.

Can you clarify your query: what exactly do you need to do?


New Member

Re: AAA Local

I wish to achieve this:

The only user ID accepted, when authenticating with the VPN client to the router, must be the vpn user; the admin user must be rejected.

The vpn user will then be granted access to the local resources.

At this point, if a connection to the router is needed (for troubleshooting or changes to the config), I want ONLY the admin user ID accepted.

In short: the admin user is to be used only to work on the router, the vpn user only to gain access to the local remote network.

Thank you in advance.
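An added configuration example, not the original poster's config, showing how the router login and the IKE Xauth methods can be split into separate named method lists instead of both falling under the "default" login list (the list names ADMIN-LOGIN, ADMIN-EXEC and VPN-XAUTH and the placeholder secrets are assumed). Note that the posted config references a "vpn-group" login list in "client authentication list" but never defines it with "aaa authentication login"; and since every list here still points at the same local user database, the only local-only lever shown for keeping the vpn user off the CLI is the autocommand workaround, which affects exec sessions and not IKE.

```cisco
! Added example (not from the original post). List names and secrets are assumed.
aaa new-model
!
! Separate lists: one for CLI login/exec, one for IKE Xauth, one for IKE
! group (mode-config) authorization. All three still consult the local database.
aaa authentication login ADMIN-LOGIN local
aaa authentication login VPN-XAUTH local
aaa authorization exec ADMIN-EXEC local
aaa authorization network vpn-group local
!
username admin privilege 15 secret <admin-secret>
username vpn privilege 1 secret <vpn-secret>
! Workaround (assumption, local-only): if the vpn user ever reaches an exec
! session, run "exit" immediately so the session ends. This applies to exec
! login only; IKE Xauth does not open an exec session, so VPN access is unchanged.
username vpn autocommand exit
!
line vty 0 4
 login authentication ADMIN-LOGIN
 authorization exec ADMIN-EXEC
!
crypto isakmp profile Ike-1
 match identity group remote
 client authentication list VPN-XAUTH
 isakmp authorization list vpn-group
```

Because a local username cannot be tagged as "VPN-only" or "CLI-only", this separation alone still lets the admin account pass Xauth; rejecting admin on the VPN side requires either a separate credential store for Xauth or an external AAA server that can return per-service attributes.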