
Allow users to authenticate on VPN but not login to devices

How can I permit a user to authenticate via VPN but not have command line or ASDM access?

The default device admin authorization policy is PermitAccess DenyAllCommands; this allows them to connect via VPN but ALSO allows them to log in to the network endpoints and firewalls.


Allow users to authenticate on VPN but not login to devices

Hi there,

You can configure the ACS to send back the Service type Outbound to allow only VPN access:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1070306

"Service-Type 5 (Outbound)—Denies management access. The user cannot use any services specified by the aaa authentication console commands (excluding the serial keyword; serial access is allowed). Remote access (IPSec and SSL) users can still authenticate and terminate their remote access sessions."

This attribute is configured under Policy Elements.

Let me know if it helps.
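As an added illustration (not part of this thread, and not Cisco or ACS code), the following Python models the decision the quoted ASA rule describes: it parses the attribute TLVs of a RADIUS Access-Accept, extracts Service-Type (attribute 6, RFC 2865), and reports whether a given management service or a VPN session would be allowed. The packet builder, the service names ("ssh", "http" for the ASDM path, "serial", "vpn", etc.), and the random Response Authenticator are constructed assumptions for the example; real authenticator verification against the shared secret is not modelled. Service-Type values other than 5 (Outbound) are left unrestricted here, matching the questioner's observation about the default policy; the example does not model how the ASA treats those values.

```python
"""Parse a RADIUS Access-Accept and apply the ASA Service-Type 5 rule.

Constructed example: packets are built locally, not captured from a real
ACS or ASA, and the Response Authenticator is random rather than computed.
"""
import os
import struct

ACCESS_ACCEPT = 2              # RADIUS Code for Access-Accept (RFC 2865)
ATTR_SERVICE_TYPE = 6          # RADIUS attribute number for Service-Type
SERVICE_TYPE_OUTBOUND = 5      # RFC 2865 value; "Outbound" in the ASA doc

# Illustrative labels for services governed by "aaa authentication ... console"
# on the ASA ("http" is the ASDM path), plus the remote-access VPN case.
# These are example names, not ASA keywords.
CONSOLE_SERVICES = {"telnet", "ssh", "http", "serial", "enable"}


def build_access_accept(identifier, service_type=None):
    """Construct a minimal Access-Accept (constructed test data).
    Header: Code(1) Identifier(1) Length(2) Authenticator(16), then TLVs."""
    attrs = b""
    if service_type is not None:
        # Type=6, Length=6, 4-byte big-endian integer value
        attrs += struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, service_type)
    length = 20 + len(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, length) + os.urandom(16)
    return header + attrs


def parse_attributes(packet):
    """Walk the attribute TLVs that follow the 20-byte RADIUS header.
    Returns (code, [(type, value_bytes), ...]) and raises ValueError on
    inconsistent length fields so a truncated reply is not silently accepted."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS Length field")
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def service_type_of(packet):
    """Return the Service-Type integer carried in an Access-Accept, or None
    when the server sent no such attribute (the thread's default case)."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return None
    for atype, value in attrs:
        if atype == ATTR_SERVICE_TYPE and len(value) == 4:
            return struct.unpack("!I", value)[0]
    return None


def management_allowed(service_type, service):
    """Apply the rule quoted from the ASA guide: Service-Type 5 (Outbound)
    denies every aaa authentication console service except serial, while
    remote-access VPN still authenticates. Other values, or no attribute at
    all, are left unrestricted here (assumption matching the question's
    description of the default policy)."""
    if service not in CONSOLE_SERVICES | {"vpn"}:
        raise ValueError("unknown service: %s" % service)
    if service_type == SERVICE_TYPE_OUTBOUND:
        return service in ("serial", "vpn")
    return True


def evaluate(packet, service):
    """Convenience wrapper: decide for one Access-Accept and one service."""
    return management_allowed(service_type_of(packet), service)


if __name__ == "__main__":
    vpn_only = build_access_accept(1, SERVICE_TYPE_OUTBOUND)
    default = build_access_accept(2)
    for name, pkt in (("Outbound", vpn_only), ("no attribute", default)):
        for svc in ("vpn", "ssh", "http", "serial"):
            verdict = "allow" if evaluate(pkt, svc) else "deny"
            print("%-13s %-7s -> %s" % (name, svc, verdict))
```

Running the script prints the two policies side by side: with Service-Type 5 returned, only "vpn" and "serial" are allowed, while with no attribute every service is allowed, which is the behaviour the question complains about. The same parser can be pointed at a real Access-Accept captured on the ASA's RADIUS port to confirm that ACS is actually sending the attribute.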
