Cisco Support Community
New Member

local username database, restrict user access to cli

Hello,

I am interested in whether it is possible to restrict CLI access for users from the local database; they should be working only for EasyVPN.

Is it possible to do this without an external DB?

  • AAA Identity and NAC
7 REPLIES
Cisco Employee


Could you elaborate your question?

What device are we using for authenticating users like version, model, platform?

Which CLI access are you referring to here... CLI access to your switches/routers/firewalls?

Regards,

Jatin

~BR Jatin Katyal **Do rate helpful posts**
New Member


Hello Jatin,

I am using a 3945E router as an Easy VPN Server, with IOS 15.1. On the router I have a bunch of usernames for VPN authentication, and I want to restrict router management access for them (SSH, Telnet, HTTP and so on).

Cisco Employee

You can set up local command authorization for the same.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml

Regards,

Jatin

~BR Jatin Katyal **Do rate helpful posts**
New Member

How can I use these commands?

New Member


Hello,

Earlier I saw one example where it was done with an aaa attribute list, and it was working, but on the 3945E it is not working.

Here is the example:

aaa new-model
!
aaa authentication login ezvpn_users local
aaa authorization network ezvpn_users local
!
aaa attribute list ezvpn_users
 attribute type service-type noopt service shell mandatory
!
username user1 password 0 superpasword
username user1 aaa attribute list ezvpn_users
!

Do you have some information about it?

New Member

Try

"aaa authorization exec default local"

New Member

I think there is an easy way:

define the user with privilege 0.

That should do.

Users can still log in, but they can't access/manage the router.
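
An added example, not from any poster in this thread: a small Python check that reads a saved IOS configuration and reports, for each local username, which of the restrictions suggested in the replies it carries (the no-shell attribute list or privilege 0), and whether an `aaa authorization exec` line is present. The sample configuration, the `audit` function and the finding labels are constructed for illustration; the script reports what the configuration contains, not what the router enforces.

```python
import re

# Constructed sample configuration (not taken from the thread's router).
SAMPLE_CONFIG = """\
aaa new-model
aaa authorization exec default local
!
aaa attribute list ezvpn_users
 attribute type service-type noopt service shell mandatory
!
username admin privilege 15 secret 0 examplepass
username user1 password 0 examplepass
username user1 aaa attribute list ezvpn_users
username user2 privilege 0 password 0 examplepass
username user3 password 0 examplepass
"""

def audit(config):
    """Return (exec_authz_present, {username: finding}) for local users."""
    lines = config.splitlines()
    exec_authz = any(l.startswith("aaa authorization exec ") for l in lines)
    no_shell, current, users = set(), None, {}
    for line in lines:
        m = re.match(r"aaa attribute list (\S+)", line)
        if m:
            current = m.group(1)          # entering an attribute-list block
            continue
        if current and line.startswith(" "):
            # Indented sub-command of the current attribute list.
            if "service-type noopt service shell" in line:
                no_shell.add(current)
            continue
        current = None                    # any other line ends the block
        m = re.match(r"username (\S+) (.*)", line)
        if not m:
            continue
        u = users.setdefault(m.group(1), {"list": None, "priv": None})
        bound = re.match(r"aaa attribute list (\S+)", m.group(2))
        priv = re.match(r"privilege (\d+)", m.group(2))
        if bound:
            u["list"] = bound.group(1)
        if priv:
            u["priv"] = int(priv.group(1))
    return exec_authz, {
        name: ("no-shell attribute list" if u["list"] in no_shell
               else "privilege 0" if u["priv"] == 0
               else "no restriction found")
        for name, u in users.items()}
```

Accounts reported as "no restriction found" are the ones to review if they are meant to be VPN-only.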
