
local username database, restrict user access to cli

ngtransge
Level 1

Hello,

I am interested in whether it is possible to restrict CLI access for users from the local database; they should be working only for EasyVPN?

Is it possible to do this without an external db?

7 Replies

Jatin Katyal
Cisco Employee

Could you elaborate your question?

What device are we using for authenticating users like version, model, platform?

Which CLI access are you referring to here... CLI access to your switches/routers/firewalls?

Regards,

Jatin

~Jatin

Hello Jatin,

I am using a 3945E router as Easy VPN Server, with 15.1 IOS. On the router I have a bunch of usernames for VPN authentication; I want to restrict router management access for them (ssh, telnet, http and so on).

You can set up local command authorization for the same.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml

Regards,

Jatin

Do rate helpful posts-

~Jatin

How can I use these commands?

Hello,

Earlier I saw one example where it was done with aaa attribute list, and it was working, but on 3945E it is not working.

Here is an example:

aaa new-model
!
aaa authentication login ezvpn_users local
aaa authorization network ezvpn_users local
!
aaa attribute list ezvpn_users
 attribute type service-type noopt service shell mandatory
!
username user1 password 0 superpasword
username user1 aaa attribute list ezvpn_users
!

Do you have some information about it?

Try

"aaa authorization exec default local"

I think there is an easy way.

Define the user with privilege 0.

That should do.

Users can still log in but they can't access/manage the router.
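
An added example, not part of any post in this thread and not Cisco code: a Python audit of a saved running-config that lists local usernames carrying neither of the per-user restrictions proposed above (the `aaa attribute list` with the `service-type noopt` line, or `privilege 0`) and reports whether an `aaa authorization exec` line is present. The sample config is constructed from the posted snippet, `user2` and `vpnonly` are hypothetical, and the script only checks that the lines exist, not how a given IOS release enforces them.

```python
import re

# Constructed sample based on the thread's snippet; user2 and vpnonly are hypothetical.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login ezvpn_users local
aaa authorization network ezvpn_users local
aaa authorization exec default local
aaa attribute list ezvpn_users
 attribute type service-type noopt service shell mandatory
username user1 password 0 superpasword
username user1 aaa attribute list ezvpn_users
username user2 password 0 otherpasword
username vpnonly privilege 0 password 0 thirdpasword
"""
NOOPT = re.compile(r"attribute type service-type noopt service shell\b")

def shell_attribute_lists(config):
    """Names of 'aaa attribute list' blocks that contain the noopt line."""
    found, current = set(), None
    for raw in config.splitlines():
        m = re.match(r"aaa attribute list (\S+)\s*$", raw)
        if m or not raw.startswith(" "):
            current = m.group(1) if m else None  # block starts or ends here
        elif current and NOOPT.match(raw.strip()):
            found.add(current)
    return found

def audit(config):
    """Return (exec_authorization_present, {username: sorted controls})."""
    lists = shell_attribute_lists(config)
    exec_authz = bool(re.search(r"^aaa authorization exec \S+", config, re.M))
    users = {}
    for m in re.finditer(r"^username (\S+) (.+)$", config, re.M):
        name, rest = m.groups()
        controls = users.setdefault(name, set())  # one user may span several lines
        a = re.match(r"aaa attribute list (\S+)", rest)
        if a and a.group(1) in lists:
            controls.add("attribute-list")
        if re.search(r"\bprivilege 0\b", rest):
            controls.add("privilege-0")
    return exec_authz, {u: sorted(c) for u, c in users.items()}

def unrestricted(config):
    """Usernames that have none of the per-user restrictions from the thread."""
    return sorted(u for u, c in audit(config)[1].items() if not c)

if __name__ == "__main__":
    print("aaa authorization exec configured:", audit(SAMPLE_CONFIG)[0])
    print("no per-user CLI restriction:", unrestricted(SAMPLE_CONFIG))
```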
