PIX 6.3 allow VPN login but not SSH

jheckart
Level 3

I am in the midst of implementing easy vpn for remote access on PIX 6.3(5) with local authentication. How can I utilize the local database for both CLI authentication and VPN auth while preventing VPN users from having the capability of logging into the PIX?

I've looked at privilege levels, but haven't found a way to prevent login.

Thanks,

Jeff

8 Replies

5220
Level 4

Hi Jeff,

The answer is simple: limit the SSH/Telnet allowed networks to the LAN network only, and do not include the VPN pool, i.e.:

ssh 192.168.9.0 255.255.255.0 inside

And have the VPN pool as 192.168.10.x.

They will be allowed to connect.

However, I strongly recommend that you use a RADIUS/TACACS server for the remote VPN.

Please rate if this helped.

Regards,

Daniel

Daniel,

I thought of that, but the problem is that the users who will utilize the VPNs are part of the IT staff and will be on the inside of the network on the management segment. I need to control this with privileges or AAA. Is there any other way to do this?

Thanks.

sstone
Level 1

I have a very similar issue in a slightly different scenario. I have an ASA 5510 running 7.2(2) that is configured for TACACS+ authentication. This works fine, but the backend server (Cisco Secure ACS) authenticates any user in the ACS database and allows them to log in to my ASA. I want to use this backend server (via RADIUS) to authenticate WebVPN users, but prevent the same users from getting an EXEC prompt (via TACACS+).

It seems we should be able to restrict this type of access at the user-level, not just source IP filtering.

Hi,

Use the following command:

aaa authentication ssh console LOCAL

This means SSH access will be checked against the local usernames, not against RADIUS.

Please rate if this helped.

Regards,

Daniel

I *want* SSH to use TACACS+ for authentication, I just don't want all my RADIUS users to be TACACS+ users.

OK, then create two server groups: WebVPN will be authenticated against one, and the admins against the other. Note that in this scenario a remote user can still authenticate to the device if they are an admin (first with the VPN credentials, then with the login ones). At least for VPN Client remote access, this works.

The following document is a good start:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807349e7.shtml

Please rate if this helps.

Regards,

Daniel

To prevent users from accessing the shell while at the same time allowing them VPN access to the same device:

The device would have two entries in the Network Configuration of ACS. One would be set to Authenticate Using RADIUS and the other would be set to Authenticate Using TACACS+.

For the group which needs VPN access but not shell access, apply a Network Access Restriction (NAR) and deny access to the device entry which is set to Authenticate Using TACACS+.

So the users will be able to log in to the VPN using RADIUS, but not to the shell, since it uses TACACS+ in our case.

Regards,

Vivek
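The split described in the two replies above (Daniel's two server groups on the ASA, Vivek's two AAA-client entries plus a NAR on ACS), written out as an added ASA 7.2 configuration example. It is not configuration posted in this thread; the group names, the 192.0.2.10 ACS address, the shared secrets and the tunnel-group name are placeholders, and the group-policy and WebVPN portal settings are assumed to be configured already.

```cisco
! Added example, not from the thread. ASA 7.2 syntax; addresses, group
! names and shared secrets are placeholders chosen for this example.
!
! Group 1: TACACS+ on ACS, used only for device administration.
aaa-server ADMIN-TACACS protocol tacacs+
aaa-server ADMIN-TACACS (inside) host 192.0.2.10
 key TacacsSecretPlaceholder
!
! Group 2: RADIUS on the same ACS, used only for WebVPN users.
! On ACS the ASA is entered twice under Network Configuration, once as a
! TACACS+ client and once as a RADIUS client; the VPN-only user group gets
! a NAR that denies the TACACS+ entry, so its members can never pass the
! ADMIN-TACACS group below even though the ACS user database is shared.
aaa-server VPN-RADIUS protocol radius
aaa-server VPN-RADIUS (inside) host 192.0.2.10
 key RadiusSecretPlaceholder
!
! Management logins go to the TACACS+ group only. LOCAL is a fallback that
! is consulted only when every server in the group is unreachable.
aaa authentication ssh console ADMIN-TACACS LOCAL
aaa authentication enable console ADMIN-TACACS LOCAL
aaa authentication http console ADMIN-TACACS LOCAL
!
! WebVPN sessions authenticate against the RADIUS group only.
webvpn
 enable outside
tunnel-group VPN-USERS type webvpn
tunnel-group VPN-USERS general-attributes
 authentication-server-group VPN-RADIUS
!
! Belt and braces: limit where SSH may even be attempted from, so a VPN
! user who somehow also has a TACACS+ account still has to be on the
! management segment to reach the CLI.
ssh 192.168.9.0 255.255.255.0 inside
ssh timeout 10
!
! Local admin that the LOCAL fallback above uses when ACS is down.
username breakglass password BreakGlassPlaceholder privilege 15
```

The point of the NAR is that the ASA itself cannot tell a "VPN-only" ACS user from an admin once both live in the same ACS database; the decision has to be made on the ACS side per protocol, which is why the device needs two AAA-client entries rather than one. Check it by attempting an SSH login with a VPN-only account: ACS should log a failed TACACS+ authentication for that user while the same credentials still pass the WebVPN login.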

maraz
Level 1

Hello, Jeff!

You are on the right track. First you have to set the privilege level and then you have to use the following command:

aaa authorization command LOCAL

That is, if your users are local on the PIX.

Check the following for more details:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800949d6.shtml
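The local-database approach from this reply (privilege levels plus local command authorization), together with the Easy VPN server side from Jeff's original question, as an added PIX 6.3 configuration example. It is not configuration posted in this thread; usernames, passwords, the pool and the crypto map name are placeholders, and the ISAKMP policy, transform set and the rest of the crypto map are assumed to exist already.

```cisco
! Added example, not from the thread. PIX 6.3 syntax with everything in the
! local database; usernames, addresses and passwords are placeholders, and
! the ISAKMP/IPsec transform set and crypto map are assumed to exist.
!
! Local users: admins at level 15, VPN-only IT staff at level 0.
username jeff password AdminPwPlaceholder privilege 15
username vpnuser1 password VpnPwPlaceholder privilege 0
!
! Easy VPN server: XAUTH checks the same local database.
ip local pool VPNPOOL 192.168.10.1-192.168.10.100
vpngroup ITSTAFF address-pool VPNPOOL
vpngroup ITSTAFF password GroupKeyPlaceholder
crypto map OUTSIDE-MAP client configuration address respond
crypto map OUTSIDE-MAP client authentication LOCAL
!
! CLI logins and enable use the same local database ...
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
! ... and every command is authorized against the user's privilege level.
aaa authorization command LOCAL
!
! Move the commands a VPN-only user must not run above level 0. Commands
! not listed here keep their default level.
privilege show level 15 command running-config
privilege configure level 15 command username
privilege configure level 15 command aaa
!
! Still limit where SSH may come from. Command authorization narrows what
! a level-0 user can do after login; it does not stop the login itself.
ssh 192.168.9.0 255.255.255.0 inside
ssh timeout 5
```

The caveat to keep in mind is the last comment in the block: with a single local database the VPN user can still open an SSH session and land at a level-0 prompt, so the real control is the set of commands left at level 0 (check with `show curpriv` as that user) plus the `ssh` source restriction. If, as in Jeff's case, the VPN users sit on the management segment anyway, then the level-0 command set is the only thing standing between them and the configuration, and it is worth reviewing `show privilege` output after the changes to confirm nothing sensitive remains at level 0.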
