01-08-2007 08:52 AM - edited 03-10-2019 02:54 PM
I am in the midst of implementing easy vpn for remote access on PIX 6.3(5) with local authentication. How can I utilize the local database for both CLI authentication and VPN auth while preventing VPN users from having the capability of logging into the PIX?
I've looked at privilege levels, but haven't found a way to prevent login.
Thanks,
Jeff
01-08-2007 09:03 AM
Hi Jeff,
The answer is simple: limit the ssh/telnet allowed networks only to the LAN network, and do not include the VPN pool, i.e.:
ssh 192.168.9.x 255.255.255.255 inside
And have the vpn pool as 192.168.10.x.
They will be allowed to connect.
However, I strongly recommend you to use a RADIUS/TACACS server for the remote VPN.
Please rate if this helped.
Regards,
Daniel
01-09-2007 11:14 AM
Daniel,
I thought of that, but the problem is that the users that will utilize the VPN's are part of the IT staff, and will be on the inside of the network on the mgmt segment. I need to control this with privileges or aaa. Any other way to do this?
Thanks.
01-08-2007 01:32 PM
I have a very similar issue in a slightly different scenario - I have an ASA 5510 running 7.2(2) that is configured for TACACS+ authentication. This works fine, but the backend server (Cisco SecureACS) authenticates any user in the ACS database and allows them to login to my ASA. I want to use this backend server (via RADIUS) to authenticate WebVPN users, but prevent the same users from getting an EXEC prompt (via TACACS+).
It seems we should be able to restrict this type of access at the user-level, not just source IP filtering.
01-08-2007 11:03 PM
Hi,
Use the following command:
aaa authentication ssh console LOCAL
This will mean the ssh access will be checked on the local usernames, and not with RADIUS.
Please rate if this helped.
Regards,
Daniel
01-09-2007 07:49 AM
I *want* SSH to use TACACS+ for authentication, I just don't want all my RADIUS users to be TACACS+ users.
01-09-2007 12:19 PM
OK, then create two server groups; WebVPN will be authenticated on one, and the admins on the other. Note that in this scenario, a remote user can authenticate on the machine if it is an admin (first the VPN credentials, then the login one). At least for VPN Client remote access it works.
The following document is a good start:
Please rate if this helps.
Regards,
Daniel
01-09-2007 02:28 PM
To prevent users from accessing the shell and at the same time allow them VPN access into the same device:
The device would have two entries in the Network Configuration of ACS. One would be set to Authenticate Using Radius and another would be set to Authenticate using Tacacs+.
For the group which needs VPN access and not shell access apply a Network Access Restriction (NAR) and deny access to the device entry which is set to Authenticate using Tacacs.
So the users will be able to log in to VPN using RADIUS but not to the shell, since it uses TACACS in our case.
Regards,
Vivek
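Putting Daniel's two-server-group suggestion and Vivek's ACS split together on the ASA side, here is an added configuration fragment (not from any post in this thread) for an ASA running 7.2. The group names, the interface name, the ACS address 192.0.2.10 and the placeholder secrets are all constructed; the ACS-side NAR that Vivek describes is configured in the ACS GUI and is not shown.

```cisco
! Added example, not from the thread. Names, addresses and secrets are constructed placeholders.
! Two AAA server groups pointing at the same ACS box: TACACS+ for device
! administration, RADIUS for WebVPN users. ACS sees two different protocols,
! so Vivek's Network Access Restriction can deny the VPN-only group on the
! TACACS+ side without touching RADIUS.
aaa-server ADMIN-TACACS protocol tacacs+
aaa-server ADMIN-TACACS (inside) host 192.0.2.10
 key <tacacs-shared-secret>
aaa-server VPN-RADIUS protocol radius
aaa-server VPN-RADIUS (inside) host 192.0.2.10
 key <radius-shared-secret>
!
! Management access (SSH, ASDM, enable) authenticates through TACACS+ only;
! LOCAL is the fallback for when the ACS server is unreachable.
aaa authentication ssh console ADMIN-TACACS LOCAL
aaa authentication http console ADMIN-TACACS LOCAL
aaa authentication enable console ADMIN-TACACS LOCAL
!
! WebVPN users authenticate through the RADIUS group and never touch the
! TACACS+ group.
tunnel-group WEBVPN-USERS type webvpn
tunnel-group WEBVPN-USERS general-attributes
 authentication-server-group VPN-RADIUS
!
! Keep the LOCAL fallback limited to real administrators.
username admin password <admin-password> privilege 15
```

Two things to check after applying this: `test aaa-server authentication ADMIN-TACACS username <vpn-only-user> password <pw>` should now fail for a VPN-only account once the NAR is in place on ACS, while the same test against `VPN-RADIUS` succeeds; and, as Daniel notes, an account that is a member of both groups can still SSH in after connecting over the VPN, so the separation is only as clean as the group membership on ACS.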
01-22-2007 01:25 AM
Hello, Jeff!
You are on the right track. First you have to set the privilege level and then you have to use the following command:
aaa authorization command LOCAL
That is, if your users are local on the PIX.
Check the following for more details:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800949d6.shtml
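For the original PIX 6.3(5) case with local authentication, here is an added configuration fragment (not from the thread or the linked tech note) showing how privilege levels and `aaa authorization command LOCAL` fit together with Easy VPN on the same local database. Usernames, the address pool, the map and group names and the placeholder passwords are constructed; the rest of the IPsec setup (isakmp policy, transform set, dynamic map, binding the crypto map to the interface) is omitted.

```cisco
! Added example, not from the thread. Names, addresses and passwords are constructed placeholders.
! One local database serves both SSH/enable and Easy VPN client authentication;
! the privilege level on each account, enforced by command authorization,
! decides what that account can do once it has a prompt.
username jeff password <admin-password> privilege 15
username vpnuser1 password <user-password> privilege 0
!
! Management login and enable both use the local database. With enable on
! LOCAL, a user enters their own password and is raised only to the
! privilege level assigned on their username line.
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
! Enforce per-command privilege levels for local users.
aaa authorization command LOCAL
!
! Easy VPN remote-access clients authenticate against the same LOCAL database.
ip local pool VPNPOOL 192.168.10.1-192.168.10.50
vpngroup VPNUSERS address-pool VPNPOOL
vpngroup VPNUSERS password <group-preshared-key>
crypto map OUTSIDE_MAP client authentication LOCAL
```

The caveat to keep in mind: this does not refuse the SSH session itself. A privilege-0 VPN user who connects with SSH still reaches the `>` prompt; what command authorization gives them is only the commands mapped to level 0 (`show curpriv` after logging in as that user confirms the level actually granted). Any command you have moved to a higher level with `privilege ... level` is rejected for that account.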