I am in the midst of implementing Easy VPN for remote access on PIX 6.3(5) with local authentication. How can I utilize the local database for both CLI authentication and VPN auth while preventing VPN users from having the capability of logging into the PIX?
I've looked at privilege levels, but haven't found a way to prevent login.
I thought of that, but the problem is that the users that will utilize the VPNs are part of the IT staff, and will be on the inside of the network on the mgmt segment. I need to control this with privileges or AAA. Any other way to do this?
I have a very similar issue in a slightly different scenario - I have an ASA 5510 running 7.2(2) that is configured for TACACS+ authentication. This works fine, but the backend server (Cisco SecureACS) authenticates any user in the ACS database and allows them to log in to my ASA. I want to use this backend server (via RADIUS) to authenticate WebVPN users, but prevent the same users from getting an EXEC prompt (via TACACS+).
It seems we should be able to restrict this type of access at the user-level, not just source IP filtering.
OK, then create two server groups: WebVPN will be authenticated on one, and the admins on the other. Note that in this scenario, a remote user can authenticate on the machine if they are an admin (first the VPN credentials, then the login one). At least for VPN Client remote access, it works.
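As an added example (not part of any post in this thread, and not Cisco code): a small Python check that reads an ASA-style configuration and reports any authentication source used for both management login and VPN login, which is the overlap discussed above. The two sample configurations and the group names (ACS_TACACS, ADMIN_TACACS, VPN_RADIUS, WEBVPN_USERS) are constructed for illustration.

```python
import re

# Constructed sample configs (not from the thread); all group names are hypothetical.
SAMPLE_SHARED = """\
aaa-server ACS_TACACS protocol tacacs+
aaa authentication ssh console ACS_TACACS LOCAL
aaa authentication http console ACS_TACACS LOCAL
tunnel-group WEBVPN_USERS type webvpn
tunnel-group WEBVPN_USERS general-attributes
 authentication-server-group LOCAL
"""
SAMPLE_SPLIT = """\
aaa-server ADMIN_TACACS protocol tacacs+
aaa-server VPN_RADIUS protocol radius
aaa authentication ssh console ADMIN_TACACS
tunnel-group WEBVPN_USERS type webvpn
tunnel-group WEBVPN_USERS general-attributes
 authentication-server-group (inside) VPN_RADIUS
"""

CONSOLE_RE = re.compile(r"^aaa authentication (\S+) console (.+)$")
TUNNEL_RE = re.compile(r"^tunnel-group (\S+) general-attributes$")
VPN_AUTH_RE = re.compile(r"^\s+authentication-server-group (.+)$")

def _sources(text):
    # Drop an optional "(interface)" token, keep server-group names and LOCAL.
    return [tok for tok in text.split() if not tok.startswith("(")]

def shared_auth_sources(config):
    """Map each source used for BOTH console login and VPN login to
    (console services, tunnel groups) that reference it."""
    console, vpn, current = {}, {}, None
    for line in config.splitlines():
        if m := CONSOLE_RE.match(line):
            for src in _sources(m.group(2)):
                console.setdefault(src, set()).add(m.group(1))
        elif m := TUNNEL_RE.match(line):
            current = m.group(1)          # entering a tunnel-group sub-mode
        elif (m := VPN_AUTH_RE.match(line)) and current:
            for src in _sources(m.group(1)):
                vpn.setdefault(src, set()).add(current)
        elif not line.startswith(" "):
            current = None                # any other top-level line ends the sub-mode
    return {s: (sorted(console[s]), sorted(vpn[s]))
            for s in console.keys() & vpn.keys()}

if __name__ == "__main__":
    print(shared_auth_sources(SAMPLE_SHARED))
    print(shared_auth_sources(SAMPLE_SPLIT))
```

The check compares source names on the device only; whether two differently named groups point at the same backend user database cannot be seen from the device configuration.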
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: