Cisco Support Community

New Member

Configure usernames on ASA for VPN but prohibit CLI access

I create a username on the ASA for the purpose of providing VPN access...

username vpnuser1 password <removed> encrypted privilege 0
username vpnuser1 attributes
 vpn-group-policy remoteaccess
 vpn-tunnel-protocol IPSec
 group-lock value remoteaccess

Note that in the above, "remoteaccess" is the name of the VPN group policy.

It works fine and the user can VPN. The problem is that the username ALSO works for logging in to the CLI, which I do not want. How can this be fixed?

7 REPLIES
New Member

Re: Configure usernames on ASA for VPN but prohibit CLI access

I am interested to find this out also. telnet/ssh access is restricted to a specific IP, but this doesn't stop a user from logging in from the console.

Re: Configure usernames on ASA for VPN but prohibit CLI access

You can set the attributes of the user to be a remote access client only.

ciscoasa(config)#username matthewp password p@ssw0rd
ciscoasa(config)#username matthewp attributes
ciscoasa(config-username)#service-type remote-access
!--- Assign user remote access only. No SSH, Telnet, ASDM access allowed.
ciscoasa(config-username)#write memory

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml

Hope that helps.

New Member

Re: Configure usernames on ASA for VPN but prohibit CLI access

Thanks. That's the answer I was looking for.

New Member

Re: Configure usernames on ASA for VPN but prohibit CLI access

Unfortunately this does not appear to work.

I can still access the ASA via SSH/ASDM from the inside, using an account I created for VPN.

I want all users to be able to use remote VPN, but I also want only some of those users to be able to access the ASDM from the inside LAN (DHCP).

The only choice I'm left with is assigning static IPs to certain users, and locking down the management access per IP. Just not ideal for my situation.

I'm using aaa local.

New Member

Re: Configure usernames on ASA for VPN but prohibit CLI access

Actually it does work. I had just neglected to add

aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
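The two fixes in this thread only work together: `service-type remote-access` on the username, and `aaa authentication <path> console LOCAL` on every management path you want it enforced on. The following audit script is an added example, not code from the thread or from Cisco. It parses a constructed ASA running-config (modelled on the snippets above), assumes the ASA defaults that an account without `service-type` is treated as `admin` and an account without `privilege` gets level 2, and reports every local account that would still be accepted on SSH/Telnet/ASDM/serial, plus the paths where no LOCAL authentication is configured and the per-user service-type is therefore not consulted at all.

```python
"""Audit an ASA running-config for local accounts that can reach management.

Added example (not from the thread). Assumptions, stated in comments:
- a username with no `service-type` line defaults to service-type admin;
- a username with no `privilege` keyword defaults to privilege 2;
- the per-user service-type is only enforced on a management path whose
  `aaa authentication <path> console LOCAL` line is present.
"""
import re

# Constructed sample config, modelled on the snippets posted in the thread.
SAMPLE_CONFIG = """\
hostname ciscoasa
username vpnuser1 password <removed> encrypted privilege 0
username vpnuser1 attributes
 vpn-group-policy remoteaccess
 vpn-tunnel-protocol IPSec
 group-lock value remoteaccess
username matthewp password <removed> encrypted
username matthewp attributes
 service-type remote-access
username netadmin password <removed> encrypted privilege 15
username netadmin attributes
 service-type admin
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
"""

# Management paths the thread is concerned with (http = ASDM).
MGMT_PATHS = ("ssh", "telnet", "http", "serial")


def _new_user():
    # ASA defaults assumed: service-type admin, privilege 2.
    return {"service_type": "admin", "privilege": 2}


def parse_config(text):
    """Return (users, local_paths).

    users: {name: {"service_type": ..., "privilege": ...}}
    local_paths: set of paths with `aaa authentication <path> console LOCAL`.
    """
    users, local_paths, current = {}, set(), None
    for raw in text.splitlines():
        if raw.startswith(" "):
            # Indented line: belongs to the open `username ... attributes` block.
            if current is not None:
                m = re.match(r"service-type (\S+)$", raw.strip())
                if m:
                    current["service_type"] = m.group(1)
            continue
        current = None  # any top-level command closes the attributes block
        line = raw.strip()
        m = re.match(r"^username (\S+) password \S+", line)
        if m:
            rec = users.setdefault(m.group(1), _new_user())
            pm = re.search(r"\bprivilege (\d+)\b", line)
            if pm:
                rec["privilege"] = int(pm.group(1))
            continue
        m = re.match(r"^username (\S+) attributes$", line)
        if m:
            current = users.setdefault(m.group(1), _new_user())
            continue
        m = re.match(r"^aaa authentication (\S+) console LOCAL\b", line)
        if m:
            local_paths.add(m.group(1))
    return users, local_paths


def audit(users, local_paths, paths=MGMT_PATHS):
    """Return (findings, unenforced).

    findings: (username, path, reason) for each local account that a
              LOCAL-authenticated management path would accept.
    unenforced: paths with no LOCAL aaa line, where service-type is moot.
    """
    findings = []
    for name, rec in sorted(users.items()):
        if rec["service_type"] == "remote-access":
            continue  # VPN-only account: rejected on every management path
        for path in paths:
            if path in local_paths:
                reason = "service-type %s, privilege %d" % (
                    rec["service_type"], rec["privilege"])
                findings.append((name, path, reason))
    unenforced = [p for p in paths if p not in local_paths]
    return findings, unenforced


if __name__ == "__main__":
    users, local_paths = parse_config(SAMPLE_CONFIG)
    findings, unenforced = audit(users, local_paths)
    for name, path, reason in findings:
        print("MGMT ACCESS  %-10s via %-6s (%s)" % (name, path, reason))
    for path in unenforced:
        print("NOT ENFORCED %-6s has no 'aaa authentication %s console LOCAL'"
              % (path, path))
```

On the sample config the script flags `vpnuser1` (the original poster's account, which has VPN attributes but no `service-type`) and `netadmin` on SSH and ASDM, leaves `matthewp` alone, and points out that Telnet and serial are not bound to LOCAL, which is the gap the last reply closed.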

New Member

Re: Configure usernames on ASA for VPN but prohibit CLI access

By CLI, do you mean SSH/Telnet or console?

Have you enabled AAA on the Device?

New Member

Re: Configure usernames on ASA for VPN but prohibit CLI access

CLI = Command Line Interface (SSH, Telnet, console).

As opposed to the GUI = Graphical User Interface.
