Cisco Support Community
Community Member

Allow WebVPN without granting ASA/ASDM/CLI access

Is there a way to allow users WebVPN (SSL) access through the ASA (8.2.1) without allowing them to connect via ASDM, SSH, Telnet or CLI? I would like to prevent my VPN users from accessing the configuration of the firewall.

I see in ASDM that there's some wording about 'this is effective only if AAA authenticate console command is configured' but I don't understand what it's explaining.

Thanks in advance,

Greg

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Allow WebVPN without granting ASA/ASDM/CLI access

You can restrict local users with the following:

username attributes

service-type remote-access

You need the aaa authenticate console commands because when it's not defined you can come in as the default username (pix) or no username at all and the enable password (in the case of ASDM). If there is no username sent, then we obviously can't check for the "service-type" option in the username attributes. Here is some more information about the "aaa authenticate console" command:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1535834

-heather

2 REPLIES
Community Member

Re: Allow WebVPN without granting ASA/ASDM/CLI access

Based on your post, Heather, I ended up setting the privilege for my VPN users to 0. This allows them to connect to the WebVPN interface. It also allows them to connect to the ASA, but with extremely restrictive read-only rights.

I think the info you provided me would do exactly what I want, but my end solution is simpler and more straightforward to configure/maintain.

Thanks,

Greg
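The two approaches in this thread side by side, as an added ASA 8.2-style configuration example that is not from either post. The usernames, passwords and the inside network are placeholders I made up, and the `aaa authorization exec authentication-server` line is my addition (Heather does not mention it): as I recall the command reference, it is what makes the ASA act on a user's `service-type`, so verify it against the reference for your release before relying on it.

```cisco
! Added example, not part of the original thread. Names and passwords are
! placeholders (assumption), not values from the posts.
!
! 1. Make every management path authenticate against the LOCAL user
!    database. Without these lines ASDM accepts an empty username plus the
!    enable password, so there is no username whose attributes could be
!    checked (this is the "aaa authenticate console" wording ASDM refers to).
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
!
! 2. Turn on management authorization so the per-user service-type value is
!    enforced. Not mentioned in the thread; assumption, check your release.
aaa authorization exec authentication-server
!
! 3. VPN-only user (Heather's approach): WebVPN logins are accepted,
!    SSH/Telnet/ASDM/serial logins with this account are rejected.
username greg password S0meStr0ngP4ss
username greg attributes
 service-type remote-access
!
! 4. Administrator: explicitly allowed to manage the firewall.
username admin password An0therStr0ngP4ss privilege 15
username admin attributes
 service-type admin
!
! Alternative from Greg's last post: leave service-type alone and give the
! VPN user privilege 0. The user can still log in to the CLI and ASDM, but
! only sees the minimal read-only command set that privilege 0 allows.
! username greg password S0meStr0ngP4ss privilege 0
!
! Checks: "show run aaa" and "show run username" should list the lines
! above. Then try an SSH login as greg (expect it to be refused) and as
! admin (expect it to succeed), and confirm greg can still reach the WebVPN
! portal on the outside interface.
```

Whichever variant you pick, keep the `aaa authentication ... console LOCAL` lines: they are what closes the no-username path into ASDM, and they are what makes a privilege 0 or `service-type remote-access` setting meaningful at all.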
