https://community.cisco.com/t5/network-access-control/local-username-database-restrict-user-access-to-cli/m-p/1976799#M202133 <HTML><HEAD></HEAD><BODY><P>I think there is an easy way</P><P></P><P>define the user with privilege 0</P><P></P><P>That should do</P><P></P><P>Users can still login but they cant access/manage the router</P></BODY></HTML> Sat, 20 Oct 2012 14:09:03 GMT bejoybkn1 2012-10-20T14:09:03Z https://community.cisco.com/t5/network-access-control/local-username-database-restrict-user-access-to-cli/m-p/1976792#M202120 <P>Hello,</P><P></P><P></P><P>I am interesting if it is possible to restrict cli access to users from local database, they should be working only for EasyVPN ?</P><P>Is it possible to do this without exsternal db ?</P> Mon, 11 Mar 2019 02:14:05 GMT https://community.cisco.com/t5/network-access-control/local-username-database-restrict-user-access-to-cli/m-p/1976792#M202120 ngtransge 2019-03-11T02:14:05Z https://community.cisco.com/t5/network-access-control/local-username-database-restrict-user-access-to-cli/m-p/1976793#M202122 <HTML><HEAD></HEAD><BODY><P>Could you elaborate your question?</P><P></P><P>What device are we using for authenticating users like version, model, platform?</P><P>Which CLI access are you refering here...CLI access to your switches/routers/firewalls?</P><P></P><P>Regards,</P><P>Jatin</P></BODY></HTML> Mon, 25 Jun 2012 13:53:19 GMT https://community.cisco.com/t5/network-access-control/local-username-database-restrict-user-access-to-cli/m-p/1976793#M202122 Jatin Katyal 2012-06-25T13:53:19Z https://community.cisco.com/t5/network-access-control/local-username-database-restrict-user-access-to-cli/m-p/1976794#M202124 <HTML><HEAD></HEAD><BODY><P>Hello Jatin,</P><P></P><P></P><P>I am using 3945E Router as Easy VPN Server, with 15.1 IOS. On router I have bunch on usernames for VPN authentication, I want to restrict Router management access for them(ssh,telnet, http and so on). </P></BODY></HTML> Mon, 25 Jun 2012 16:21:55 GMT https://community.cisco.com/t5/network-access-control/local-username-database-restrict-user-access-to-cli/m-p/1976794#M202124 ngtransge 2012-06-25T16:21:55Z https://community.cisco.com/t5/network-access-control/local-username-database-restrict-user-access-to-cli/m-p/1976795#M202126 <HTML><HEAD></HEAD><BODY><P>You can setup local command authorization for the same.</P><P><A href="http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml" rel="nofollow">http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml</A></P><P></P><P></P><P>Regards,</P><P>Jatin</P><P></P><P></P><P>Do rate helpful posts-</P></BODY></HTML> Mon, 25 Jun 2012 20:09:47 GMT https://community.cisco.com/t5/network-access-control/local-username-database-restrict-user-access-to-cli/m-p/1976795#M202126 Jatin Katyal 2012-06-25T20:09:47Z https://community.cisco.com/t5/network-access-control/local-username-database-restrict-user-access-to-cli/m-p/1976796#M202128 <HTML><HEAD></HEAD><BODY><P>how can I use these command ?</P></BODY></HTML> Mon, 25 Jun 2012 21:19:00 GMT https://community.cisco.com/t5/network-access-control/local-username-database-restrict-user-access-to-cli/m-p/1976796#M202128 ngtransge 2012-06-25T21:19:00Z https://community.cisco.com/t5/network-access-control/local-username-database-restrict-user-access-to-cli/m-p/1976797#M202130 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P><SPAN style="background-color: #ffffff; font-family: Arial, verdana, sans-serif; font-size: 12px;">Early I saw one example when it was done with aaa atribute list, and it was working, but on 3945E it is not working.</SPAN></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">Here is example :</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">aaa new-model</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">!</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">aaa authentication login ezvpn_users local</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">aaa authorization network ezvpn_users local</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">!</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">aaa attribute list ezvpn_users</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">attribute type service-type noopt service shell mandatory</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">!</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">username user1 password 0 superpasword</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">username user1 aaa attribute list ezvpn_users</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">!</P><P></P><P> Do you have some&nbsp; information about it ?</P></BODY></HTML> Wed, 27 Jun 2012 07:09:01 GMT https://community.cisco.com/t5/network-access-control/local-username-database-restrict-user-access-to-cli/m-p/1976797#M202130 ngtransge 2012-06-27T07:09:01Z https://community.cisco.com/t5/network-access-control/local-username-database-restrict-user-access-to-cli/m-p/1976798#M202132 <HTML><HEAD></HEAD><BODY><P>try</P><P></P><P>"aaa authorization exec default local"</P></BODY></HTML> Fri, 19 Oct 2012 13:12:07 GMT https://community.cisco.com/t5/network-access-control/local-username-database-restrict-user-access-to-cli/m-p/1976798#M202132 Archil Sokhadze 2012-10-19T13:12:07Z https://community.cisco.com/t5/network-access-control/local-username-database-restrict-user-access-to-cli/m-p/1976799#M202133 <HTML><HEAD></HEAD><BODY><P>I think there is an easy way</P><P></P><P>define the user with privilege 0</P><P></P><P>That should do</P><P></P><P>Users can still login but they cant access/manage the router</P></BODY></HTML> Sat, 20 Oct 2012 14:09:03 GMT https://community.cisco.com/t5/network-access-control/local-username-database-restrict-user-access-to-cli/m-p/1976799#M202133 bejoybkn1 2012-10-20T14:09:03Z