topic Re: Using LOCAL AAA for VPN access ONLY in Network Access Control

Using LOCAL AAA for VPN access ONLY

majedalanni — Mon, 11 Mar 2019 00:45:30 GMT

Hi there,

I would need to know If I create a user in AAA LOCAL database, how would this user use only authentication in VPN IPsec Client, I don't want this user access management console of my Cisco ASA 5520?

I tried to gave it privilage 0 and 1, block ASDM only

using no CLI, telnet, SSH I got nothing he can access every thing

Sorry for my bad English!

Mike

Re: Using LOCAL AAA for VPN access ONLY

Jatin Katyal — Wed, 26 Jan 2011 15:53:54 GMT

Well, you must be using TACACS for ASA management purpose. I mean you should have two entried for ASA as a tacacs client and as a radius clinet.

Tacacs for management and radius for VPN, if not then set it up that way.

After that go to user setup and use IP-BASED-NAR with action as denied.

Hope this helps.

Rgds,

Jatin

Do rate helpful posts-

Re: Using LOCAL AAA for VPN access ONLY

majedalanni — Wed, 26 Jan 2011 16:18:16 GMT

Thanks,

Another question, can I run Tacacs or radius localy in my ASA or should I use external server?

Mike

Re: Using LOCAL AAA for VPN access ONLY

Jatin Katyal — Wed, 26 Jan 2011 16:25:31 GMT

Well, the answer is NO. ASA itself can't act as radius or tacacs.

The only thing you can implement AAA authentication for local users.

like;

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

aaa authentication enable console LOCAL

aaa authentication serial console LOCAL

Hope this helps,

Rgds

Jatin

Do rate helpful posts-

Re: Using LOCAL AAA for VPN access ONLY

m.kafka — Fri, 28 Jan 2011 04:25:44 GMT

Hi majedalanni,

I've run across a user-config for VPN-only users :

username xxxx attributes
service-type remote-access (ASA 8.3, this is what I've got running)

on older versions it could be:

username xxxx attributes
service-type vpn

Look for the documentation of "username attributes" for more details.

Hope that solves your challenge

Rgds, MiKa