https://community.cisco.com/t5/network-access-control/local-username-database/m-p/2778903#M41359 <P>Dear Friends,</P> <P>I'm struggling with an issue.</P> <P>I've set up an ssl vpn (Anyconnect) on a cisco 2811 router. Because of certain limitations I can't setup a radius or tacacs server.</P> <P>my VTY line authentication is aaa login local</P> <P>I have some questions:</P> <P>1- can I set up accounts on the local database that can't login to the router (just be able to use the VPN)</P> <P>2- can I create an aaa authentication list that contain just some of the local usernames not all of them so I can limit the logins</P> <P>3- can I assign an access-list to a specific username? (username **** access-class ) didn't work for me when the user connects the anyconnect client! (WebVPN ACL applies)</P> <P>Please help me I'm struggling!!!&nbsp;</P> Mon, 11 Mar 2019 06:19:26 GMT shahab.66 2019-03-11T06:19:26Z https://community.cisco.com/t5/network-access-control/local-username-database/m-p/2778903#M41359 <P>Dear Friends,</P> <P>I'm struggling with an issue.</P> <P>I've set up an ssl vpn (Anyconnect) on a cisco 2811 router. Because of certain limitations I can't setup a radius or tacacs server.</P> <P>my VTY line authentication is aaa login local</P> <P>I have some questions:</P> <P>1- can I set up accounts on the local database that can't login to the router (just be able to use the VPN)</P> <P>2- can I create an aaa authentication list that contain just some of the local usernames not all of them so I can limit the logins</P> <P>3- can I assign an access-list to a specific username? (username **** access-class ) didn't work for me when the user connects the anyconnect client! (WebVPN ACL applies)</P> <P>Please help me I'm struggling!!!&nbsp;</P> Mon, 11 Mar 2019 06:19:26 GMT https://community.cisco.com/t5/network-access-control/local-username-database/m-p/2778903#M41359 shahab.66 2019-03-11T06:19:26Z https://community.cisco.com/t5/network-access-control/local-username-database/m-p/2778904#M41360 <P>Hello,<BR />1. As far as I know you can only specify for VPN user privilege level 0 so user then can connect to router but will have only "enable" command and without enable password he can do nothing.</P> <P>I don´t know to answer on 2. and 3. question. But I think that you can have only one local database with usernames and also you cannot assign access list to username.</P> Tue, 15 Dec 2015 08:11:07 GMT https://community.cisco.com/t5/network-access-control/local-username-database/m-p/2778904#M41360 Milos Megis 2015-12-15T08:11:07Z https://community.cisco.com/t5/network-access-control/local-username-database/m-p/2778905#M41361 <P>Thanks for the help,</P> <P>I Finally did it, using aaa attribute lists I set policies to user groups and my problem is solved!</P> Sun, 20 Dec 2015 20:36:03 GMT https://community.cisco.com/t5/network-access-control/local-username-database/m-p/2778905#M41361 shahab.66 2015-12-20T20:36:03Z https://community.cisco.com/t5/network-access-control/local-username-database/m-p/2778906#M41362 <P>Can you give a code snippet, how do you have configured the aaa attribute list and the policies to user groups?</P> <P></P> <P>Thanks</P> Mon, 30 May 2016 22:04:50 GMT https://community.cisco.com/t5/network-access-control/local-username-database/m-p/2778906#M41362 Carsten Peukert 2016-05-30T22:04:50Z