https://community.cisco.com/t5/network-security/limit-asa-login-access-with-local-aaa-database/m-p/3043809#M145340 <P>Be aware that you have to add aaa&nbsp;authorization even if you use attribute "remote-access" - otherwise ssh and ASDM logins are still working.</P> <P></P> <P>deny SSH</P> <P><STRONG><SPAN style="color: #1f497d;">aaa authorization exec LOCAL</SPAN></STRONG></P> <P><STRONG><SPAN style="color: #1f497d;"></SPAN></STRONG></P> <P>deny ASDM (new since ASA 9.4)</P> <P><SPAN style="font-size: 14pt;"><STRONG><SPAN style="font-family: 'Calibri',sans-serif; color: #1f497d;">aaa authorization http console LOCAL</SPAN></STRONG></SPAN></P> <P></P> Wed, 05 Apr 2017 20:01:03 GMT Anton Hinterleitner 2017-04-05T20:01:03Z https://community.cisco.com/t5/network-security/limit-asa-login-access-with-local-aaa-database/m-p/3043807#M145335 <P>I'm wanting to limit login access to my ASA5515 by changing the priv level for LOCAL user accts</P> <P>Quoting Cisco:<BR />If you do not use command authorization (the aaa authorization console LOCAL command), then the<BR />default level 2 allows management access to privileged EXEC mode. If you want to limit access to<BR />privileged EXEC mode, either set the privilege level to 0 or 1, or use the service-type command.</P> <P>So I add a user to LOCAL database<BR />username MyUser password cisco privilege 0</P> <P>And I have AAA&nbsp;to LOCAL<BR />aaa authentication ssh console LOCAL<BR />aaa authentication http console LOCAL<BR />aaa authentication serial console LOCAL</P> <P>When I SSH to ASA I can login as MyUser<BR />Granted MyUser still has to know enable password, but why wasn't MyUser denied login?</P> <P>ASA5515 v9.4(3)12</P> <P>What did I miss in this?</P> <P>Thanks</P> Tue, 12 Mar 2019 09:08:57 GMT https://community.cisco.com/t5/network-security/limit-asa-login-access-with-local-aaa-database/m-p/3043807#M145335 Phil Williamson 2019-03-12T09:08:57Z https://community.cisco.com/t5/network-security/limit-asa-login-access-with-local-aaa-database/m-p/3043808#M145338 <P>Privilege level 0 and 1 only limits access - it does not deny it.</P> <P>If you want to more completely restrict access (say for VPN users), the use the username attribute "remote-access".</P> <P>Source:</P> <P>http://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/admin-management.html#ID-2111-0000046a</P> <P>To look at it another way, here is a slightly different explanation than the one you cite, taken from the book "AAA Identity Management Security" (Cisco Press, 2010):</P> <BLOCKQUOTE> <P class="docText">Similar to Cisco IOS, ASA also provides 16 levels of access called <SPAN class="docEmphasis">privilege levels</SPAN><A name="the device"></A>. By default, the following three levels are defined on the device:</P> <UL> <LI> <P class="docText"><SPAN class="docEmphStrong">privilege level 0:</SPAN> Includes the <SPAN class="docEmphStrong">show checksum</SPAN>, <SPAN class="docEmphStrong">show curpriv</SPAN>, <SPAN class="docEmphStrong">enable</SPAN>, <SPAN class="docEmphStrong">help</SPAN>, <SPAN class="docEmphStrong">show history</SPAN>, <SPAN class="docEmphStrong">login</SPAN>, <SPAN class="docEmphStrong">logout</SPAN>, <SPAN class="docEmphStrong">page</SPAN>, <SPAN class="docEmphStrong">show pager</SPAN>, <SPAN class="docEmphStrong">clear pager</SPAN>, <SPAN class="docEmphStrong">quit</SPAN>, and <SPAN class="docEmphStrong">show version</SPAN><A name="login the"></A> commands. You cannot really access this level because after login the first level accessible is level 1. Hence, the commands defined in this level are available to all users and do not affect the configuration of the device.</P> </LI> <LI> <P class="docText"><SPAN class="docEmphStrong">privilege level 1:</SPAN><A name="at the"></A> Normal level on Telnet; includes all user-level commands at the <SPAN class="docEmphasis">ASA&gt;</SPAN> prompt. This level is also known as <SPAN class="docEmphasis">User-EXEC mode</SPAN><A name="the configuration"></A>. Commands at this level do not affect the configuration of the device.</P> </LI> <LI> <P class="docText"><SPAN class="docEmphStrong">privilege level 15:</SPAN><A name="the"></A> Includes all enable-level commands at the <SPAN class="docEmphasis">ASA#</SPAN><A name="any configuration"></A> prompt. At this level, all commands are available and any configuration can be viewed or changed. This level is also known as <SPAN class="docEmphasis">Privileged-EXEC mode</SPAN>.</P> </LI> </UL> <P class="docText"><A name="you login"></A>When you login to the device, you arrive at privilege level 1. To get to level 15, you have to use the <SPAN class="docEmphStrong">enable</SPAN><A name="is configured"></A> command and enter the configured enable password.</P> </BLOCKQUOTE> Thu, 30 Mar 2017 08:41:17 GMT https://community.cisco.com/t5/network-security/limit-asa-login-access-with-local-aaa-database/m-p/3043808#M145338 Marvin Rhoads 2017-03-30T08:41:17Z https://community.cisco.com/t5/network-security/limit-asa-login-access-with-local-aaa-database/m-p/3043809#M145340 <P>Be aware that you have to add aaa&nbsp;authorization even if you use attribute "remote-access" - otherwise ssh and ASDM logins are still working.</P> <P></P> <P>deny SSH</P> <P><STRONG><SPAN style="color: #1f497d;">aaa authorization exec LOCAL</SPAN></STRONG></P> <P><STRONG><SPAN style="color: #1f497d;"></SPAN></STRONG></P> <P>deny ASDM (new since ASA 9.4)</P> <P><SPAN style="font-size: 14pt;"><STRONG><SPAN style="font-family: 'Calibri',sans-serif; color: #1f497d;">aaa authorization http console LOCAL</SPAN></STRONG></SPAN></P> <P></P> Wed, 05 Apr 2017 20:01:03 GMT https://community.cisco.com/t5/network-security/limit-asa-login-access-with-local-aaa-database/m-p/3043809#M145340 Anton Hinterleitner 2017-04-05T20:01:03Z