Allow users to authenticate on VPN but not login to devices

How can I permit a user to authenticate via VPN but not have command line or ASDM access?

The default device admin authorization policy is PermitAccess DenyAllCommands; this allows them to connect via VPN but ALSO allows them to log in to the network endpoints and firewalls.

1 REPLY
mauzamor
Beginner

Hi there,

You can configure the ACS to send back the Service type Outbound to allow only VPN access:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1070306

"Service-Type 5 (Outbound)—Denies management access. The user cannot use any services specified by the aaa authentication console commands (excluding the serial keyword; serial access is allowed). Remote access (IPSec and SSL) users can still authenticate and terminate their remote access sessions."

This attribute is configured under Policy Elements.

Let me know if it helps.
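As an added illustration (not part of the reply above, and not Cisco code): the Service-Type value the ACS returns travels as a standard RADIUS attribute (type 6, RFC 2865) in the Access-Accept. The Python below parses the attribute TLVs of a constructed Access-Accept payload and applies the rule quoted from the ASA guide, so an admin can see what a "VPN-only" reply looks like on the wire versus the default reply from the question. Attribute names and sample user name are assumptions for the example.

```python
"""Parse RADIUS Access-Accept attributes (RFC 2865 TLVs) and apply the
ASA rule quoted above: Service-Type 5 (Outbound) denies management
access (serial excluded) while remote-access VPN still authenticates.
Sample packet bytes below are constructed for this example."""
import struct

USER_NAME = 1               # RADIUS attribute number for User-Name
SERVICE_TYPE = 6            # RADIUS attribute number for Service-Type
SERVICE_TYPE_OUTBOUND = 5   # value the ACS sends to deny management access
SERVICE_TYPE_NAMES = {1: "Login", 2: "Framed", 5: "Outbound",
                      6: "Administrative", 7: "NAS-Prompt"}

def parse_avps(data: bytes) -> dict:
    """Walk the attribute TLVs; returns {attr_type: [raw value bytes]}."""
    avps, pos = {}, 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        avps.setdefault(atype, []).append(data[pos + 2:pos + alen])
        pos += alen
    return avps

def encode_service_type(value: int) -> bytes:
    """Service-Type AVP: type 6, length 6, 4-byte big-endian integer."""
    return struct.pack("!BBI", SERVICE_TYPE, 6, value)

def asa_access_decision(avps: dict) -> dict:
    """Outcome per the ASA guide: Outbound denies console/ASDM, not VPN."""
    raw = avps.get(SERVICE_TYPE, [])
    service_type = struct.unpack("!I", raw[0])[0] if raw else None
    outbound = service_type == SERVICE_TYPE_OUTBOUND
    return {
        "service_type": SERVICE_TYPE_NAMES.get(service_type, service_type),
        "vpn_allowed": True,                   # remote-access users still authenticate
        "mgmt_console_allowed": not outbound,  # aaa authentication console (non-serial)
        "serial_allowed": True,                # serial keyword is excluded from the denial
    }

# Constructed sample: Access-Accept attributes for a VPN-only user
SAMPLE_VPN_ONLY = (struct.pack("!BB", USER_NAME, 2 + 5) + b"alice"
                   + encode_service_type(SERVICE_TYPE_OUTBOUND))
# Constructed sample: no Service-Type, i.e. the default policy from the question
SAMPLE_DEFAULT = struct.pack("!BB", USER_NAME, 2 + 5) + b"alice"

if __name__ == "__main__":
    for label, pkt in (("vpn-only", SAMPLE_VPN_ONLY), ("default", SAMPLE_DEFAULT)):
        print(label, asa_access_decision(parse_avps(pkt)))
```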
