Allow users to authenticate on VPN but not login to devices

How can I permit a user to authenticate via VPN but not have command line or ASDM access?

The default device admin authorization policy is PermitAccess DenyAllCommands; this allows them to connect via VPN but ALSO allows them to log in to the network endpoints and firewalls.

1 Reply

mauzamor (Level 1)

Hi there,

You can configure the ACS to send back the Service-Type Outbound to allow only VPN access:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1070306

"Service-Type 5 (Outbound)—Denies management access. The user cannot use any services specified by the aaa authentication console commands (excluding the serial keyword; serial access is allowed). Remote access (IPSec and SSL) users can still authenticate and terminate their remote access sessions."

This attribute is configured under Policy Elements.

Let me know if it helps.
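To check from the client side that the AAA server really is returning the attribute the reply describes, here is an added example (not from the Cisco page or the reply author) that decodes a RADIUS Access-Accept, verifies its Response Authenticator against the shared secret, and reports whether Service-Type 5 (Outbound) is present. Attribute numbers and the Service-Type value come from RFC 2865; the packets, the request authenticator and the shared secret are constructed here for illustration, and the decision helper models only the behaviour quoted above (Service-Type 5 present: no CLI/ASDM, VPN still allowed; attribute absent: nothing in this attribute restricts management access, which is the situation the question describes).

```python
"""Decode a RADIUS Access-Accept and report whether it carries
Service-Type 5 (Outbound), the attribute that makes the ASA deny
management access while still allowing remote-access VPN.

Added example, not code from the Cisco page; the packet bytes below are
constructed. Attribute numbers and Service-Type values are from RFC 2865."""
import hashlib
import struct

ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_SERVICE_TYPE = 6
SERVICE_TYPE_OUTBOUND = 5          # the value the reply recommends
HEADER_LEN = 20                    # code, id, length, 16-byte authenticator


def build_access_accept(ident, request_auth, secret, username, service_type):
    """Construct an Access-Accept the way a RADIUS server would (used here
    only to make test data); Response Authenticator per RFC 2865 section 3."""
    attrs = bytes([ATTR_USER_NAME, 2 + len(username)]) + username.encode()
    if service_type is not None:
        attrs += bytes([ATTR_SERVICE_TYPE, 6]) + struct.pack("!I", service_type)
    length = HEADER_LEN + len(attrs)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, length)
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response_authenticator(packet, request_auth, secret):
    """Check the reply was produced by a server holding the shared secret."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[HEADER_LEN:] + secret).digest()
    return expected == packet[4:HEADER_LEN]


def parse_attributes(packet):
    """Walk the TLV attribute list, rejecting length inconsistencies
    instead of reading past the buffer."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field %d != packet size %d" % (length, len(packet)))
    attrs = []
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def service_type_of(packet):
    """Return the Service-Type integer, or None if the server sent none."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    for atype, value in attrs:
        if atype == ATTR_SERVICE_TYPE:
            if len(value) != 4:
                raise ValueError("Service-Type value must be 4 bytes")
            return struct.unpack("!I", value)[0]
    return None


def management_denied_by_service_type(packet):
    """True only when Service-Type 5 is present: the user can still
    terminate a VPN session but gets no CLI/ASDM. A missing attribute is
    the poster's situation: this attribute then restricts nothing."""
    return service_type_of(packet) == SERVICE_TYPE_OUTBOUND


# Constructed sample data: the request authenticator and shared secret a
# RADIUS client would hold for this exchange (placeholders, not real values).
REQ_AUTH = bytes(range(16))
SECRET = b"example-shared-secret"

VPN_ONLY_ACCEPT = build_access_accept(7, REQ_AUTH, SECRET, "alice", SERVICE_TYPE_OUTBOUND)
UNRESTRICTED_ACCEPT = build_access_accept(8, REQ_AUTH, SECRET, "bob", None)

if __name__ == "__main__":
    for name, pkt in (("alice", VPN_ONLY_ACCEPT), ("bob", UNRESTRICTED_ACCEPT)):
        ok = verify_response_authenticator(pkt, REQ_AUTH, SECRET)
        print(f"{name}: authenticator ok={ok} Service-Type={service_type_of(pkt)} "
              f"management denied={management_denied_by_service_type(pkt)}")
```

In practice you would feed `service_type_of` the attribute bytes of a captured Access-Accept (or a RADIUS debug on the ASA) for a VPN-only user and expect 5; an unrestricted user yields None or another value, which is exactly why the default policy in the question still lets those users log in.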