06-25-2012 06:47 AM - edited 03-10-2019 07:14 PM
Hello,
I am interested in whether it is possible to restrict CLI access for users from the local database; they should be working only for EasyVPN.
Is it possible to do this without an external DB?
06-25-2012 06:53 AM
Could you elaborate your question?
What device are we using for authenticating users like version, model, platform?
Which CLI access are you referring to here... CLI access to your switches/routers/firewalls?
Regards,
Jatin
06-25-2012 09:21 AM
Hello Jatin,
I am using a 3945E router as Easy VPN Server, with IOS 15.1. On the router I have a bunch of usernames for VPN authentication; I want to restrict router management access for them (SSH, Telnet, HTTP and so on).
06-25-2012 01:09 PM
You can set up local command authorization for the same.
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
Regards,
Jatin
Do rate helpful posts-
06-25-2012 02:19 PM
How can I use these commands?
06-27-2012 12:09 AM
Hello,
Earlier I saw one example where it was done with an aaa attribute list, and it was working, but on the 3945E it is not working.
Here is the example:
aaa new-model
!
aaa authentication login ezvpn_users local
aaa authorization network ezvpn_users local
!
aaa attribute list ezvpn_users
attribute type service-type noopt service shell mandatory
!
username user1 password 0 superpasword
username user1 aaa attribute list ezvpn_users
!
Do you have any information about it?
10-19-2012 06:12 AM
try
"aaa authorization exec default local"
10-20-2012 07:09 AM
I think there is an easy way:
define the user with privilege 0.
That should do.
Users can still log in but they can't access/manage the router.
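
An added example, not part of any post in this thread and not Cisco's code: a Python script that audits a saved IOS configuration for local users that carry neither of the two restrictions suggested above (an attribute list containing the `service-type noopt` line together with local exec authorization, or `privilege 0`). The sample configuration is constructed from the commands quoted in the thread; treating exec authorization as a prerequisite for the attribute list follows the suggestion in the thread and is an assumption, and the function name `audit` is hypothetical.

```python
import re

# Constructed sample, assembled from the commands quoted in this thread.
SAMPLE = """\
aaa new-model
aaa authentication login ezvpn_users local
aaa authorization network ezvpn_users local
aaa authorization exec default local
aaa attribute list ezvpn_users
 attribute type service-type noopt service shell mandatory
username user1 password 0 superpasword
username user1 aaa attribute list ezvpn_users
username user2 privilege 0 password 0 constructed
username admin privilege 15 password 0 constructed
"""

NOOPT = "attribute type service-type noopt service shell mandatory"

def audit(config):
    """Return {username: reason} for local users with neither restriction."""
    noopt_lists, users, current, exec_local = set(), {}, None, False
    for line in (l.strip() for l in config.splitlines()):
        if m := re.fullmatch(r"aaa attribute list (\S+)", line):
            current = m.group(1)
            continue
        if current and line.startswith("attribute "):
            if line == NOOPT:
                noopt_lists.add(current)
            continue
        current = None  # any other line ends the attribute-list block
        if re.match(r"aaa authorization exec \S+ .*\blocal\b", line):
            exec_local = True  # assumption: needed for the list to affect shell logins
        elif m := re.match(r"username (\S+) (.+)", line):
            user = users.setdefault(m.group(1), {"list": None, "priv": None})
            if a := re.match(r"aaa attribute list (\S+)", m.group(2)):
                user["list"] = a.group(1)
            elif p := re.match(r"privilege (\d+)\b", m.group(2)):
                user["priv"] = int(p.group(1))
    report = {}
    for name, user in users.items():
        if user["priv"] == 0:
            continue
        if user["list"] not in noopt_lists:
            report[name] = "no privilege 0 and no shell-blocking attribute list"
        elif not exec_local:
            report[name] = "attribute list bound, but no 'aaa authorization exec ... local'"
    return report

if __name__ == "__main__":
    for name, reason in audit(SAMPLE).items():
        print(f"{name}: {reason}")
```
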