01-26-2011 07:27 AM - edited 03-10-2019 05:45 PM
Hi there,
I need to know: if I create a user in the AAA LOCAL database, how can this user authenticate only for the VPN IPsec client? I don't want this user to access the management console of my Cisco ASA 5520.
I tried giving it privilege 0 and 1, blocking ASDM only,
using no CLI, telnet, or SSH. I got nothing; he can access everything.
Sorry for my bad English!
Mike
01-26-2011 07:53 AM
Well, you must be using TACACS for ASA management purposes. I mean you should have two entries for the ASA: as a TACACS client and as a RADIUS client.
TACACS for management and RADIUS for VPN; if not, then set it up that way.
After that go to user setup and use IP-BASED-NAR with action as denied.
Hope this helps.
Rgds,
Jatin
Do rate helpful posts-
01-26-2011 08:18 AM
Thanks,
Another question: can I run TACACS or RADIUS locally on my ASA, or should I use an external server?
Mike
01-26-2011 08:25 AM
Well, the answer is NO. The ASA itself can't act as a RADIUS or TACACS server.
The only thing you can do is implement AAA authentication for local users,
like:
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
Hope this helps,
Rgds
Jatin
Do rate helpful posts-
01-27-2011 08:25 PM
Hi majedalanni,
I've run across a user config for VPN-only users:
username xxxx attributes
 service-type remote-access
(ASA 8.3, this is what I've got running)
On older versions it could be:
username xxxx attributes
 service-type vpn
Look for the documentation of "username attributes" for more details.
Hope that solves your challenge
Rgds, MiKa
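As an added audit example (my own code, not from this thread or from Cisco), the script below scans a constructed ASA running-config excerpt and lists local users who could still reach the management plane while ssh/telnet/http/enable authentication points at LOCAL, i.e. users whose service-type is neither remote-access nor the older vpn keyword mentioned above. It assumes a username with no explicit service-type gets the ASA default of admin.

```python
import re

# Constructed sample running-config excerpt (not taken from the thread).
SAMPLE_CONFIG = """\
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
username admin password <hash-redacted> encrypted privilege 15
username admin attributes
 service-type admin
username vpnuser password <hash-redacted> encrypted privilege 0
username vpnuser attributes
 service-type remote-access
username legacy password <hash-redacted> encrypted privilege 1
"""

# 'vpn' is the pre-8.3 keyword mentioned in the thread; 'remote-access' is current.
VPN_ONLY = {"remote-access", "vpn"}


def parse_local_users(config):
    """Map each local username to its service-type.
    Assumption: a user with no explicit service-type is treated as 'admin',
    the ASA default, which is why privilege 0/1 alone does not help."""
    users, current = {}, None
    for line in config.splitlines():
        m = re.match(r"username (\S+) (attributes|password)", line)
        if m:
            users.setdefault(m.group(1), "admin")
            current = m.group(1) if m.group(2) == "attributes" else None
        elif current and (m := re.match(r"\s+service-type (\S+)", line)):
            users[current] = m.group(1)
    return users


def management_uses_local(config):
    """True when any management access method authenticates against LOCAL."""
    return bool(re.search(
        r"^aaa authentication (ssh|telnet|http|serial|enable) console LOCAL",
        config, re.M))


def audit(config):
    """Return local users that can log into management (sorted), or [] when
    management authentication does not use the LOCAL database at all."""
    if not management_uses_local(config):
        return []
    return sorted(u for u, st in parse_local_users(config).items()
                  if st not in VPN_ONLY)
```

Run it against `show running-config` output; every name it returns is a user that should be a VPN-only account but can still log into the CLI or ASDM.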