Using LOCAL AAA for VPN access ONLY
01-26-2011 07:27 AM - edited 03-10-2019 05:45 PM
Hi there,
I would need to know: if I create a user in the AAA LOCAL database, how would this user use authentication only for the VPN IPsec client? I don't want this user to access the management console of my Cisco ASA 5520.
I tried to give it privilege 0 and 1, blocking ASDM only,
using no CLI, telnet or SSH. I got nothing; he can access everything.
Sorry for my bad English!
Mike

01-26-2011 07:53 AM
Well, you must be using TACACS for ASA management purposes. I mean you should have two entries for the ASA: one as a TACACS client and one as a RADIUS client.
TACACS for management and RADIUS for VPN; if not, then set it up that way.
After that go to user setup and use IP-BASED NAR with the action set to denied.
Hope this helps.
Rgds,
Jatin
Do rate helpful posts.
01-26-2011 08:18 AM
Thanks,
Another question: can I run TACACS or RADIUS locally on my ASA, or should I use an external server?
Mike

01-26-2011 08:25 AM
Well, the answer is NO. The ASA itself can't act as a RADIUS or TACACS server.
The only thing you can implement is AAA authentication for local users,
like:
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
Hope this helps,
Rgds,
Jatin
Do rate helpful posts.

01-27-2011 08:25 PM
Hi majedalanni,
I've run across a user config for VPN-only users:
username xxxx attributes
service-type remote-access
(ASA 8.3, this is what I've got running)
On older versions it could be:
username xxxx attributes
service-type vpn
Look for the documentation of "username attributes" for more details.
Hope that solves your challenge.
Rgds, MiKa
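Putting MiKa's service-type attribute together with Jatin's LOCAL authentication lines, here is an added configuration example (not posted by anyone in the thread) showing a VPN-only local user beside a management user. Usernames and passwords are placeholders; the line added beyond the thread is aaa authorization exec LOCAL, which is what makes the ASA enforce service-type on management logins.

```cisco
! Added example, not from the thread. Usernames and passwords are placeholders.
!
! Management access (SSH, ASDM/HTTP, enable, serial) authenticates against the
! local user database.
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
!
! Management authorization: without this line the service-type attribute is
! not checked, and a VPN-only user who knows the password can still log in
! to the CLI or ASDM (the symptom described in the first post).
aaa authorization exec LOCAL
!
! VPN-only user: may authenticate to the IPsec client, is denied at SSH,
! telnet and ASDM. Note that serial console access is still permitted for
! remote-access users, so physical console security still matters.
username vpnuser1 password <placeholder> privilege 0
username vpnuser1 attributes
 service-type remote-access
!
! Administrator: full access to the management services listed above.
username netadmin password <placeholder> privilege 15
username netadmin attributes
 service-type admin
```

Verify the split with a test login: the VPN-only account should be rejected by SSH and ASDM while still completing the IPsec client authentication.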
