793 Views | 0 Helpful | 4 Replies

Allow local user for only ASA admin and not RA VPN

ABaker94985 (Spotlight)

We are trying to remediate the RA VPN vulnerability of CVE-2023-20269. We use TACACS+ to login, but there is a local backup account in case TACACS+ goes down. Is there some way to prevent this account from being utilized by AnyConnect?

I understand we can lock a username into a profile, but I don't believe that's what I'm intending on doing.

Thanks

Accepted Solution

@ABaker94985 try this:-

When users in the LOCAL user database are not expected to be able to establish remote access VPN tunnels at all, administrators can prevent these users from successfully establishing a remote access VPN tunnel by setting the vpn-simultaneous-logins option in username attributes configuration mode to zero, as shown in the following example:

username USERNAME attributes
 vpn-simultaneous-logins 0


4 Replies


Thanks, Rob. That's exactly what I was needing.

plwalsh (Level 1)

Regarding this recent vulnerability to 'brute force attack in an attempt to identify valid username and password combinations', is the ASA brute force vulnerability only related to LOCAL usernames? i.e. if I apply the various workarounds to any LOCAL usernames, does that mitigate the vulnerability? I don't have clientless SSL VPN so that's not an issue for me.

ABaker94985 (Spotlight)

My understanding is that there are two ways to compromise the ASA. One through brute force local usernames and the other using clientless SSL. Clientless was not an issue for us either. However, our ASA was hammered with attempts to compromise the local usernames as shown in the following:

pri/act/asa5545(config)# sh logg | in 113015
Sep 08 2023 00:36:44: %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = ***** : user IP = 152.89.198.38
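The two practical tasks in this thread are (a) confirming that every LOCAL username actually carries the vpn-simultaneous-logins 0 workaround from the accepted solution, and (b) spotting the kind of %ASA-6-113015 rejection flood shown in the log line above. The following Python script is an added example, not code from the thread or from Cisco: it audits a pasted copy of the relevant 'show running-config' lines for local users that still lack the workaround, and it counts local-database rejections per source IP so that a source exceeding a threshold can be raised as an alert. The config text, the syslog lines (which use documentation IP ranges rather than the address from the post), the usernames and the threshold of 3 are all constructed for the example.

```python
"""Added example (not from the thread): audit ASA local usernames for the
vpn-simultaneous-logins 0 workaround and triage %ASA-6-113015 rejections."""
import re
from collections import Counter, defaultdict

# Constructed sample of the username-related lines from 'show running-config'.
SAMPLE_CONFIG = """\
username backupadmin password ***** privilege 15
username backupadmin attributes
 vpn-simultaneous-logins 0
username vpnuser password *****
username vpnuser attributes
 vpn-group-policy GP-VPN
username svcacct password *****
"""

# Constructed syslog lines modelled on the 113015 message quoted in the thread;
# the last line is an unrelated message that the parser must ignore.
SAMPLE_LOGS = """\
Sep 08 2023 00:36:44: %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = ***** : user IP = 192.0.2.10
Sep 08 2023 00:36:45: %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = ***** : user IP = 192.0.2.10
Sep 08 2023 00:36:46: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = ***** : user IP = 192.0.2.10
Sep 08 2023 00:40:01: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = ***** : user IP = 198.51.100.7
Sep 08 2023 00:41:12: %ASA-6-302013: Built inbound TCP connection (constructed filler line)
"""


def local_users_without_vpn_block(config_text):
    """Return local usernames whose 'attributes' block does not set
    vpn-simultaneous-logins 0, i.e. accounts that could still be used for RA VPN."""
    users, blocked = set(), set()
    current = None  # username whose attributes block we are inside, if any
    for line in config_text.splitlines():
        m = re.match(r"username (\S+) (?:password|nopassword)\b", line)
        if m:
            users.add(m.group(1))
            current = None
            continue
        m = re.match(r"username (\S+) attributes$", line)
        if m:
            current = m.group(1)
            continue
        if line.startswith(" ") and current:
            # indented line belongs to the current attributes block
            if re.match(r"\s*vpn-simultaneous-logins 0$", line):
                blocked.add(current)
        else:
            current = None  # any non-indented line ends the block
    return sorted(users - blocked)


LOG_RE = re.compile(
    r"%ASA-\d-113015: AAA user authentication Rejected : reason = (?P<reason>[^:]+?)"
    r" : local database : user = (?P<user>\S+) : user IP = (?P<ip>\S+)"
)


def triage_113015(log_text, threshold=3):
    """Count local-database authentication rejections per source IP and return
    {ip: {'count': n, 'reasons': {reason: n}}} for sources at or above threshold."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a 113015 line, or not against the local database
        per_ip[m.group("ip")][m.group("reason").strip()] += 1
    return {
        ip: {"count": sum(reasons.values()), "reasons": dict(reasons)}
        for ip, reasons in per_ip.items()
        if sum(reasons.values()) >= threshold
    }


if __name__ == "__main__":
    print("local users still able to start RA VPN:",
          local_users_without_vpn_block(SAMPLE_CONFIG))
    for ip, info in triage_113015(SAMPLE_LOGS).items():
        print(f"{ip}: {info['count']} rejections, reasons={info['reasons']}")
```

The audit deliberately reports any local user without the explicit zero, rather than trusting a group-policy inheritance chain, because the accepted solution sets the value directly under username attributes; the threshold in the triage function is a starting point to tune against the ASA's normal rejection rate.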
