03-29-2017 11:53 AM - edited 03-12-2019 02:08 AM
I want to limit login access to my ASA5515 by changing the privilege level for LOCAL user accounts.
Quoting Cisco:
If you do not use command authorization (the aaa authorization console LOCAL command), then the
default level 2 allows management access to privileged EXEC mode. If you want to limit access to
privileged EXEC mode, either set the privilege level to 0 or 1, or use the service-type command.
So I add a user to the LOCAL database:
username MyUser password cisco privilege 0
And I have AAA set to LOCAL:
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
When I SSH to the ASA I can log in as MyUser.
Granted, MyUser still has to know the enable password, but why wasn't MyUser denied login?
ASA5515 v9.4(3)12
What did I miss in this?
Thanks
03-30-2017 01:41 AM
Privilege levels 0 and 1 only limit access; they do not deny it.
If you want to restrict access more completely (say, for VPN users), use the username attribute "remote-access".
Source:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/admin-management.html#ID-2111-0000046a
To look at it another way, here is a slightly different explanation than the one you cite, taken from the book "AAA Identity Management Security" (Cisco Press, 2010):
Similar to Cisco IOS, ASA also provides 16 levels of access called privilege levels. By default, the following three levels are defined on the device:
privilege level 0: Includes the show checksum, show curpriv, enable, help, show history, login, logout, page, show pager, clear pager, quit, and show version commands. You cannot really access this level because after login the first level accessible is level 1. Hence, the commands defined in this level are available to all users and do not affect the configuration of the device.
privilege level 1: Normal level on Telnet; includes all user-level commands at the ASA> prompt. This level is also known as User-EXEC mode. Commands at this level do not affect the configuration of the device.
privilege level 15: Includes all enable-level commands at the ASA# prompt. At this level, all commands are available and any configuration can be viewed or changed. This level is also known as Privileged-EXEC mode.
When you log in to the device, you arrive at privilege level 1. To get to level 15, you have to use the enable command and enter the configured enable password.
04-05-2017 01:01 PM
Be aware that you have to add aaa authorization even if you use the attribute "remote-access"; otherwise SSH and ASDM logins still work.
To deny SSH:
aaa authorization exec LOCAL
To deny ASDM (new since ASA 9.4):
aaa authorization http console LOCAL
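Putting the thread's pieces together, as an added example that is not from any of the posters above: the original "privilege 0" configuration beside the configuration that actually denies MyUser an SSH or ASDM session. The username attributes sub-mode, the service-type keywords and the NetAdmin account are assumed from the ASA CLI rather than quoted on this page.

```cisco
! --- Original (from the question): privilege 0 alone. MyUser still
! --- authenticates over SSH and lands at a level-1 prompt; only the
! --- enable password stands between that user and privileged EXEC.
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
username MyUser password cisco privilege 0

! --- Corrected: mark the account as VPN-only and switch on authorization
! --- so the ASA enforces the service-type on management logins.
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
! exec authorization applies the service-type check to SSH/CLI sessions
aaa authorization exec LOCAL
! http authorization extends the same check to ASDM (ASA 9.4 and later)
aaa authorization http console LOCAL
username MyUser password cisco
username MyUser attributes
 service-type remote-access
! Keep at least one explicit admin account before committing the change,
! and test from a second session so a mistake cannot lock you out.
! (NetAdmin is an assumed name; admin is assumed to be the default
! service-type for accounts that set none.)
username NetAdmin password <set-a-strong-password> privilege 15
username NetAdmin attributes
 service-type admin

! Verification from a working admin session:
! show running-config username   -> confirms the attributes were saved
! show curpriv                   -> shows the current session's privilege level
```

After this, an SSH attempt as MyUser should be rejected at authorization even though the LOCAL password is still correct, while the same credentials continue to work for the VPN logon they were intended for.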