Limit ASA login access with LOCAL AAA database

Phil Williamson
Level 1

I want to limit login access to my ASA5515 by changing the privilege level for LOCAL user accounts.

Quoting Cisco:
If you do not use command authorization (the aaa authorization console LOCAL command), then the
default level 2 allows management access to privileged EXEC mode. If you want to limit access to
privileged EXEC mode, either set the privilege level to 0 or 1, or use the service-type command.

So I add a user to LOCAL database
username MyUser password cisco privilege 0

And I have AAA to LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL

When I SSH to the ASA I can log in as MyUser.
Granted, MyUser still has to know the enable password, but why wasn't MyUser denied login?

ASA5515 v9.4(3)12

What did I miss in this?

Thanks

2 Replies

Marvin Rhoads
Hall of Fame

Privilege level 0 and 1 only limits access - it does not deny it.

If you want to more completely restrict access (say for VPN users), use the username attribute "remote-access".

Source:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/admin-management.html#ID-2111-0000046a

To look at it another way, here is a slightly different explanation than the one you cite, taken from the book "AAA Identity Management Security" (Cisco Press, 2010):

Similar to Cisco IOS, ASA also provides 16 levels of access called privilege levels. By default, the following three levels are defined on the device:

  • privilege level 0: Includes the show checksum, show curpriv, enable, help, show history, login, logout, page, show pager, clear pager, quit, and show version commands. You cannot really access this level because after login the first level accessible is level 1. Hence, the commands defined in this level are available to all users and do not affect the configuration of the device.

  • privilege level 1: Normal level on Telnet; includes all user-level commands at the ASA> prompt. This level is also known as User-EXEC mode. Commands at this level do not affect the configuration of the device.

  • privilege level 15: Includes all enable-level commands at the ASA# prompt. At this level, all commands are available and any configuration can be viewed or changed. This level is also known as Privileged-EXEC mode.

When you login to the device, you arrive at privilege level 1. To get to level 15, you have to use the enable command and enter the configured enable password.

Be aware that you have to add aaa authorization even if you use the attribute "remote-access"; otherwise SSH and ASDM logins still work.

deny SSH

aaa authorization exec LOCAL

deny ASDM (new since ASA 9.4)

aaa authorization http console LOCAL
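The two replies together give a checkable rule: a local user at privilege 0 or 1 can still log in over SSH/ASDM, and "service-type remote-access" only blocks those logins once "aaa authorization exec LOCAL" and "aaa authorization http console LOCAL" are present. The following is an added audit script (not from the original thread or from Cisco) that applies that rule to a constructed running-config excerpt; the user names and config text are made up for the example.

```python
import re

# Constructed sample ASA running-config excerpt (not from the original post):
# two local users, SSH/HTTP authentication to LOCAL, but no exec/http authorization.
SAMPLE_CONFIG = """\
username MyUser password cisco privilege 0
username VpnOnly password cisco privilege 1
username VpnOnly attributes
 service-type remote-access
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
"""

def parse_users(config):
    """Return {name: {'privilege': int, 'service_type': str|None}} from ASA config text.
    A username line without an explicit privilege gets the ASA default of 2."""
    users, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):
            current = None  # any indented "username X attributes" block has ended
        m = re.match(r"username (\S+) password \S+(?: privilege (\d+))?", line)
        if m:
            u = users.setdefault(m.group(1), {"privilege": 2, "service_type": None})
            if m.group(2):
                u["privilege"] = int(m.group(2))
            continue
        m = re.match(r"username (\S+) attributes", line)
        if m:
            current = m.group(1)
            users.setdefault(current, {"privilege": 2, "service_type": None})
            continue
        m = re.match(r"\s+service-type (\S+)", line)
        if m and current:
            users[current]["service_type"] = m.group(1)
    return users

def audit(config):
    """Return one finding per local user who can still reach SSH/ASDM management login."""
    lines = {l.strip() for l in config.splitlines()}
    exec_authz = "aaa authorization exec LOCAL" in lines
    http_authz = "aaa authorization http console LOCAL" in lines
    findings = []
    for name, u in parse_users(config).items():
        if u["service_type"] == "remote-access":
            if not (exec_authz and http_authz):  # attribute set but not enforced
                findings.append(f"{name}: service-type remote-access is not enforced (exec authz={exec_authz}, http authz={http_authz})")
        elif u["privilege"] < 2:  # low privilege limits the session, it does not deny login
            findings.append(f"{name}: privilege {u['privilege']} only limits the session, login over SSH/ASDM is still allowed")
    return findings
```

Run audit() against a saved "show running-config" to see which local accounts still get a management login; appending the two authorization lines from the replies clears the remote-access finding but not the privilege-0 one.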
