Remote-user type ssh access to ASA

cisco8887
Level 2

Hi All,

I have noticed something interesting. When one creates a username on an ASA for local authentication of VPN users, the user can SSH into the device.

I changed the user service type to remote-access only and changed the privilege to 0, but still it could log in.

How can you stop this and only allow VPN login and no SSH/Telnet?

I guess level 0 and 1 are the same or have very minor differences.

Many thanks

3 Replies

Boris Uskov
Level 4
Hello,
Please check if the command "aaa authorization exec LOCAL" is in place:
The aaa authorization exec command tells the security appliance to check the service-type attribute before allowing administrative connections (console or ASDM) to succeed. Locally configured users may have the following values for service type: admin, nas-prompt, or remote-access.
To be authorized for enabled access through the console, that is, access to the privileged prompt, the user must have admin access.
For an administrative HTTP, ASDM, SSH, or Telnet connection to succeed, the user must have either admin or nas-prompt privileges.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/aaa.html

Got you, so if the authorisation is in place it stops users logging in with service type set to remote-access and allows all other user logins?

I think what you are saying is that authentication always happens first, and the ASA allows the client to log in after this because no authorisation is in place? If so, when does it check the privilege level to allow access to enable mode?

Does it not perform authorisation in unprivileged mode and only perform it when one types enable?

It seems from the Cisco documentation that if "aaa authorization exec LOCAL" is in place and the user type is "remote-access", that user won't be able to have an ASDM/SSH/Telnet session opened (authentication won't be successful). And if the user type is "remote-access", the privilege level does not play a role. A user with privilege level 15 and service type "remote-access" won't be able to pass the authentication of an ASDM/SSH/Telnet session.
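As an added worked check, not code from the thread or from Cisco: a small Python audit that parses an ASA running-config fragment and lists the local users with `service-type remote-access` that would still get an SSH/ASDM/Telnet login because `aaa authorization exec LOCAL` is missing, which is the situation the original post describes. The usernames and config lines are constructed samples, and the password hashes are placeholders; the rule the check encodes is the one from Boris Uskov's replies above (without exec authorization the service-type is not consulted; with it, remote-access users are refused regardless of privilege level).

```python
import re

# Constructed sample of an ASA running-config fragment (not from the thread).
# Two users are meant to be VPN-only, one is the administrator, and the
# "aaa authorization exec LOCAL" line is absent.  PLACEHOLDER_HASH stands in
# for the encrypted password string.
SAMPLE_CONFIG_MISSING_AUTHZ = """
username vpnuser1 password PLACEHOLDER_HASH encrypted privilege 0
username vpnuser1 attributes
 service-type remote-access
username vpnuser2 password PLACEHOLDER_HASH encrypted
username vpnuser2 attributes
 service-type remote-access
username netadmin password PLACEHOLDER_HASH encrypted privilege 15
username netadmin attributes
 service-type admin
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
"""

# The same fragment with the command the reply recommends added.
SAMPLE_CONFIG_FIXED = SAMPLE_CONFIG_MISSING_AUTHZ + "aaa authorization exec LOCAL\n"


def parse_users(config: str) -> dict:
    """Return {username: service_type} for every local user.

    Users whose attributes block carries no 'service-type' line are
    recorded with None; this check does not make a judgement about them.
    """
    users = {}
    current = None  # username whose attributes block we are inside
    for line in config.splitlines():
        m = re.match(r"^username (\S+) attributes\s*$", line)
        if m:
            current = m.group(1)
            users.setdefault(current, None)
            continue
        m = re.match(r"^username (\S+) ", line)
        if m:
            users.setdefault(m.group(1), None)
            current = None
            continue
        m = re.match(r"^\s+service-type (\S+)", line)
        if m and current:
            users[current] = m.group(1)
            continue
        if not line.startswith(" "):
            # Any other top-level command ends the attributes block.
            current = None
    return users


def has_exec_authorization(config: str) -> bool:
    """True if 'aaa authorization exec LOCAL' is configured."""
    return any(
        re.match(r"^aaa authorization exec\s+LOCAL\s*$", line, re.IGNORECASE)
        for line in config.splitlines()
    )


def users_with_admin_exposure(config: str) -> list:
    """VPN-only (remote-access) users who would still be accepted for an
    SSH/ASDM/Telnet login.

    Without exec authorization the ASA does not consult service-type, so
    every remote-access user is exposed.  With it, none of them is, and
    the privilege level does not change that.
    """
    if has_exec_authorization(config):
        return []
    users = parse_users(config)
    return sorted(u for u, st in users.items() if st == "remote-access")


if __name__ == "__main__":
    print("missing authz:", users_with_admin_exposure(SAMPLE_CONFIG_MISSING_AUTHZ))
    print("fixed:        ", users_with_admin_exposure(SAMPLE_CONFIG_FIXED))
```

Run against a real `show running-config` capture, a non-empty result means the device accepts VPN-only accounts for management sessions and `aaa authorization exec LOCAL` should be added; after the change, verify with a remote-access account that the SSH login is refused while an `admin` or `nas-prompt` account still gets in.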
