How can I permit a user to authenticate via VPN but not have command line or ASDM access? The default device admin authorization policy is PermitAccess DenyAllCommands, this allows them to connect via VPN but ALSO allows then to login to the network ...