AnyConnect VPN users gaining Admin access - trick?

fsebera
Level 4

AnyConnect service-type remote-access is the recommended access type for remote VPN users. The remote-access variable is suggested to prevent management access to the ASA and seems this is what you would want for your remote users. Assigning the remote user community remote-access service should not allow management access to the ASA; however, if you add ssh 0.0.0.0 0.0.0.0 inside (as well as creating the crypto keys and the ssh variables), suddenly you provide admin access to the ASA for all remote and local users as well.

We understand the recommended approach is to use the AnyConnect service-type admin for remote VPN administrators, but it seems the service-type remote-access has a hole?!

Thanks

Frank

Accepted Solution

I assume that you are just missing the command

aaa authorization exec LOCAL

Without that, the service-type is not used to decide if a user-account has login-rights or not.


3 Replies

Hi Karsten,

Ahhh, this is what we have (below); we do not have the exec option.

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

aaa authorization command LOCAL

I'll go back and amend the configuration, more soon!!!

Thank you

Frank

Hi Karsten,

That did the trick!

Thank you

Frank
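As an added example (not from this thread, and not Cisco code), a small Python audit that reads an ASA running-config and reports which local accounts could log in over SSH, applying the rule Karsten gave: without "aaa authorization exec LOCAL" the service-type is never consulted. The sample config is constructed to mirror the lines Frank posted; the two usernames and the SSH rule are assumptions.

```python
import re

# Constructed sample: the AAA lines Frank posted, plus SSH access and two local users
# (names assumed), one with each service-type.
SAMPLE_CONFIG = """\
username frank password <redacted> privilege 15
username frank attributes
 service-type remote-access
username karsten password <redacted> privilege 15
username karsten attributes
 service-type admin
ssh 0.0.0.0 0.0.0.0 inside
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
"""

def service_types(config):
    """Map each local username to its service-type (None when never set)."""
    users, current = {}, None
    for line in config.splitlines():
        if line.startswith("username "):
            name = line.split()[1]
            users.setdefault(name, None)
            current = name if line.rstrip().endswith(" attributes") else None
        elif line.startswith(" ") and current:
            m = re.match(r"\s+service-type (\S+)", line)
            if m:
                users[current] = m.group(1)
        else:
            current = None
    return users

def audit(config):
    """Who can reach the ASA CLI over SSH, given the AAA lines present (IPv4 ssh rules only)."""
    lines = [l.rstrip() for l in config.splitlines()]
    ssh_rule = re.compile(r"ssh \d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+ (\S+)$")
    ssh_ifaces = [m.group(1) for m in map(ssh_rule.match, lines) if m]
    exec_authz = any(l.startswith("aaa authorization exec LOCAL") for l in lines)
    users = service_types(config)
    if exec_authz:
        # service-type is honoured: admin (or unset, which ASA treats as admin) only
        capable = [u for u, t in users.items() if t in (None, "admin")]
    else:
        # service-type is ignored: every local account with a password can log in
        capable = list(users)
    gap = bool(ssh_ifaces) and "aaa authentication ssh console LOCAL" in lines and not exec_authz
    return {"ssh_interfaces": ssh_ifaces, "exec_authorization": exec_authz,
            "management_capable": capable, "missing_exec_authorization": gap}
```

Appending "aaa authorization exec LOCAL" to the sample config drops frank (service-type remote-access) from the management-capable list, which is the fix confirmed in this thread.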
