01-10-2017 06:47 AM - edited 02-21-2020 09:07 PM
AnyConnect service-type remote-access is the recommended access type for remote VPN users. The remote-access variable is suggested to prevent management access to the ASA, and it seems this is what you would want for your remote users. Assigning the remote user community the remote-access service should not allow management access to the ASA; however, if you add ssh 0.0.0.0 0.0.0.0 inside (as well as creating the crypto keys and the ssh variables), suddenly you provide admin access to the ASA for all remote and local users as well.
We understand the recommended approach is to use the AnyConnect service-type admin for remote VPN administrators, but it seems the service-type remote-access has a hole?!
Thanks
Frank
01-10-2017 09:53 AM
I assume that you are just missing the command
aaa authorization exec LOCAL
Without that, the service-type is not used to decide if a
01-10-2017 10:23 AM
Hi Karsten,
Ahhh, this is what we have (below); we do not have the exec option.
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
I'll go back and amend the configuration, more soon!!!
Thank you
Frank
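To make the gap Karsten describes checkable, here is an added audit script (not part of the thread, not Cisco's code) that reads an ASA configuration like the one Frank posted and reports users carrying service-type remote-access when SSH or HTTP management is open with local authentication but aaa authorization exec LOCAL is absent. The username block, the user name vpnuser and the placeholder password hash are assumptions constructed for the example.

```python
import re

# Constructed sample modelled on the thread: a VPN-only user, SSH opened on
# the inside interface, local AAA, and no exec authorization (the gap).
# The username lines and the placeholder hash are assumptions, not the
# poster's real configuration.
WEAK_CONFIG = """\
username vpnuser password CONSTRUCTED-HASH encrypted
username vpnuser attributes
 service-type remote-access
ssh 0.0.0.0 0.0.0.0 inside
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
"""

# The same configuration with the fix from the accepted answer applied.
FIXED_CONFIG = WEAK_CONFIG + "aaa authorization exec LOCAL\n"

# Lines such as "ssh 0.0.0.0 0.0.0.0 inside" or "http 10.0.0.0 255.0.0.0 mgmt"
# open a management interface. IPv4 only; "ssh version 2" etc. do not match.
MGMT_OPEN = re.compile(r"(ssh|http) \d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+ \S+$")

def remote_access_users(config):
    """Return usernames whose attributes block sets service-type remote-access."""
    users, current = [], None
    for line in config.splitlines():
        m = re.match(r"username (\S+) attributes$", line)
        if m:
            current = m.group(1)            # entering "username X attributes"
        elif line.startswith(" ") and current:
            if line.strip() == "service-type remote-access":
                users.append(current)
        else:
            current = None                  # any other top-level line ends the block
    return users

def audit_mgmt_access(config):
    """List remote-access users whose service-type is not enforced on management logins."""
    lines = [l.strip() for l in config.splitlines()]
    mgmt_open = any(MGMT_OPEN.match(l) for l in lines)
    local_auth = any(l in ("aaa authentication ssh console LOCAL",
                           "aaa authentication http console LOCAL") for l in lines)
    exec_authz = "aaa authorization exec LOCAL" in lines
    if not (mgmt_open and local_auth) or exec_authz:
        return []
    return [f"{u}: service-type remote-access not enforced "
            f"(missing 'aaa authorization exec LOCAL')" for u in remote_access_users(config)]
```

Running audit_mgmt_access on WEAK_CONFIG flags vpnuser; on FIXED_CONFIG it returns an empty list.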
01-11-2017 09:17 AM
Hi Karsten,
That did the trick!
Thank you
Frank