
Local user Issue on ASA for Anyconnect VPN only

hashimwajid1
Level 3

Hi,

I am configuring AnyConnect VPN on an ASA 5525-X with local user authentication, but when I create a local user on the ASA, this local user can log in to the AnyConnect VPN and to the ASA firewall as well. I want this user for VPN login only and not for ASA login.

Is there any way that I can restrict an ASA local user to VPN access only?

Thanks

Accepted Solution

Ben Walters
Level 4

When you create a user, give this a try; I believe it will restrict the user to VPN access only.

      username <USER> password <PASSWORD> privilege 2
      username <USER> attributes
        service-type remote-access

Then just include the VPN group policy settings that apply to your config.

Here is the ASDM section of it too.

(screenshot: asdm-ss.PNG)

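As an added example (not Ben's configuration and not a Cisco sample, just an illustration of the approach above), here is a minimal ASA configuration that pairs the service-type attribute with local management authentication and exec authorization. The exec authorization line is what makes the service-type restriction take effect for SSH and ASDM logins; without it, the attribute is stored but not enforced. The usernames, passwords and group policy name are placeholders.

```cisco
! Added example, not from the thread. Placeholder names and passwords.
!
! Management logins use the local database, and exec authorization is
! enabled so that each account's service-type is checked at login.
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization exec LOCAL
!
! Administrator account: may manage the ASA over SSH/ASDM.
username netadmin password <ADMIN-PASSWORD> privilege 15
username netadmin attributes
  service-type admin
!
! VPN-only account: AnyConnect logins succeed, but SSH/ASDM logins are
! rejected because the account is limited to remote-access service.
! GP-ANYCONNECT is a placeholder for an existing group policy.
username vpnuser1 password <VPN-PASSWORD> privilege 0
username vpnuser1 attributes
  service-type remote-access
  vpn-group-policy GP-ANYCONNECT
```

With this in place, vpnuser1 authenticates to AnyConnect as normal, while an SSH or ASDM login with the same credentials is refused. Confirm the attributes with `show running-config username vpnuser1` and verify the behaviour by attempting an SSH login as that user.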

5 Replies


Thanks Ben.

In ASDM it's also asking to configure 2 commands:

aaa authentication http console local
aaa authorization exec

Do we need to configure these 2 commands as well?

Ben Walters
Level 4

Do you use local authentication for admin access (ASDM/SSH)? If you do, then yes, you will need those commands.

If you are using an external AAA (RADIUS/TACACS/etc.) server, it wouldn't matter unless that exact same user was created on the AAA server for authentication and was authorized to log in to the device.

Hi Ben,

I tried the ASDM method and it's working. I have 2 queries:

1- Is there any way that VPN clients will not see the ASA self-signed certificate when they log in the first time? I don't want users to see these certificate messages sent from the ASA.

2- If I create multiple groups for VPN for multiple users, can I bind users to their desired group? I don't want a user to log in to another AnyConnect group configured in the firewall for other department users.

Thanks

1- Is there any way that VPN clients will not see the ASA self-signed certificate when they log in the first time? I don't want users to see these certificate messages sent from the ASA.

This would be because the certificate is untrusted on the client machine; you could install the certificate on the client machines before they connect to stop this message when connecting.

2- If I create multiple groups for VPN for multiple users, can I bind users to their desired group? I don't want a user to log in to another AnyConnect group configured in the firewall for other department users.

It is possible to separate users into different VPN groups; this is where the Group Policy and VPN Group Lock attributes are used for users in different departments, etc. Basically you would have to create separate VPN profiles for each user group and then specify a specific group policy. Then, when creating users, put the user in the correct group.
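As an added example of the group-lock approach described in this answer (not from the thread and not a Cisco sample), the configuration below defines two AnyConnect connection profiles, one per department, gives each its own group policy, and locks each local user to the profile it belongs to. Department names, address pools, aliases, usernames and passwords are placeholders, and it assumes the AnyConnect image and the outside interface are already configured.

```cisco
! Added example, not from the thread. Placeholder names and addresses.
!
! One address pool per department.
ip local pool POOL-SALES 10.10.10.1-10.10.10.100 mask 255.255.255.0
ip local pool POOL-ENG   10.10.20.1-10.10.20.100 mask 255.255.255.0
!
! Group policies: each one is locked to its own connection profile, so a
! user assigned GP-SALES cannot complete a login through TG-ENG.
group-policy GP-SALES internal
group-policy GP-SALES attributes
  vpn-tunnel-protocol ssl-client
  group-lock value TG-SALES
!
group-policy GP-ENG internal
group-policy GP-ENG attributes
  vpn-tunnel-protocol ssl-client
  group-lock value TG-ENG
!
! Connection profiles (tunnel groups), one per department, each with an
! alias that appears in the AnyConnect group drop-down.
tunnel-group TG-SALES type remote-access
tunnel-group TG-SALES general-attributes
  address-pool POOL-SALES
  default-group-policy GP-SALES
tunnel-group TG-SALES webvpn-attributes
  group-alias Sales enable
!
tunnel-group TG-ENG type remote-access
tunnel-group TG-ENG general-attributes
  address-pool POOL-ENG
  default-group-policy GP-ENG
tunnel-group TG-ENG webvpn-attributes
  group-alias Engineering enable
!
! Local users: VPN-only (service-type remote-access), each bound to the
! department group policy and, for clarity, also locked at user level.
username alice password <PASSWORD-A> privilege 0
username alice attributes
  service-type remote-access
  vpn-group-policy GP-SALES
  group-lock value TG-SALES
!
username bob password <PASSWORD-B> privilege 0
username bob attributes
  service-type remote-access
  vpn-group-policy GP-ENG
  group-lock value TG-ENG
!
! Expose the aliases so users pick a profile at login.
webvpn
  enable outside
  anyconnect enable
  tunnel-group-list enable
```

If alice selects the Engineering alias, the login fails even with a correct password, because the group-lock on her group policy (and on her account) only permits TG-SALES. Active sessions and the profile each user landed in can be checked with `show vpn-sessiondb anyconnect`.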