Local users VPN SSL

ilukeberry
Level 1

Hi

I'd like to know what the best security practices are when using the local router DB for VPN users. I'll have only 3 users to access the network VPN.

As far as I know, local users also have access to the router via ssh/serial/telnet. Is there a way to disable this and make them VPN only?

I've checked AAA and it seems you can't attach local users to certain AAA lists.

I'm using Cisco 1900 Series ISR

Accepted Solutions

Hi Luka,

You are correct, you could use Parser views; refer to:

Role-Based CLI Access

The LOCAL database of any network device is useful for a small group of users, but it is always better to have an external database like AD maintaining and controlling access level like TACACS.

HTH.

Portu.

Please rate any helpful posts.

ilukeberry
Level 1

Could you write me an example for this scenario:

enable secret 4 g0rpmgGc.WRIwoCfStjriwwUU8l80hSfH.a65o75m0g
!
aaa new-model
!
aaa authentication login default local
aaa authentication login sslvpn local
!
aaa session-id common
!
username admin secret 4 g0rpmgGc.WRIwoCfStjriwwUU8l80hSfH.a65o75m0g
username luka secret 4 g0rpmgGc.WRIwoCfStjriwwUU8l80hSfH.a65o75m0g

Now I'd like to configure aaa so that user luka can only use VPN SSL and not log in to the router via ssh.

Let me check it as soon as I have a chance

I'd be extremely grateful if you could do that