10-18-2012 02:12 AM - edited 02-21-2020 06:25 PM
Hi all,
What is the minimum privilege level to assign to a username account on an ASA 5505 to grant access with AnyConnect?
username ... privilege ?
Thanks in advance
Best Regards
10-18-2012 04:26 AM
Typically we perform only authentication against the local user DB; there is no additional requirement for a privilege level to authorize SVC/AC sessions.
10-18-2012 05:40 AM
Hi Parker,
The privilege level does not control the AnyConnect authentication.
Instead, you could use local authorization using username attributes.
ASA5510(config)# username cisco attributes
ASA5510(config-username)# vpn-simultaneous-logins 0
By doing this, the username cisco will not be able to establish any VPN connections.
Or to only allow it to connect with the AnyConnect client:
ASA5510(config)# username cisco attributes
ASA5510(config-username)# vpn-tunnel-protocol ssl-client
In case you do not have any further questions, please mark this post as answered.
Thanks.
Please rate any helpful posts.
10-18-2012 05:56 AM
Do you want to make sure that your VPN users can't log in to the ASA CLI and ASDM? Then you can configure the service-type for the user:
username vpn-user attributes
service-type remote-access
For that to work you need to have your local authentication and authorization set to the following:
aaa authentication http console LOCAL
aaa authorization exec LOCAL
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
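An added example, not from the thread and not Cisco's own tooling: a small Python audit of a constructed ASA running-config excerpt that checks the accounts you intend to be AnyConnect-only for the attributes described in the two answers above (service-type remote-access together with aaa authorization exec LOCAL, vpn-tunnel-protocol ssl-client, and vpn-simultaneous-logins). The hostname, usernames and the HASHPLACEHOLDER password hash are constructed; the privilege default of 2 used when a username line carries no privilege keyword is assumed here.

```python
"""Audit ASA local usernames intended for AnyConnect-only use.

Added example for this thread; the sample config below is constructed,
not taken from any real ASA.
"""
import re
from dataclasses import dataclass, field

# Constructed sample running-config excerpt; hostname, users and hashes are made up.
SAMPLE_CONFIG = """\
hostname ASA5505
aaa authentication http console LOCAL
aaa authorization exec LOCAL
username admin password HASHPLACEHOLDER encrypted privilege 15
username vpn-user password HASHPLACEHOLDER encrypted privilege 0
username vpn-user attributes
 service-type remote-access
 vpn-tunnel-protocol ssl-client
username contractor password HASHPLACEHOLDER encrypted privilege 15
username contractor attributes
 vpn-simultaneous-logins 0
username helpdesk password HASHPLACEHOLDER encrypted privilege 3
"""


@dataclass
class LocalUser:
    name: str
    privilege: int = 2  # assumed ASA default when no privilege keyword is present
    attributes: dict = field(default_factory=dict)  # lines under "username X attributes"


def parse_usernames(config: str) -> dict[str, LocalUser]:
    """Collect username lines and their indented attribute sub-mode lines."""
    users: dict[str, LocalUser] = {}
    current = None  # user whose "attributes" sub-mode we are currently inside
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"username (\S+) attributes$", line)
        if m:
            current = users.setdefault(m.group(1), LocalUser(m.group(1)))
            continue
        m = re.match(r"username (\S+) password ", line)
        if m:
            user = users.setdefault(m.group(1), LocalUser(m.group(1)))
            priv = re.search(r"privilege (\d+)$", line)
            if priv:
                user.privilege = int(priv.group(1))
            current = None
            continue
        if current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current.attributes[key] = value
        else:
            current = None  # any other top-level line ends the sub-mode
    return users


def audit(config: str, vpn_only: set[str]) -> dict[str, list[str]]:
    """Return findings for each account that is meant to be VPN-only."""
    exec_authz_local = "aaa authorization exec LOCAL" in set(config.splitlines())
    users = parse_usernames(config)
    findings: dict[str, list[str]] = {}
    for name in sorted(vpn_only):
        issues: list[str] = []
        user = users.get(name)
        if user is None:
            findings[name] = ["not defined in local user database"]
            continue
        attrs = user.attributes
        # Privilege level does not gate AnyConnect; service-type is what blocks CLI/ASDM.
        if attrs.get("service-type") != "remote-access":
            issues.append(f"privilege {user.privilege} but no 'service-type remote-access': "
                          "management login not blocked")
        elif not exec_authz_local:
            issues.append("'service-type remote-access' needs 'aaa authorization exec LOCAL' "
                          "to be enforced")
        if "vpn-tunnel-protocol" not in attrs:
            issues.append("no 'vpn-tunnel-protocol ssl-client': tunnel protocols inherited "
                          "from group-policy")
        if attrs.get("vpn-simultaneous-logins") == "0":
            issues.append("'vpn-simultaneous-logins 0': VPN access is disabled for this account")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for account, problems in audit(SAMPLE_CONFIG, {"vpn-user", "contractor", "helpdesk"}).items():
        print(account, "->", problems or "OK")
```

Run it as-is to see that vpn-user passes cleanly while contractor and helpdesk are flagged; point it at your own `show running-config` output and the set of accounts you consider VPN-only to use it as a periodic check.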
10-18-2012 06:04 AM
Thanks for adding more details and options Karsten