10-18-2012 02:12 AM - edited 02-21-2020 06:25 PM
Hi all,
what is the minimum privilege level to assign to a username account on an ASA 5505 to grant access with AnyConnect?
username ... privilege ?
Thanks in advance
Best Regards
10-18-2012 04:26 AM
Typically we perform only authentication against the local user DB; there is no additional privilege-level requirement to authorize SVC/AC sessions.
10-18-2012 05:40 AM
Hi Parker,
The privilege level does not control the AnyConnect authentication.
Instead, you could use local authorization using username attributes.
ASA5510(config)# username cisco attributes
ASA5510(config-username)# vpn-simultaneous-logins 0
By doing this, the username cisco will not be able to establish any VPN connections.
Or to only allow it to connect with the AnyConnect client:
ASA5510(config)# username cisco attributes
ASA5510(config-username)# vpn-tunnel-protocol ssl-client
In case you do not have any further questions please mark this post as answered.
Thanks.
Please rate any helpful posts.
10-18-2012 05:56 AM
Do you want to make sure that your VPN users can't log in to the ASA CLI and ASDM? Then you can configure the service-type for the user:
username vpn-user attributes
service-type remote-access
For that to work you need to have your local authentication and authorization set to the following:
aaa authentication http console LOCAL
aaa authorization exec LOCAL
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
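As an added example (not from this thread or from Cisco), the check a defender would run over a saved running-config to confirm which local users are restricted as the two replies above describe: who lacks `service-type remote-access` (and so can still reach the CLI/ASDM when exec authorization is LOCAL) and whose VPN logins are disabled with `vpn-simultaneous-logins 0`. The config excerpt and its usernames are constructed for the demonstration.

```python
import re

# Constructed ASA running-config excerpt (made up for this example, not from the thread).
SAMPLE_CONFIG = """\
aaa authentication http console LOCAL
aaa authorization exec LOCAL
username admin password ***** privilege 15
username vpn-user password *****
username vpn-user attributes
 service-type remote-access
 vpn-tunnel-protocol ssl-client
username cisco password *****
username cisco attributes
 vpn-simultaneous-logins 0
username contractor password *****
username contractor attributes
 vpn-tunnel-protocol ssl-client
"""

def parse_usernames(config):
    """Map each username to the key/value pairs under its 'username ... attributes' block."""
    users, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^username (\S+) attributes$", line)
        if m:
            current = users.setdefault(m.group(1), {})
            continue
        m = re.match(r"^username (\S+) password", line)
        if m:
            users.setdefault(m.group(1), {})
            current = None
            continue
        if current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None  # any other top-level line ends the attributes sub-mode
    return users

def exec_authorization_is_local(config):
    """service-type only takes effect for CLI/ASDM when exec authorization is LOCAL."""
    return bool(re.search(r"^aaa authorization exec LOCAL$", config, re.M))

def management_capable_users(config):
    """Local users not limited to 'service-type remote-access', i.e. still able to reach CLI/ASDM."""
    users = parse_usernames(config)
    return sorted(n for n, a in users.items() if a.get("service-type") != "remote-access")

def vpn_blocked_users(config):
    """Local users whose VPN logins are disabled via 'vpn-simultaneous-logins 0'."""
    users = parse_usernames(config)
    return sorted(n for n, a in users.items() if a.get("vpn-simultaneous-logins") == "0")
```

Run `management_capable_users(open("running-config").read())` against an exported config; every name it returns is one that should either be an intended admin or get `service-type remote-access` added.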
10-18-2012 06:04 AM
Thanks for adding more details and options Karsten