
minimum privilege to LOCAL account for AnyConnect


Hi all,

What is the minimum privilege level to assign to a username account on an ASA 5505 to grant access with AnyConnect?

username ...  privilege ?

Thanks in advance

Best Regards


Marcin Latosiewicz
Cisco Employee

Typically we perform only authentication against the local user DB; there is no additional requirement for privilege level to authorize SVC/AC sessions.

Hi Parker,

The privilege level does not control the AnyConnect authentication.

Instead, you could use local authorization using username attributes.

ASA5510(config)# username cisco attributes

ASA5510(config-username)# vpn-simultaneous-logins 0

By doing this, the username cisco will not be able to establish any VPN connections.

Or to only allow it to connect with the AnyConnect client:

ASA5510(config)# username cisco attributes

ASA5510(config-username)# vpn-tunnel-protocol ssl-client

In case you do not have any further questions please mark this post as answered.


Please rate any helpful posts.

Karsten Iwen
VIP Mentor

Do you want to make sure that your VPN users can't log in to the ASA CLI and ASDM? Then you can configure the service-type for the user:

username vpn-user attributes

  service-type remote-access

For that to work you need to have your local authentication and authorization set to the following:

aaa authentication http console LOCAL

aaa authorization exec LOCAL

Don't stop after you've improved your network! Improve the world by lending money to the working poor:

Thanks for adding more details and options Karsten
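
The settings from the replies above can be checked across all local accounts at once. The following Python script is an added example, not part of any reply in this thread and not Cisco tooling: it reads a running-config excerpt and reports which of the two `aaa` lines are missing, which users are not limited to `service-type remote-access`, and which users have VPN logins disabled. The sample config, the `<redacted>` password placeholders and the function names are constructed for illustration.

```python
import re

# Constructed sample running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
aaa authentication http console LOCAL
aaa authorization exec LOCAL
username admin password <redacted> privilege 15
username vpn-user password <redacted> privilege 0
username vpn-user attributes
 service-type remote-access
 vpn-tunnel-protocol ssl-client
username cisco password <redacted>
username cisco attributes
 vpn-simultaneous-logins 0
"""

# The two global lines the thread says must be present for service-type to be enforced.
REQUIRED_AAA = ("aaa authentication http console LOCAL",
                "aaa authorization exec LOCAL")

def parse_users(config):
    """Return {username: {attribute: value}} from 'username' lines and attribute blocks."""
    users, current = {}, None
    for line in config.splitlines():
        m = re.match(r"username (\S+) (\S.*)$", line)
        if m:
            name, rest = m.groups()
            attrs = users.setdefault(name, {})
            current = name if rest == "attributes" else None
            priv = re.search(r"\bprivilege (\d+)", rest)
            if priv:
                attrs["privilege"] = priv.group(1)
        elif current and line.startswith(" "):
            # Indented line inside a 'username X attributes' block.
            key, _, value = line.strip().partition(" ")
            users[current][key] = value
        else:
            current = None
    return users

def audit(config):
    """Return (missing aaa lines, users not remote-access-only, users with VPN logins disabled)."""
    lines = {l.strip() for l in config.splitlines()}
    missing = [c for c in REQUIRED_AAA if c not in lines]
    users = parse_users(config)
    mgmt = sorted(u for u, a in users.items() if a.get("service-type") != "remote-access")
    no_vpn = sorted(u for u, a in users.items() if a.get("vpn-simultaneous-logins") == "0")
    return missing, mgmt, no_vpn

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Any VPN-only account that shows up in the second list is a candidate for the `service-type remote-access` attribute described above.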
