1622 Views, 0 Helpful, 2 Replies

VPN user access to ASDM

ThomasMidtskog
Level 1

Hello everybody

I've inherited some old config, and I'm wondering about the VPN users created on an ASA 5545, software version 9.4(4)16.

Apparently, all VPN-users have been assigned privilege level 2, with ASDM/CLI-access.

When trying to disable ASDM/CLI-access, the users cannot log in to the VPN-client anymore.

Should a local/AAA-user on the ASA really have access to the ASDM/CLI/SSH to be able to log in to the VPN-client (AnyConnect)? How can I avoid this?

Accepted Solution

Marvin Rhoads
Hall of Fame

You can lower VPN users to privilege level 0 and then also specify the service-type to be remote-access only:

username <username here> password <plain text password> privilege 0
username <username here> attributes
 vpn-group-policy DfltGrpPolicy (or whatever)
 service-type remote-access

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/T-Z/cmdref4/u.html#pgfId-1830154


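The fix above is easy to apply to one account but hard to confirm across a "inherited" config with many local users. The following is an added audit script, not from the thread or from Cisco: it parses the username section of an ASA running-config (a constructed sample is embedded) and lists every local user who is not locked down to privilege 0 plus service-type remote-access, i.e. anyone who could still reach ASDM, SSH or the CLI with their VPN credentials. The default privilege of 2 used when a username line carries no privilege keyword is an assumption; admin accounts with service-type admin will, by design, show up in the report and should be reviewed deliberately.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of 'show running-config username' output (not from the thread).
# alice    : privilege 2, no service-type  -> can still reach ASDM/CLI
# bob      : privilege 0 + remote-access   -> the fix from the accepted answer
# netadmin : privilege 15 + service-type admin -> legitimate admin, still reported
SAMPLE_CONFIG = """\
username alice password ***** encrypted privilege 2
username alice attributes
 vpn-group-policy DfltGrpPolicy
username bob password ***** encrypted privilege 0
username bob attributes
 vpn-group-policy DfltGrpPolicy
 service-type remote-access
username netadmin password ***** encrypted privilege 15
username netadmin attributes
 service-type admin
"""

# 'username NAME password <hash> [encrypted|pbkdf2] [privilege N]'
USER_RE = re.compile(r"^username (\S+) password (.+?)(?: privilege (\d+))?$")
# 'username NAME attributes' opens an indented sub-mode block
ATTR_RE = re.compile(r"^username (\S+) attributes\s*$")


@dataclass
class AsaUser:
    name: str
    privilege: int = 2                   # assumed ASA default when no 'privilege' keyword
    service_type: Optional[str] = None   # None = no explicit service-type line
    group_policy: Optional[str] = None   # vpn-group-policy, if any


def parse_usernames(config: str) -> Dict[str, AsaUser]:
    """Collect privilege, service-type and group-policy per local username."""
    users: Dict[str, AsaUser] = {}
    current: Optional[AsaUser] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = USER_RE.match(line)
        if m:
            name, priv = m.group(1), m.group(3)
            user = users.setdefault(name, AsaUser(name))
            if priv is not None:
                user.privilege = int(priv)
            current = None
            continue
        m = ATTR_RE.match(line)
        if m:
            current = users.setdefault(m.group(1), AsaUser(m.group(1)))
            continue
        if line.startswith(" ") and current is not None:
            tokens = line.split()
            if tokens[0] == "service-type" and len(tokens) > 1:
                current.service_type = tokens[1]
            elif tokens[0] == "vpn-group-policy" and len(tokens) > 1:
                current.group_policy = tokens[1]
            continue
        current = None  # any other top-level line ends the attributes block
    return users


def audit_vpn_only(users: Dict[str, AsaUser]) -> List[Tuple[str, List[str]]]:
    """Report users that are not restricted to remote-access VPN use only."""
    findings: List[Tuple[str, List[str]]] = []
    for user in users.values():
        reasons = []
        if user.privilege != 0:
            reasons.append(f"privilege {user.privilege} (expected 0)")
        if user.service_type != "remote-access":
            reasons.append(
                f"service-type {user.service_type or 'not set'} (expected remote-access)"
            )
        if reasons:
            findings.append((user.name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_vpn_only(parse_usernames(SAMPLE_CONFIG)):
        print(f"{name}: " + "; ".join(reasons))
```

Feed it the output of `show running-config username` from the box; the users it reports are the ones to either fix with the two commands above or confirm as intended administrators.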

2 Replies


Thank you! Works fine now.