03-12-2010 01:21 AM
I want to create a user, who can login to VPN however who is not able to login to ASA CLI or web management to view configuration. How do I achieve that? Thank you.
03-12-2010 08:28 AM
Hi,
Let's say that you have a local user configured on the ASA named cisco.
username cisco password xxxxxxx
You can restrict that user for only remote access by doing the following:
username cisco attributes
service-type remote-access
Federico.
03-12-2010 09:06 AM
Thank you for the reply. This is what I actually tried, show run gives for that user:
username cisco password abcabcabc encrypted
username cisco attributes
service-type remote-access
Despite that, the user can log in to the CLI of the ASA, execute enable and e.g. show run, which is very unwanted.
Any more ideas?
03-12-2010 09:17 AM
Is the user cisco member of the tunnel-group which you're connecting to?
username cisco password y9eO2nLogN8cTflM encrypted
username cisco attributes
service-type remote-access
memberof cisco
tunnel-group cisco type remote-access
tunnel-group cisco general-attributes
address-pool newpool
Federico.
03-12-2010 09:24 AM
I just made him member of that group, however no change, he can still login to the cli and do all the unwanted stuff.
03-12-2010 09:34 AM
I believe that if you lock that user to that group, you can restrict it.
username cisco attributes
service-type remote-access
memberof cisco
group-lock value cisco
Federico.
03-12-2010 09:43 AM
No luck. He can still login. Any more ideas?
03-12-2010 01:36 PM
You can also configure privileges, so that a user can access the ASA but only in user mode (cannot modify any settings).
Now, no matter which user the VPN client connects with, in order to access the ASA, it still needs the enable password, correct?
You can have the VPN clients connecting without them knowing how to get into privileged mode of the ASA, because they lack the enable password.
Federico.
06-18-2010 10:14 PM
The original "remote-access" attribute answer was correct, but that command assumes that you are using AAA for login management of the ASA. Ensure that AAA authentication and authorization are enabled on the ASA (as opposed to just telnetting in with the 'password xyz' command).
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authorization exec LOCAL
!
username testRAS password yLRmYA5FRKBhsE1j encrypted privilege 0
username testRAS attributes
service-type remote-access
-------------------------
telnet 192.168.1.1 (asa)
Username: testRAS
Password: ******
[ testRAS ] You do NOT have Admin Rights to the console !
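The point of the post above is that `service-type remote-access` does nothing until `aaa authorization exec` is on; without it, any local user that SSH/Telnet authenticates against lands at a CLI prompt and can `enable`. The following is an added example, not code from the thread or from Cisco: a small audit script that parses the plain "show run" text quoted in the posts and reports, per local user, whether that user still gets a management shell. The two sample configs are constructed to mirror the original poster's state and the corrected state from the 06-18-2010 reply; the rules it applies (service-type enforced only with exec authorization, default service-type admin, default privilege 2, remote-access denying SSH/Telnet/ASDM but not the serial console) are the documented ASA behaviour as this script models it.

```python
"""Audit a Cisco ASA running-config for local users who can still reach the
management CLI.  Added example, not code from the thread; it parses the plain
"show run" text the posts quote.  Model assumed (documented ASA behaviour):
'service-type' is enforced only when 'aaa authorization exec' is configured;
a user with no service-type is 'admin'; default privilege is 2; 'remote-access'
denies SSH/Telnet/ASDM but not the serial console."""
import re

# Attribute lines are matched by keyword as well as by indentation, because the posts lost their spaces.
ATTR_KEYWORDS = {"service-type", "memberof", "group-lock", "vpn-group-policy", "vpn-filter"}
USER_RE = re.compile(r"username (\S+) password \S+(?: encrypted| pbkdf2)?(?: privilege (\d+))?")
ATTR_RE = re.compile(r"username (\S+) attributes")
AUTHN_RE = re.compile(r"aaa authentication (ssh|telnet|http|enable) console (\S+)")
AUTHZ_RE = re.compile(r"aaa authorization exec (?:LOCAL|authentication-server)")


def parse_asa_config(text):
    """Return (aaa, users): management AAA settings and per-user attributes."""
    aaa = {"ssh": None, "telnet": None, "exec_authz": False}
    users = {}
    current = None  # user whose 'attributes' block we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = AUTHN_RE.match(line)
        if m:
            aaa[m.group(1)] = m.group(2)
            current = None
            continue
        if AUTHZ_RE.match(line):
            aaa["exec_authz"] = True
            current = None
            continue
        m = USER_RE.match(line)
        if m:
            user = users.setdefault(m.group(1), {"privilege": 2, "service_type": "admin"})
            user["privilege"] = int(m.group(2)) if m.group(2) else 2
            current = None
            continue
        m = ATTR_RE.match(line)
        if m:
            current = m.group(1)
            users.setdefault(current, {"privilege": 2, "service_type": "admin"})
            continue
        if current and (raw.startswith(" ") or line.split()[0] in ATTR_KEYWORDS):
            m = re.match(r"service-type (admin|nas-prompt|remote-access)", line)
            if m:
                users[current]["service_type"] = m.group(1)
            continue
        current = None  # any other top-level command ends the attributes block
    return aaa, users


def audit(text):
    """Map each local user to whether they get a management CLI shell, and why."""
    aaa, users = parse_asa_config(text)
    local_login = aaa["ssh"] == "LOCAL" or aaa["telnet"] == "LOCAL"
    findings = {}
    for name, u in users.items():
        if not local_login:
            shell, why = False, "SSH/Telnet do not authenticate against LOCAL users"
        elif not aaa["exec_authz"]:
            shell, why = True, "service-type NOT enforced: 'aaa authorization exec LOCAL' missing"
        elif u["service_type"] == "remote-access":
            shell, why = False, "service-type remote-access denies SSH/Telnet/ASDM"
        elif u["service_type"] == "nas-prompt":
            shell, why = True, "user EXEC only; enable refused under enable authentication"
        else:
            shell, why = True, "service-type admin (default), privilege %d" % u["privilege"]
        findings[name] = dict(u, shell=shell, reason=why)
    return findings


# Constructed sample configs modelled on the thread: the original poster's
# state (no exec authorization), and the state the 06-18-2010 reply recommends.
BROKEN_CONFIG = """\
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
username cisco password y9eO2nLogN8cTflM encrypted
username cisco attributes
service-type remote-access
memberof cisco
group-lock value cisco
tunnel-group cisco type remote-access
"""
FIXED_CONFIG = """\
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authorization exec LOCAL
username admin password xxxxxxxxxxxxxxxx encrypted privilege 15
username testRAS password yLRmYA5FRKBhsE1j encrypted privilege 0
username testRAS attributes
 service-type remote-access
"""
```

Running `audit(BROKEN_CONFIG)` flags `cisco` as still getting a shell, with the missing `aaa authorization exec LOCAL` as the reason, which is exactly the symptom the original poster reported; `audit(FIXED_CONFIG)` reports `testRAS` as denied and `admin` as a privilege-15 shell. Two caveats worth keeping in mind when reading the output: `remote-access` does not block the physical serial console, and if management login is sent to RADIUS/TACACS+ rather than LOCAL, the local user's attributes are irrelevant and the restriction has to be set on the AAA server instead.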
05-07-2014 09:14 AM
I got your answer on this page under heading "Add/Edit User Account > Identity"
http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/asdm60/user/guide/usrguide/aaasetup.html
It says,
Access Restriction—This section sets the management access level for a user. You must first enable management authorization using the Perform authorization for exec shell access option on the Configuration > Device Management > Users/AAA > AAA Access > Authorization tab.
So, I first enabled "Perform authorization for exec shell access" under Device Management > AAA Access > Authorization tab and then set the user to 'No access to ASDM' under User Accounts.