
VPN user ASA login

leos.pohl (4 posts since Mar 12, 2010)
I want to create a user who can log in to the VPN but who is not able to log in to the ASA CLI or
web management to view the configuration. How do I achieve that? Thank you.

Tags: vpn_user_priviledge

Federico Coto Fajardo (2,171 posts since Dec 4, 2009)

1. Re: VPN user ASA login, Mar 12, 2010 9:28 AM

Hi,

Let's say that you have a local user configured on the ASA named cisco.

username cisco password xxxxxxx

You can restrict that user for only remote access by doing the following:

username cisco attributes
service-type remote-access

Federico.

leos.pohl (4 posts since Mar 12, 2010)

2. Re: VPN user ASA login, Mar 12, 2010 10:06 AM

Thank you for the reply. This is what I actually tried; show run gives for that user:

Postings may contain unverified user-created content and change frequently. The content is provided as-is and
is not warrantied by Cisco.

username cisco password abcabcabc encrypted
username cisco attributes
service-type remote-access

Despite that, the user can log in to the CLI of the ASA and execute enable and e.g. show run, which
is very unwanted.

Any more ideas?

Federico Coto Fajardo (2,171 posts since Dec 4, 2009)

3. Re: VPN user ASA login, Mar 12, 2010 10:17 AM

Is the user cisco member of the tunnel-group which you're connecting to?

username cisco password y9eO2nLogN8cTflM encrypted
username cisco attributes
service-type remote-access
memberof cisco

tunnel-group cisco type remote-access
tunnel-group cisco general-attributes
address-pool newpool

Federico.

leos.pohl (4 posts since Mar 12, 2010)

4. Re: VPN user ASA login, Mar 12, 2010 10:24 AM

I just made him a member of that group; however, no change, he can still log in to the CLI and do
all the unwanted stuff.


Federico Coto Fajardo (2,171 posts since Dec 4, 2009)

5. Re: VPN user ASA login, Mar 12, 2010 10:34 AM

I believe that if you lock that user to that group, you can restrict it.

username cisco attributes
service-type remote-access
memberof cisco
group-lock value cisco

Federico.

leos.pohl (4 posts since Mar 12, 2010)

6. Re: VPN user ASA login, Mar 12, 2010 10:43 AM

No luck. He can still log in. Any more ideas?

Federico Coto Fajardo (2,171 posts since Dec 4, 2009)

7. Re: VPN user ASA login, Mar 12, 2010 2:36 PM

You can also configure privileges, so that a user can access the ASA but only in user
mode (cannot modify any settings).

Now, no matter which user the VPN client connects with, in order to access the ASA, it still
needs the enable password, correct?

You can have the VPN clients connecting without them knowing how to get into privileged
mode of the ASA, because they lack the enable password.

Federico.


Mark Walters (3 posts since Feb 15, 2010)

8. Re: VPN user ASA login, Jun 18, 2010 11:14 PM

The original "remote-access" attribute answer was correct, but that command assumes that
you are using AAA for login management of the ASA. Ensure that AAA authentication and
authorization are enabled on the ASA (as opposed to just telnet-ing in with the 'password
xyz' command).

aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authorization exec LOCAL

username testRAS password yLRmYA5FRKBhsE1j encrypted privilege 0
username testRAS attributes
service-type remote-access

-------------------------


telnet 192.168.1.1 (asa)

Username: testRAS
Password: ******
[ testRAS ] You do NOT have Admin Rights to the console !

Cheers,

Mark
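Mark's point above, that service-type remote-access only takes effect once AAA authentication and exec authorization are enabled, can be turned into a quick audit of a saved running-config. The script below is an added example, not code from this thread or from Cisco; it reads config text as pasted in the thread (the ssh/telnet access lines and both sample configs are constructed) and reports which of the conditions discussed here are missing.

```python
import re

def audit_asa_config(text):
    """Return findings; an empty list means VPN-only users are kept off the CLI."""
    enabled, authn, users = set(), set(), {}
    authz_exec, current = False, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"(ssh|telnet|http) \d", line):  # e.g. 'ssh 10.0.0.0 255.255.255.0 inside'
            enabled.add(m.group(1))
        elif m := re.match(r"aaa authentication (ssh|telnet|http) console \S+", line):
            authn.add(m.group(1))
        elif line.startswith("aaa authorization exec "):
            authz_exec = True
        elif m := re.match(r"username (\S+) (password|attributes)", line):
            current = m.group(1)
            users.setdefault(current, None)
        elif current and line.startswith("service-type "):
            users[current] = line.split()[1]  # indentation is lost in pasted configs, so don't rely on it
    findings = [f"{meth}: no 'aaa authentication {meth} console', so login does not use the user database"
                for meth in sorted(enabled - authn)]
    vpn_only = sorted(u for u, st in users.items() if st == "remote-access")
    if vpn_only and not authz_exec:
        findings.append("no 'aaa authorization exec': service-type remote-access is not enforced for "
                        + ", ".join(vpn_only))
    findings += [f"{u}: no service-type, so the user record does not restrict CLI access"
                 for u, st in sorted(users.items()) if st is None]
    return findings

# Constructed sample: the thread's failing case (service-type set, exec authorization missing)
BROKEN_CONFIG = """\
ssh 10.0.0.0 255.255.255.0 inside
telnet 10.0.0.0 255.255.255.0 inside
aaa authentication ssh console LOCAL
username cisco password y9eO2nLogN8cTflM encrypted
username cisco attributes
 service-type remote-access
"""

# Constructed sample: Mark's working configuration from the last post
FIXED_CONFIG = """\
ssh 10.0.0.0 255.255.255.0 inside
telnet 10.0.0.0 255.255.255.0 inside
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authorization exec LOCAL
username testRAS password yLRmYA5FRKBhsE1j encrypted privilege 0
username testRAS attributes
 service-type remote-access
"""
```

Run it against the output of show running-config; any finding it prints is one of the gaps discussed in this thread.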

