Tags: vpn_user_priviledge
Hi,
Let's say that you have a local user configured on the ASA named cisco.
You can restrict that user for only remote access by doing the following:
service-type remote-access
Federico.
Thank you for the reply. This is what I actually tried, show run gives for that user:
Postings may contain unverified user-created content and change frequently. The content is provided as-is and
is not warrantied by Cisco.
VPN user ASA login
Despite that, the user can log in to the CLI of the ASA and execute enable and e.g. show run, which
is very unwanted.
Is the user cisco member of the tunnel-group which you're connecting to?
Federico.
I just made him a member of that group, however no change, he can still log in to the CLI and do
all the unwanted stuff.
I believe that if you lock that user to that group, you can restrict it.
Federico.
You can also configure privileges, so that a user can access the ASA but only in user
mode (cannot modify any settings).
Now, no matter which user the VPN client connects with, in order to access the ASA, it still
needs the enable password, correct?
You can have the VPN clients connecting without them knowing how to get into privilege
mode of the ASA, because they lack the enable password.
Federico.
The original "remote-access" attribute answer was correct, but that command assumes that
you are using AAA for login management of the ASA. Ensure that AAA authentication and
authorization are enabled on the ASA (as opposed to just telnet-ing in with the 'password
xyz' command).
service-type remote-access
-------------------------
Username: testRAS
Password: ******
Cheers,
Mark
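The dependency described in the reply above, as an added example that is not part of the original thread: a Python check over a saved "show run" output that lists users restricted with service-type remote-access and reports whether the AAA lines that make the ASA enforce that attribute at login are present. The "aaa authentication ... console" and "aaa authorization exec" command forms are standard ASA syntax assumed here, not quoted from the thread, and the sample config is constructed.

```python
import re

# Constructed sample running-config excerpt (not taken from the thread).
SAMPLE_CONFIG = """\
username admin password **** privilege 15
username cisco password **** privilege 0
username cisco attributes
 service-type remote-access
aaa authentication ssh console LOCAL
"""

def audit(config: str) -> dict:
    """List remote-access-only users and flag missing AAA management lines."""
    service_types = {}   # username -> configured service-type
    mgmt_authn = set()   # management channels that authenticate through AAA
    exec_authz = False   # True once 'aaa authorization exec ...' is seen
    current = None       # user whose 'attributes' sub-block we are inside
    for line in config.splitlines():
        if m := re.match(r"username (\S+) attributes\s*$", line):
            current = m.group(1)
        elif line.startswith(" ") and current:
            if m := re.match(r"\s+service-type (\S+)", line):
                service_types[current] = m.group(1)
        else:
            current = None  # any other top-level line closes the sub-block
            if m := re.match(r"aaa authentication (ssh|telnet|serial|http) console \S+", line):
                mgmt_authn.add(m.group(1))
            elif re.match(r"aaa authorization exec \S+", line):
                exec_authz = True
    restricted = sorted(u for u, s in service_types.items() if s == "remote-access")
    findings = []
    if restricted and not exec_authz:
        findings.append("no 'aaa authorization exec' line: service-type is not enforced")
    for chan in ("ssh", "telnet"):
        if restricted and chan not in mgmt_authn:
            findings.append(f"no 'aaa authentication {chan} console' line")
    return {"restricted_users": restricted, "findings": findings}

if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    print("remote-access-only users:", report["restricted_users"])
    for finding in report["findings"]:
        print("FINDING:", finding)
```

A finding for a management channel that is not enabled on the device at all can be ignored; the check only looks at which lines are present in the saved config.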