SSH local database question

We have enabled the Cisco AnyConnect feature on our ASA and currently have all the users locally in the ASA. My question is, can I limit which user(s) can log in using SSH? We currently have ACLs set up so that only 4 computers can get there, but I would feel more comfortable if I could limit users. Is there a way? Thank you in advance.

Hello Jesse

It is possible to limit user CLI and ASDM access based on the user logging in. This can be done for RADIUS, LDAP, TACACS+ as well as for the local database, using management authorization.

Specifically, you must set the service-type of each user. By default, the service type is admin which gives access to any services specified by the aaa authentication console command. This must be changed like so for the specific user:

hostname(config-username)# service-type remote-access

The remote-access keyword denies management access. The user cannot use any services specified by the aaa authentication console LOCAL commands.

More information about this can be found at the following Cisco documentation:

I hope this has been helpful!

Laz
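As an added illustration (not part of the thread or Cisco's own documentation), the following constructed ASA configuration fragment puts the above together: a local AnyConnect-only user alongside a local administrator. It assumes management authorization is enabled with aaa authorization exec LOCAL, which is what makes the service-type attribute take effect for SSH logins; all usernames, passwords, policy names and addresses are placeholders.

```cisco
! Constructed example: local users with management authorization on an ASA.
! Usernames, passwords, group-policy name and subnet are placeholders.

! Authenticate SSH and ASDM logins against the local database
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL

! Enable management authorization for local users. Without this line the
! service-type attribute below is not enforced and every local user
! that authenticates can still reach the CLI.
aaa authorization exec LOCAL

! Keep the existing source restriction: only the management subnet may open SSH
ssh 192.0.2.0 255.255.255.0 inside

! AnyConnect user: VPN access only, no CLI or ASDM (serial console is still allowed)
username vpnuser1 password <VPN_USER_PASSWORD> privilege 0
username vpnuser1 attributes
 service-type remote-access
 vpn-group-policy <ANYCONNECT_GROUP_POLICY>

! Administrator: full management access (admin is the default, set explicitly here)
username netadmin password <ADMIN_PASSWORD> privilege 15
username netadmin attributes
 service-type admin
```

After applying it, test from a permitted management host that vpnuser1 is rejected at the SSH prompt while netadmin still gets a CLI, and check the syslog for the denied login so the event is visible to monitoring.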

Hi Laz, this was extremely helpful… Just so I'm clear, as I am reading the documentation as well, enabling remote access will only allow the user network access (VPN)?

Hello Jesse

Glad to hear that it was of help. Yes, that is the case. You can see from this section of the documentation that:

The remote-access keyword denies management access. The user cannot use any services specified by the aaa authentication console LOCAL commands (excluding the serial keyword; serial access is allowed).

I hope this has been helpful!

Laz

Thank you so much Laz. This helped a lot. I am glad I found this site.
