3. Cisco 1921 - SSLVPN authenticaion with local database

Cisco 1921 - SSLVPN authenticaion with local database

That doesn't really separate the local database into two groups. The concern is that users in the local database have management access to the device - that config just points the new AAA method SSL_AUTHEN toward the local database that already exists. VPN users still have to exist in the local database and thus still have management access if management access is granted to local users.

As far as I know, IOS doesn't have any way to restrict specific users from specific services. You can define CLI privilege levels for individual users, effectively disabling all commands (see below), but you can't give some local users exec shell access while flat-out denying exec shell access to other local users. This is what RADIUS and TACACS are for.

--

username <username> privilege level 0 secret <password>
privilege exec level 1 enable

This sets the required privilege level of the enable command to 1, as opposed to the default of 0. It also creates a user with privilege level 0. The user will be able to SSH to the router, but won't be able to do anything:

R1>?
Exec commands:
  <1-99>   Session number to resume
  disable  Turn off privileged commands
  exit     Exit from the EXEC
  help     Description of the interactive help system
  logout   Exit from the EXEC

R1>

It's not an elegant solution, but it's the closest you'll get while still keeping the VPN users in the local database.

Aside from that, you should also restrict management access via ACL. That's a much simpler solution, assuming your management workstations have predictable IP addresses (they should).

/r/Cisco Thread Parent
Previous
Next

Recently removed from /r/Cisco

AI Threatening jobs cisco 9971 question Cisco certs Syslog across VPN? What does a network engineer do? Troubleshooting Anyconnect BB10 client, It connects but pinging fails. Other clients work fine. How can i get the ip addr of a switch or router without the sh run command? Unable to ping 2950 from 3750 via trunk BT infinity open reach with Cisco 2800 series SF 300 + IP helper Blocking GoToAssist with Cisco ASA As I'm sitting here on a P1

More Random Comments

Looking for contributors and/or sponsors for open source game engine written in LuaJIT American guy is surprised when he gets a realistic hospital bill in forgein country Illegal or just immoral? HBO film explores Michelle Carter’s texting suicide case Canadians Abandon Home Ownership Thanks to Mortgage Restrictions So i just started the game today how’s my team? The Imperial Council - /r/eu4 Weekly General Help Thread: July 1 2019 A lot of people believe that when death touch is the most painful moment, people will be able to come back to life who have already died. Yet, most people don't come back. Is the feeling the same? "All women pornstars are all infact men!", claims bold new mind in /r/Transvestigation [Serious]Former teens who went to wilderness camps, therapeutic boarding schools and other "troubled teen" programs, what were your experiences? /r/Communism is openly denying the Soviet Genocides, Mao's Genocides, and blaming the Tiananmen Square protests on the Students and needs to be banned. I (24F) just found out that my boyfriend (27M) lied about volunteering with work to play video games [University Math: Linear Algebra] How to find the dimension of a vector space? Can't use BootP to set IP on a MicroLogix 1100 【m】Mastery Survey - 5★ Magicite Dungeon, Dark Odin (Lightning Vuln.) Looking for Partners MEGATHREAD!