Tuesday, March 31, 2015

ASA Remote Access User Prevent SSH Access

When configuring a remote access VPN on an ASA, there are times when an external authentication server (RADIUS, TACACS+, etc) is not available.  In this case, the local AAA database can be used:
asa01(config)# username vpnuser password p@ssw0rd privilege 0
asa01(config)# username vpnuser attributes
asa01(config-username)# service-type remote-access
asa01(config-username)# exit
You might think that specifying privilege 0 and service-type remote access as shown above would be enough to prevent this user from logging in through SSH.  However, this may not be the case.  Let's look at the following example:
asa01# sh run user vpnuser
username vpnuser password jpCK6VfivhvBp0Pn encrypted privilege 0
username vpnuser attributes
 service-type remote-access
asa01# sh run aaa
aaa authentication ssh console LOCAL
aaa authorization exec LOCAL
With this configuration, it is still possible for "vpnuser" to log in through SSH:
vpnuser@asa01's password:
login as: vpnuser
vpnuser@asa01's password:
Type help or '?' for a list of available commands.
This is possible because the above configuration only specifies AAA authentication, not authorization.  Therefore the local user account's password is checked against the local database, but no check is performed to determine whether or not this local user is authorized for EXEC shell access.  This behavior can be changed by enabling management authorization with the following command:
asa01(config)# aaa authorization exec LOCAL
Now if we attempt to log in with this same account, the login will fail:
login as: vpnuser
vpnuser@asa01's password:
Access denied
vpnuser@asa01's password:

The ASA configuration guide goes into more detail about this feature here: