• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 307
  • Last Modified:

Cisco 837 VPN User access

Hello,
I've a Cisco 837 acting as a VPN server for two Cisco VPN client software and I would like to restric the users to have only access to VPN.
The users I create with "username test password **" have access to VPN and to the router configuration also! I need to restrict them to VPN only authentication.

Is that possible ?
0
diegogalletti
Asked:
diegogalletti
  • 4
  • 3
1 Solution
 
mikebernhardtCommented:
Try
username test privilege 0 password ***
privilege exec level 1 enable

By default you can go to enable mode from privilege level 0. but a normal login puts you at privilege level 1. The 2nd line means that users below level 1 won't have access to the "enable" command. User test will be at level 0 when they authenticate. So when the VPN users authenticate they can't do anything on the router but their traffic can still pass through.

We do this with our router-router ISDN authentication so if someone guesses the password they still won't have router privileges.
0
 
diegogallettiAuthor Commented:
Thank you I tried it now but no way.
The new user are "username test privilege 0 password..." but they are able to enable with the enable password.
maybe something to change in "privilege exec level 1 enable" ??

Thanks
0
 
mikebernhardtCommented:
No, that should do it. Try telnetting to the router and logging in as user test. Type "show privilege." It shoulnd't even recognize the word "show.". Then try to get into enable mode and it should fail on that too. If you get an answer to show privilege, tell me what it says and also post your config here, minus actual passwords. If you can, just post the output of "show runn | include privilege"
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

 
diegogallettiAuthor Commented:
Ok, this is a cut of config:

!
version 12.3
no service pad
no service timestamps debug uptime
service timestamps log datetime
service password-encryption
!
hostname IW-837
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
logging buffered 32000 informational
no logging console
no logging monitor
enable secret 5 ****************************
!
username test privilege 0 secret 5 **********************
.....................................



AND THIS WHAT HAPPEN WHEN I LOG ON WITH THAT USER:

IW-837>show privi
IW-837>show privi
Current privilege level is 1
IW-837>ena
Password:
IW-837#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
IW-837(config)#exit
IW-837#sho pri
Current privilege level is 15
IW-837#

Suggestion ??
0
 
mikebernhardtCommented:
I think it's a bug in IOS. In 12.2 mainline it works. But in IOS that has the "secret" feature enhancement for the username command- which includes your 12.3 software, the privilege level argument doesn't seem to work even if you don't use the "secret" argument. I set it both to 0 and to 2, and the router ignores it. I'm actually going to tell Cisco about it, it's definitely a bug.
0
 
mikebernhardtCommented:
How do you usually log into the router? Do you use the username command yourself, or something else? I'm wondering if we can create a workaround...
0
 
diegogallettiAuthor Commented:
Hi,
the ios is 12.3(7) ! I'm able to access Cisco and update again the ios.
I use ssh to access the router.

What do you think ?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: CompTIA Healthcare IT Tech

This course will help prep you to earn the CompTIA Healthcare IT Technician certification showing that you have the knowledge and skills needed to succeed in installing, managing, and troubleshooting IT systems in medical and clinical settings.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now