How to manage SVC user accounts via CLI on Cisco 5510

I'm such a newbie to Cisco stuff. =) But I believe the best way to learn is still learning the fundamentals first.
I know that I can manage SVC user accounts via ASDM, but I can't seem to find any doc on managing them via CLI. Can anyone tell me the commands to create, rename, reset password, disable and delete SVC users via CLI? Not sure if it actually supports all these functions. Thank you.
0
Asked by golowai
1 Solution
 
MikeKane Commented:
Are you using local AAA, Radius, ldap?  
0
 
Texas_Billy Commented:
If you're talking about user accounts local on the ASA, you can do so with this command:

asa(config)# username jdoe password jdoepw privilege 15 <enter>  

"Privilege 15" specifies that this user can log into the firewall and do whatever he wants, obviously you want to limit that only to network admin personnel.  

The privilege levels can work in conjunction with TACACS, Radius, AD, etc, so I can't tell you what to put in for that.  But this command at the command line will add users, you can also delete them with the "no" form of this command.  --TX
0
 
golowai (Author) Commented:
Sorry, I should have explained myself clearly... we've purchased a Cisco ASA 5500 SSL VPN 10 User pack license and I want to create new user IDs and passwords for my users. Do I use the same method as creating a local ASA password? If so, how many privilege levels does it have? Is there any documentation that you guys can point me to? Thank you for being patient with me!!!
0
 
golowai (Author) Commented:
Hi Texas Billy, if I enter the following will that create a new webVPN user ID?

asa(config)# username jdoe password jdoepw privilege 2 <enter>

Also, can I tell what type of authentication we're using with the "sh run" command?

Thank you
0
 
Texas_Billy Commented:
It'll create a new webvpn user id IF your webvpn is configured to use the local user database on the ASA vs. active directory authentication, for example.  Do you know which one you're using?  

To specifically answer your question, however, as long as your webvpn is configured to use the local user database, then yes, this will most certainly create a webvpn capable user.  --TX
0
 
golowai (Author) Commented:
Looks like it was configured to use the ASA local user database, which leads to my other concern... the same user ID and password have access to ASDM via browser!!!!!! I've tried changing their privilege to 0 but that ID still has access to it. What can I do to prevent my users from accessing the firewall via their browser?
0
 
Texas_Billy Commented:
Oh, good gravy, you're right, I'm sorry.  I gave you bad advice, I'm embarrassed.  To do this, you need to specify that this account is for VPN, not for remote access to the firewall. To do so, you forget the privilege level, don't put one in; use the following commands:

asa(config)# username uname password unamepw <enter>
asa(config)# username uname attributes <enter>
asa(config-username)# service-type remote-access <enter>

That'll create a remote access-user, but not allow access to the asdm.  If you've already created user accounts that have access to asdm and want to get rid of them, just use the "no username username password usernamepw privilege 2" command.  

Sorry for the poor comments last time, I'm usually much more attentive than that.  --TX
0
 
golowai (Author) Commented:
I'm in "username uname attributes" but I don't see "service-type"? Below is all I get when I type in help.

username configuration commands:
  exit                     Exit from username attribute configuration mode
  group-lock               Enter name of an existing tunnel-group that the user
                           is required to connect with
  help                     Help for username configuration commands
  no                       Remove an attribute value pair
  password-storage         Enable/disable storage of the login password on the
                           client system
  vpn-access-hours         Enter name of a configured time-range policy
  vpn-filter               Enter name of user specific ACL
  vpn-framed-ip-address    Enter the IP address and the net mask to be assigned
                           to the client
  vpn-group-policy         Enter name of a group-policy to inherit attributes
                           from
  vpn-idle-timeout         Enter idle timeout period in minutes, enter none to
                           disable
  vpn-session-timeout      Enter maximum user connection time in minutes, enter
                           none for unlimited time
  vpn-simultaneous-logins  Enter maximum number of simultaneous logins allowed
  vpn-tunnel-protocol      Enter permitted tunneling protocols
  webvpn                   Configure user policy for WebVPN
0
 
golowai (Author) Commented:
by the way we're running ASA version 7.2.

Thank you
0
 
golowai (Author) Commented:
Hi Texas Billy,

under "asa(config)# username uname attributes <enter>"

I don't have "service-type" but I do see "service". Under "service" I can't seem to do much. It would be really great if you can tell me why I don't have "service-type". Thank you so much!!
0
 
golowai (Author) Commented:
Hi everyone, I've done a little reading and it looks like I can control this by using AAA. But I'm a little confused as to how to set this up. Does anyone have an example? Thank you so much guys!!
0
 
golowai (Author) Commented:
From what I've got on other sites... when using a local database there's no way of preventing users from logging in to ASDM via web access.
0
 
Texas_Billy Commented:
I'm sorry Golowai, I didn't realize that's what you were after.  If that's what you want, you can hide it from them by changing the port on which ASDM answers.  In this example, we'll pick 65000 as the port on which ASDM is listening.  The command is "http enable 65000".

Once you've done that, then to find ASDM, you have to go to https://firewallip:65000  - that'll be the only way to hit ASDM.

Whereas vpn users just go to port 443, they'll never see asdm, it won't respond to them.  --TX
0
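As an added example that is not part of this thread, here is a small Python audit over constructed "show running-config" lines: it lists local accounts that are not restricted with "service-type remote-access" (the accounts the thread found could still reach ASDM; note that, as the asker observed, "privilege 0" alone is not treated as a restriction) and reports the port "http server enable" is listening on. The sample config, usernames and passwords are made up for the example.

```python
import re

# Constructed sample of "show running-config" output; not from a real device.
SAMPLE_CONFIG = """\
username admin password 8Ry2YjIyt7RRXU24 encrypted privilege 15
username jdoe password jdoepw encrypted privilege 2
username vpnuser password abc123 encrypted
username vpnuser attributes
 service-type remote-access
 vpn-group-policy SSLVPN
username vpnonly7 password xyz encrypted privilege 0
http server enable 443
http 192.168.1.0 255.255.255.0 inside
"""

USER_LINE = re.compile(r"^username (\S+) password \S+(?: encrypted)?(?: privilege (\d+))?")
ATTR_LINE = re.compile(r"^username (\S+) attributes$")


def parse_local_users(config):
    """Map each local username to its privilege level and service-type (None if unset)."""
    users, current = {}, None
    for line in config.splitlines():
        m = USER_LINE.match(line)
        if m:
            name, priv = m.group(1), m.group(2)
            users.setdefault(name, {"privilege": None, "service_type": None})
            users[name]["privilege"] = int(priv) if priv is not None else None
            current = None
            continue
        m = ATTR_LINE.match(line)
        if m:  # following indented lines belong to this user's attributes
            current = m.group(1)
            users.setdefault(current, {"privilege": None, "service_type": None})
            continue
        if current and line.startswith(" "):
            m = re.match(r"^\s+service-type (\S+)", line)
            if m:
                users[current]["service_type"] = m.group(1)
            continue
        current = None  # any other top-level line ends the attributes block
    return users


def management_capable(users):
    """Names of local accounts not limited to VPN with 'service-type remote-access'."""
    return sorted(n for n, a in users.items() if a["service_type"] != "remote-access")


def asdm_port(config):
    """Port ASDM/HTTPS management listens on (443 when no port is given); None if disabled."""
    for line in config.splitlines():
        m = re.match(r"^http server enable(?: (\d+))?$", line.strip())
        if m:
            return int(m.group(1)) if m.group(1) else 443
    return None
```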
