AAA Local Database | Restricting Access

I have been playing around with ipsec and ezvpn configurations over the last couple of days; it's been interesting. However, after putting a simple config in my router

aaa new-model
aaa authentication login local_list local
aaa authorization network local_list local
aaa session-id common
!
username cisco password 0 cisco
username vpn password 0 vpn
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2

etc...

I noticed my telnet sessions to the same router started to prompt me for a username/password, not just the line password anymore... which makes sense, as I enabled AAA.

But then I got to thinking: if I was using the local database for VPN authentication AND the local database for telnet/ssh authentication to the router, can I delegate which usernames have access to which services?

I know I can restrict the ability to connect via telnet/ssh with the access-group or access-class command, or restrict vty access by manipulating privilege levels. But what I would like to know is whether there is a way to say UserA is part of AAA list A, UserB is part of AAA list B, etc.

Therefore giving me the ability to associate access to a service on a group basis.

I was hoping this command would give me what I am looking for... but no go.

CSR_R2(config)#username vpn aaa attribute list local_list
CSR_R2(config)#do show run | in vpn|aaa|username
aaa new-model
aaa authentication login local_list local
aaa authorization network local_list local
aaa session-id common
username cisco password 0 cisco123
username vpn password 0 vpn
username vpn2 password 0 vpn2
 pool vpn2pool

Thoughts / Comments?
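The exposure behind the question, as an added example that is not part of the original post: a `local` method in an AAA method list accepts any username in the router's local database, so once both the login list and the network (VPN) list point at `local`, every local account is valid for both services. The script below (Python, written for this page, not a Cisco tool) parses a constructed running-config excerpt shaped like the one above, maps each method list to the service that uses it, lists which local usernames each local-backed service therefore accepts, and flags `password 0` (type 0, plaintext) credentials. The sample config, the `ops` user and its `$1$PLACEHOLDER` hash are constructed for the demonstration.

```python
"""Audit a Cisco IOS config excerpt for shared local-database exposure.

Added example, not from the forum thread. Assumptions: config lines follow the
`username NAME password|secret TYPE VALUE` and
`aaa authentication|authorization SERVICE LISTNAME METHODS...` forms seen
on the page; the sample below is constructed, including the `ops` user.
"""
import re

# Constructed sample in the style of the post's `show run` output.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login local_list local
aaa authorization network local_list local
aaa session-id common
!
username cisco password 0 cisco
username vpn password 0 vpn
username ops secret 5 $1$PLACEHOLDER
!
line vty 0 4
 login authentication local_list
 transport input ssh
"""

_USER_RE = re.compile(
    r"^username (\S+) (?:privilege \d+ )?(password|secret) (\d) (\S+)"
)
_AAA_RE = re.compile(r"^aaa (authentication|authorization) (\S+) (\S+) (.+)$")


def parse_config(text):
    """Return (users, method_lists).

    users: {name: {"store": "password"|"secret", "type": int}}
    method_lists: {(kind, service, listname): [method, ...]}
    """
    users = {}
    method_lists = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        m = _USER_RE.match(line)
        if m:
            name, store, enc_type, _value = m.groups()
            users[name] = {"store": store, "type": int(enc_type)}
            continue
        m = _AAA_RE.match(line)
        if m:
            kind, service, listname, methods = m.groups()
            method_lists[(kind, service, listname)] = methods.split()
    return users, method_lists


def shared_local_services(users, method_lists):
    """Map every (kind, service) whose list includes `local` to the
    sorted usernames it accepts. A `local` method does not bind users
    to a list, so the answer is always the whole local database."""
    accepted = sorted(users)
    result = {}
    for (kind, service, _listname), methods in method_lists.items():
        if "local" in methods:
            result[(kind, service)] = accepted
    return result


def plaintext_users(users):
    """Usernames stored with `password 0`, i.e. type-0 plaintext."""
    return sorted(
        name for name, info in users.items()
        if info["store"] == "password" and info["type"] == 0
    )


def report(text):
    """Human-readable findings for one config excerpt."""
    users, lists = parse_config(text)
    lines = []
    for (kind, service), names in sorted(shared_local_services(users, lists).items()):
        lines.append(f"{kind}/{service} is local-backed; accepts: {', '.join(names)}")
    for name in plaintext_users(users):
        lines.append(f"username {name}: type-0 plaintext password in config")
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved `show run` excerpt to see, per service, which accounts the shared local database exposes; the report makes the point of the thread concrete: the VPN-only `vpn` account is just as valid for the login service as the admin account `cisco`, and both are stored in plaintext.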
