AAA authorization issue !

Unanswered Question
May 21st, 2008
User Badges:

hi all, i have a new network engineer who needs just show access to our routers. i am using cisco acs 3.3 ( windows ) to handle AAA. now i have given this user privilige 14 and he is able to show all the commands except show running-config. i need to provide him access to this command ( its important), since i cant do any authorization in priv 15 so any one has any idea how to achieve this in level 14 ?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Wantser1981_2 Wed, 05/21/2008 - 02:51
User Badges:

I am not sure on 3.3, but on 4.1 I would create a command authorisation set permitting only the use of the show command, but allowing the user to have priv15.

I have done this for our helpdesk.

You may want to create another group or so that you can dump future users in there with just "show" access.

Create the authorisation set, assign that set to the group and then dump that user into said group.

Hope this helps


Richard Burts Wed, 05/21/2008 - 07:06
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN


Be aware of a restriction in show running-config with privilege levels. You can grant access to show running-config but the person will not see things in show running that they do not have access to change. So if they can not change anything they will see pretty much nothing in show running. You might check on using show startup-config, which I believe does not have the same restriction.



illusion_rox Wed, 05/21/2008 - 20:12
User Badges:

Dear Rburts, i have tried using show startup-config but the parameter isnt simply there !! same with show running-config.

Wantser1981_2 Thu, 05/22/2008 - 01:16
User Badges:


Both show startup-config and show running-config are priv 15 level commands.

If you assign 15 as a level to the user and only authorise the command set of "show" and then arguments "permit running-config" it will allow your user to access these commands plus all other show commands. conf, clear etc etc will not be authorised so will fail.


illusion_rox Thu, 05/22/2008 - 02:15
User Badges:

hi Andy, i have tried this as well, i assigned the user level 15 and then only permitted him show running-config but it didnt work, i asked a question like this before also and some 1 told me that we cant do any type of filtering in level 15, its not possible, so wat u guys think ?

Thanks again for the feedback

Wantser1981_2 Thu, 05/22/2008 - 02:25
User Badges:

Well I am doing it so i would suggest that is untrue!

Whether it is slightly different in 3.3 though I am unsure.

I have attached a quick screen shot of the command set and group setting for allocating that command set to that group. Oddly, just adding the permit statement for running-config and interface has enabled all show commands only. You do need to specify running-config for it to work.

Might shed some light....



This Discussion