ASA - Restrict 'config t' for user & allow all show commands

Unanswered Question
Jun 16th, 2009

Hi,

I would like to restrict 'config t' to user privilege level 5.

Currently when I do 'sh run all privilege level all | i command configure'

I can see the below

privilege cmd level 15 mode exec command configure

which I believe means only level 15 can do a config t. But even when the enable level is '5', I can enter config t and have all the change entries available.

We are not using TACACS+. The complete AAA configuration in the ASA is only the following

aaa authentication ssh console LOCAL

aaa authentication serial console LOCAL

aaa authentication http console LOCAL

Also, if I would like to permit all show commands at a certain level, do I have to explicitly permit every show command to level 5, or is there any wildcard, i.e. a way to permit all 'show' commands within user/privileged mode to a particular level?

Please assist.

tech_trac Tue, 06/16/2009 - 21:51

Thanks. It worked.

Still looking for an answer to the other question. When I enable the user at level 5, all show commands are restricted, and only when I add 'privilege show level 5 mode exec command interface' can the user do show interface. Does it mean I would have to add all the show commands if I would like to permit 'show' to user level 5?

JORGE RODRIGUEZ Wed, 06/17/2009 - 12:04

You have to define what commands level 5 is authorized for.

for example

if you want priv level 5 to be able to do show running-config then you tell the ASA:

privilege show level 5 mode exec command running-config

the same applies for interface as you have done.

privilege show level 5 mode exec command interface

you will have to go over this link for more thorough details

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1070306

Regards
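Since every show command has to be listed individually, it helps to generate the grant lines from a list and to audit the resulting config for what a given level can actually run. The Python below is an added example written for this thread, not code from the original post or from Cisco; it parses lines in the 'privilege <cmd|show|clear> level N mode <exec|configure> command <name>' form shown above, applies the standard rule that a user at level N may run commands assigned level N or lower, and emits the 'privilege show level 5 ...' lines for a list of subcommands. The SAMPLE_CONFIG text is constructed for the example, and the fallback of treating 'configure' as a level-15 command when no entry is present is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample of 'show running-config all privilege' output (not taken from the post).
SAMPLE_CONFIG = """\
privilege cmd level 15 mode exec command configure
privilege show level 15 mode exec command running-config
privilege show level 5 mode exec command interface
privilege show level 5 mode exec command version
privilege clear level 10 mode exec command counters
"""

# One regex for the line shape used on the page: privilege <kind> level <n> mode <mode> command <name>
PRIV_RE = re.compile(
    r"^privilege\s+(?P<kind>cmd|show|clear)\s+level\s+(?P<level>\d+)"
    r"\s+mode\s+(?P<mode>\S+)\s+command\s+(?P<command>\S+)\s*$"
)


@dataclass(frozen=True)
class PrivEntry:
    kind: str      # cmd, show or clear
    level: int     # minimum privilege level required
    mode: str      # exec or configure
    command: str   # command or subcommand name


def parse_privileges(config_text):
    """Return the PrivEntry records found in a block of ASA running-config text."""
    entries = []
    for line in config_text.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            entries.append(PrivEntry(m["kind"], int(m["level"]), m["mode"], m["command"]))
    return entries


def allowed_for_level(entries, user_level, kind="show", mode="exec"):
    """Commands of the given kind a user at user_level may run (entry level <= user level)."""
    return sorted(
        e.command for e in entries
        if e.kind == kind and e.mode == mode and e.level <= user_level
    )


def config_t_allowed(entries, user_level):
    """Whether a user at user_level can enter 'configure terminal' under this config."""
    for e in entries:
        if e.kind == "cmd" and e.mode == "exec" and e.command == "configure":
            return user_level >= e.level
    # Assumption for the example: with no explicit entry, treat configure as level 15.
    return user_level >= 15


def grant_show_commands(subcommands, level):
    """Emit one 'privilege show ...' line per subcommand, in the syntax the thread uses."""
    return [f"privilege show level {level} mode exec command {c}" for c in subcommands]


if __name__ == "__main__":
    entries = parse_privileges(SAMPLE_CONFIG)
    print("show commands at level 5: ", allowed_for_level(entries, 5))
    print("show commands at level 15:", allowed_for_level(entries, 15))
    print("config t at level 5:", config_t_allowed(entries, 5))
    for line in grant_show_commands(["version", "interface", "running-config"], 5):
        print(line)
```

Running the audit against the real output of 'show running-config all privilege' makes it easy to see which show subcommands a level-5 user has been granted and which are still held at 15. One check worth making alongside it: the privilege entries only take effect once local command authorization is switched on ('aaa authorization command LOCAL' on a LOCAL-only setup like the one in the question); without it, any user who reaches an enable level can still run everything.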
