ASA - Restrict 'config t' for user & allow all show commands

Jun 16th, 2009

Hi,


I would like to restrict 'config t' to user privilege level 5.


Currently when I do 'sh run all privilege level all | i command configure'


I can see the below


privilege cmd level 15 mode exec command configure


which I believe means only level 15 can do a config t. But even when the enable level is '5', I can enter config t and have all the change entries available.


We are not using TACACS+. The complete AAA configuration in the ASA is only the following


aaa authentication ssh console LOCAL

aaa authentication serial console LOCAL

aaa authentication http console LOCAL


Also, if I would like to permit all show commands at a certain level, do I have to explicitly permit every show command to level 5, or is there any wildcard, i.e. a way to permit all 'show' commands within user/privileged mode to a particular level?


Please assist.

tech_trac Tue, 06/16/2009 - 21:51
Thanks. It worked.


Still looking for an answer to the other question. When I enable the user at level 5, all show commands are restricted, and only when I add 'privilege show level 5 mode exec command interface' can the user do show interface. Does it mean I would have to add all the show commands if I would like to permit 'show' to user level 5?

JORGE RODRIGUEZ Wed, 06/17/2009 - 12:04

You have to define what commands level 5 is authorized for.


for example


if you want priv level 5 to be able to do show running-config then you tell the ASA:


privilege show level 5 mode exec command running-config


the same applies for interface as you have done.


privilege show level 5 mode exec command interface



you will have to go over this link for more thorough details


http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1070306



Regards

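For readers landing on this thread later, here is the complete local-AAA configuration that ties the pieces above together. This is an added example, not configuration from the original posters or from Cisco's documentation; the usernames and passwords are placeholders, and it assumes the ASA 8.0 syntax the linked guide describes. The important piece the thread only implies is 'aaa authorization command LOCAL': the per-command privilege table is only enforced once command authorization is switched on, and until then every enable level can still enter 'configure terminal' regardless of what 'privilege cmd level 15 mode exec command configure' says.

```text
! Local users. The privilege value is only honoured once command
! authorization (below) is enabled. Passwords are placeholders.
username netops password ChangeMe5 privilege 5
username admin password ChangeMe15 privilege 15

! Enable passwords per level, so 'enable 5' lands the operator at level 5.
enable password ChangeMeEnable5 level 5
enable password ChangeMeEnable15

! Authentication as already configured in the thread.
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication http console LOCAL

! Enforce the privilege table against the local user database.
! Without this line the 'privilege' commands below have no effect.
! Make sure a level-15 local user exists before adding it, or you
! can lock yourself out of configuration mode.
aaa authorization command LOCAL

! Keep 'configure terminal' at level 15 (this is the default; shown
! explicitly so the intent is visible in 'show running-config privilege').
privilege cmd level 15 mode exec command configure

! There is no wildcard for 'show': each subcommand that level 5 should
! see has to be lowered individually.
privilege show level 5 mode exec command running-config
privilege show level 5 mode exec command interface
privilege show level 5 mode exec command version
privilege show level 5 mode exec command logging
privilege show level 5 mode exec command route
privilege show level 5 mode exec command access-list
```

To check it, SSH in as the level-5 user, run 'enable 5', then 'show curpriv' to confirm the session is at level 5. 'show running-config' and 'show interface' should now work, while 'configure terminal' should be refused with a command authorization failure. 'show running-config privilege' lists only the non-default assignments, which is a convenient way to audit what has been lowered below 15.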