06-16-2009 06:10 AM - edited 03-11-2019 08:44 AM
Hi,
I would like to restrict 'config t' to user privilege level 5.
Currently when I do 'sh run all privilege level all | i command configure'
I can see the below
privilege cmd level 15 mode exec command configure
which I believe means only level 15 can do a config t. But even when the enable level is '5', I can enter config t and have all the change entries available.
We are not using TACACS+. The complete AAA configuration in the ASA is only the following:
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
Also, if I would like to permit all show commands at a certain level, do I have to explicitly permit every show command to level 5, or is there any wildcard, i.e. to permit all 'show' commands within user/privileged mode to a particular level?
Please assist.
06-16-2009 01:13 PM
Most likely you are missing the aaa authorization command. See the link below and the links within it.
Regards
06-16-2009 09:51 PM
Thanks. It worked.
Still looking for answer to the other question. When I enable the user at level 5, all show commands are restricted. And when I add 'privilege show level 5 mode exec command interface', only then the user can do show interface. Does it mean I would have to add all the show commands if I would like to permit 'show' to user level 5.
06-17-2009 12:04 PM
You have to define what commands level 5 is authorized for.
For example:
If you want priv level 5 to be able to do show running-config then you tell the ASA:
privilege show level 5 mode exec command running-config
The same applies for interface, as you have done.
privilege show level 5 mode exec command interface
You will have to go over this link for more thorough details:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1070306
Regards
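Pulling the thread together, here is an added worked ASA configuration for a view-only level-5 operator. It is constructed for this page and is not the posters' own configuration or Cisco documentation; the username, password and the choice of commands granted are assumptions, and the `aaa authentication` lines and the two `privilege show` lines are the ones quoted in the thread.

```cisco
! Constructed example, not from the thread: ASA 8.x local command
! authorization for a level-5 operator who may look but not configure.

! 1. Local user pinned to privilege level 5 (name and password are placeholders).
!    If operators instead escalate with 'enable 5', give that level its own
!    secret with: enable password CHANGEME level 5
username viewer password CHANGEME privilege 5

! 2. Authenticate management sessions against the local user database
!    (the three lines the first poster already had).
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication http console LOCAL

! 3. Without this line the privilege table is never consulted, so a level-5
!    user can still enter 'configure terminal' (the symptom in the first post).
aaa authorization command LOCAL

! 4. Grant exactly the show commands level 5 needs. There is no wildcard for
!    'show *'; each sub-command must be listed individually.
privilege show level 5 mode exec command running-config
privilege show level 5 mode exec command interface

! 5. 'configure' keeps its default level of 15 (visible with
!    'show running-config all privilege'), so 'config t' is denied at level 5.
privilege cmd level 15 mode exec command configure
```

After applying it, confirm the effective table with `show running-config all privilege`, then log in as the level-5 user from a second session (keeping the level-15 session open in case authorization locks you out) and check that `show interface` works while `configure terminal` is refused. Note that granting `show running-config` at level 5 exposes the entire configuration, including password hashes and pre-shared keys, so decide deliberately whether that belongs in a restricted view-only role.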