ASA - Restrict 'config t' for user & allow all show commands

tech_trac (Level 1)

Hi,

I would like to restrict 'config t' to user privilege level 5.

Currently when I do 'sh run all privilege level all | i command configure'

I can see the below

privilege cmd level 15 mode exec command configure

which I believe means only level 15 can do a config t. But even when the enable level is '5', I can enter config t and have all the change entries available.

We are not using TACACS+. The complete AAA configuration in the ASA is only the following:

aaa authentication ssh console LOCAL

aaa authentication serial console LOCAL

aaa authentication http console LOCAL

Also, if I would like to permit all show commands at a certain level, do I have to explicitly permit every show command to level 5, or is there any wildcard, i.e. to permit all 'show' commands within user/privileged mode to a particular level?

Please assist.

3 Replies

JORGE RODRIGUEZ (Level 10)

Thanks. It worked.

Still looking for an answer to the other question. When I enable the user at level 5, all show commands are restricted. And when I add 'privilege show level 5 mode exec command interface', only then can the user do show interface. Does it mean I would have to add all the show commands if I would like to permit 'show' to user level 5?

You have to define what commands level 5 is authorized for.

for example

if you want priv level 5 to be able to do show running-config then you tell the ASA:

privilege show level 5 mode exec command running-config

the same applies for interface as you have done.

privilege show level 5 mode exec command interface

you will have to go over this link for more thorough details

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1070306

Regards

Jorge Rodriguez
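Putting the two answers together, here is an added example of an ASA configuration fragment (not posted in the thread) that keeps 'configure terminal' at level 15 and grants a level-5 user a fixed set of show commands. It assumes the three 'aaa authentication ... LOCAL' lines from the original post are already present; the username 'ops-viewer' and the password placeholder are made up for the example.

```text
! Added example, not from the thread. Assumes the three
! "aaa authentication ... console LOCAL" lines are already configured.

! Per-command privilege levels are only enforced once command
! authorization is turned on. Without this line the ASA ignores the
! "privilege ... level" entries, which is why an enable level of 5
! could still enter configure terminal.
aaa authorization command LOCAL

! Keep configuration mode at level 15 (the default shown by
! "sh run all privilege level all | i command configure").
privilege cmd level 15 mode exec command configure

! Local operator account bound to privilege level 5.
! <PASSWORD> is a placeholder, not a real credential.
username ops-viewer password <PASSWORD> privilege 5

! There is no wildcard for "show *": every show subcommand that
! level 5 may run has to be granted one line at a time.
privilege show level 5 mode exec command running-config
privilege show level 5 mode exec command interface
privilege show level 5 mode exec command version
privilege show level 5 mode exec command xlate

! Verification from the level-5 session:
!   show curpriv          -> reports the current privilege level (5)
!   configure terminal    -> should now be rejected as unauthorized
!   show interface        -> allowed, because it was granted above
```

Any show subcommand not listed (for example 'show access-list') stays at its default level and is refused to the level-5 user until a matching 'privilege show level 5 ...' line is added.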