Privilege level on ASA 8.0 to remove capture (no capture)

Answered Question

Hello,

We have a RO user created with privilege level 5 (local authentication and command authorization enabled); it works fine for the other commands that are defined in privilege level 5. When we try to enable the capture commands for the level 5 user, it can enable/clear the capture but is not allowed to remove it.

bl-asa/cont2# sh curpriv
Username : rouser
Current privilege level : 5
Current Mode/s : P_PRIV
bl-asa/cont2#

bl-asa/cont2# sh cap
capture _ type raw-data [Capturing - 0 bytes]
capture cap_out type raw-data interface outside [Capturing - 0 bytes]
  match ip any host xx.yy.23.116
bl-asa/cont2#

bl-asa/cont2# clear cap cap_out
bl-asa/cont2#

bl-asa/cont2# no cap cap_out
                           ^
ERROR: % Invalid input detected at '^' marker.
ERROR: Command authorization failed
bl-asa/cont2#

Following are the commands that I enabled for capture:

privilege cmd level 5 mode exec command capture
privilege show level 5 mode exec command capture
privilege clear level 5 mode exec command capture

Could someone please tell me what privilege needs to be set to remove the capture, or whether I have missed anything in the config.

Thanks in advance!

cheers

jav

pbvijay77 Sun, 02/07/2010 - 22:21

Hi Jav

Could you add the following command and try.

privilege configure level 5 mode exec command capture

Hope it will help

Vijay

PS : privilege

To configure command privilege levels for use with command authorization (local, RADIUS, and LDAP (mapped) only), use the privilege command in global configuration mode. To disallow the configuration, use the no form of this command.

privilege [ show | clear | configure ] level level [ mode {enable | configure}] command command

no privilege [ show | clear | configure ] level level [ mode {enable | configure}] command command

Syntax Description

clear

(Optional) Sets the privilege only for the clear form of the command. If you do not use the clear, show, or configure keywords, all forms of the command are affected.

command command

Specifies the command you are configuring. You can only configure the privilege level of the main command. For example, you can configure the level of all aaa commands, but not the level of the aaa authentication command and the aaa authorization command separately.

Also, you cannot configure the privilege level of subcommands separately from the main command. For example, you can configure the context command, but not the allocate-interface command, which inherits the settings from the context command.

configure

(Optional) Sets the privilege only for the configure form of the command. The configure form of the command is typically the form that causes a configuration change, either as the unmodified command (without the show or clear prefix) or as the no form. If you do not use the clear, show, or configure keywords, all forms of the command are affected.

level level

Specifies the privilege level; valid values are from 0 to 15. Lower privilege level numbers are lower privilege levels.

mode enable

(Optional) If a command can be entered in user EXEC/privileged EXEC mode as well as configuration mode, and the command performs different actions in each mode, you can set the privilege level for these modes separately. The mode enable keyword specifies both user EXEC mode and privileged EXEC mode.

mode configure

(Optional) If a command can be entered in user EXEC/privileged EXEC mode as well as configuration mode, and the command performs different actions in each mode, you can set the privilege level for these modes separately. The mode configure keyword specifies configuration mode, accessed using the configure terminal command.

show

(Optional) Sets the privilege only for the show form of the command. If you do not use the clear, show, or configure keywords, all forms of the command are affected.

Hello Vijay,

Thanks for your input. I have already tried that, as suggested in the Cisco document:

privilege cmd level 5 mode exec command capture
privilege show level 5 mode exec command capture
privilege clear level 5 mode exec command capture

but the situation is still the same: I cannot remove the capture.

bl-asa/cont2# no cap cap_out
                           ^
ERROR: % Invalid input detected at '^' marker.
ERROR: Command authorization failed
bl-asa/cont2#

cheers

Farrukh Haroon Mon, 02/08/2010 - 01:35

Does 'no capture' (without the name) work?

Does the 'capture abcd' itself work?

Regards

Farrukh

Correct Answer
Farrukh Haroon Mon, 02/08/2010 - 03:20

You are hitting a Cisco Bug (CSCsl57533)

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsl57533&from=summary

You have to upgrade to any of the following:

1st Found-In
7.2(2)

Fixed-In
8.0(3.11)
8.1(1.2)
7.2(4)
7.2(3.23)
8.0(103.5)
7.0(7.12)
7.1(2.70)

Please rate if helpful.

Regards

Farrukh
