Privilege level on ASA 8.0 to remove capture (no capture)

Answered Question

Hello,


We have an RO user created with privilege level 5 (local authentication and command authorization enabled). It works fine for other commands that are defined in privilege level 5. When we try to enable capture commands for the level 5 user, it can enable/clear but isn't allowed to remove the capture.


bl-asa/cont2# sh curpriv
Username : rouser
Current privilege level : 5
Current Mode/s : P_PRIV
bl-asa/cont2#


bl-asa/cont2# sh cap
capture _ type raw-data [Capturing - 0 bytes]
capture cap_out type raw-data interface outside [Capturing - 0 bytes]
  match ip any host xx.yy.23.116
bl-asa/cont2#


bl-asa/cont2# clear cap cap_out
bl-asa/cont2#


bl-asa/cont2# no cap cap_out
                           ^
ERROR: % Invalid input detected at '^' marker.
ERROR: Command authorization failed
bl-asa/cont2#


Following are the commands that I enabled for capture


privilege cmd level 5 mode exec command capture
privilege show level 5 mode exec command capture
privilege clear level 5 mode exec command capture


Could someone please tell what privilege needs to be set to remove the capture, or whether I have missed anything in the config.


Thanks in advance!


cheers


jav


pbvijay77 Sun, 02/07/2010 - 22:21

Hi Jav

Could you add the following command and try.


privilege configure level 5 mode exec command capture


Hope it will help


Vijay


PS : privilege

To configure command privilege levels for use with command authorization (local, RADIUS, and LDAP (mapped) only), use the privilege command in global configuration mode. To disallow the configuration, use the no form of this command.

privilege [ show | clear | configure ] level level [ mode {enable | configure}] command command

no privilege [ show | clear | configure ] level level [ mode {enable | configure}] command command

Syntax Description

clear

(Optional) Sets the privilege only for the clear form of the command. If you do not use the clear, show, or configure keywords, all forms of the command are affected.

command command

Specifies the command you are configuring. You can only configure the privilege level of the main command. For example, you can configure the level of all aaa commands, but not the level of the aaa authentication command and the aaa authorization command separately.

Also, you cannot configure the privilege level of subcommands separately from the main command. For example, you can configure the context command, but not the allocate-interface command, which inherits the settings from the context command.

configure

(Optional) Sets the privilege only for the configure form of the command. The configure form of the command is typically the form that causes a configuration change, either as the unmodified command (without the show or clear prefix) or as the no form. If you do not use the clear, show, or configure keywords, all forms of the command are affected.

level level

Specifies the privilege level; valid values are from 0 to 15. Lower privilege level numbers are lower privilege levels.

mode enable

(Optional) If a command can be entered in user EXEC/privileged EXEC mode as well as configuration mode, and the command performs different actions in each mode, you can set the privilege level for these modes separately. The mode enable keyword specifies both user EXEC mode and privileged EXEC mode.

mode configure

(Optional) If a command can be entered in user EXEC/privileged EXEC mode as well as configuration mode, and the command performs different actions in each mode, you can set the privilege level for these modes separately. The mode configure keyword specifies configuration mode, accessed using the configure terminal command.

show

(Optional) Sets the privilege only for the show form of the command. If you do not use the clear, show, or configure keywords, all forms of the command are affected.
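Putting the reference text above together with the setup described in the question, here is a complete least-privilege configuration for a read-only operator who is allowed to run packet captures. This is an added example, not configuration posted by anyone in the thread; the account names and the `<password>` placeholder are assumptions. It uses only the local database for authentication and command authorization, so the `privilege` lines are what actually gate each form of `capture`.

```cisco
! Local accounts: the read-only operator gets level 5, the administrator level 15.
! <password> is a placeholder, not a value from the thread.
username admin password <password> privilege 15
username rouser password <password> privilege 5
!
! Authenticate SSH logins and 'enable' against the local database, and
! authorize every command locally so the privilege lines below are enforced.
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
!
! Open all three forms of 'capture' to level 5: the show form, the clear form
! and the configure form, which per the reference text covers both the bare
! 'capture' command and its 'no' form.
privilege show level 5 mode exec command capture
privilege clear level 5 mode exec command capture
privilege cmd level 5 mode exec command capture
```

To check it, log in as `rouser`, confirm `show curpriv` reports level 5 as in the question, then run `capture`, `show capture`, `clear capture <name>` and `no capture <name>` in turn. Two things to keep in mind: because the `no` form is already covered by the `cmd` (configure) line, a level 5 user who can create and clear a capture but cannot remove it is not missing a privilege line, which is consistent with the bug Farrukh's answer names. And `capture` lets the operator record full packet payloads on any interface named, so granting it to a "read-only" role is a data-disclosure decision, not just a convenience.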

Hello Vijay,


Thanks for your input. I have already tried that, as suggested in the Cisco document.



privilege cmd level 5 mode exec command capture
privilege show level 5 mode exec command capture
privilege clear level 5 mode exec command capture


but the situation is still the same, cannot remove the capture.


bl-asa/cont2# no cap cap_out
                           ^
ERROR: % Invalid input detected at '^' marker.
ERROR: Command authorization failed
bl-asa/cont2#


cheers

Farrukh Haroon Mon, 02/08/2010 - 01:35

Does 'no capture' (without the name) work?

Does the 'capture abcd' itself work?


Regards


Farrukh

Hello

Tried adding this command


privilege level 5 command cap



bl-asa/cont2#capture match ip  host host
bl-asa/cont2#capture interface


we are able to configure capture and also #clear cap


bl-asa/cont2#no cap --> doesn't work

bl-asa/cont2#no cap ---> works on admin account from privilege 15


thanks in advance!

Correct Answer
Farrukh Haroon Mon, 02/08/2010 - 03:20

You are hitting a Cisco Bug (CSCsl57533)


http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsl57533&from=summary


You have to upgrade to any of the following:


1st Found-In
7.2(2)       
           
Fixed-In
8.0(3.11)
8.1(1.2)
7.2(4)
7.2(3.23)
8.0(103.5)
7.0(7.12)
7.1(2.70)                                                          


Please rate if helpful.

Regards


Farrukh
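An added check, not part of the thread: a small Python helper that pulls the running version out of `show version` output and tells you whether the box is at or above the fixed-in build for its release train, using the fixed-in list from the answer above. It assumes that Bug Toolkit's `8.0(3.11)` notation denotes the same interim build that `show version` prints as `8.0(3)11`, and it treats the lowest fixed-in build on the running major.minor train as the threshold. The `show version` sample is constructed.

```python
import re

# Fixed-in builds for CSCsl57533 exactly as listed in the answer above
# (Bug Toolkit notation: maintenance and interim build inside the parentheses).
FIXED_IN = [
    "8.0(3.11)", "8.1(1.2)", "7.2(4)", "7.2(3.23)",
    "8.0(103.5)", "7.0(7.12)", "7.1(2.70)",
]

# Accepts Bug Toolkit form "8.0(3.11)" and 'show version' form "8.0(3)11" or "8.0(4)".
# Assumption: the two notations name the same build.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)(?:\.(\d+)\)|\)(\d+)?)$")


def parse_version(text):
    """Return (major, minor, maintenance, interim) for an ASA version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised ASA version: %r" % text)
    major, minor, maint, interim_bt, interim_sv = m.groups()
    interim = interim_bt or interim_sv or "0"
    return (int(major), int(minor), int(maint), int(interim))


def fix_threshold(running):
    """Lowest fixed-in build on the running major.minor train, or None when the
    train is not in the list (then read the Bug Toolkit entry yourself)."""
    train = parse_version(running)[:2]
    same_train = [parse_version(v) for v in FIXED_IN if parse_version(v)[:2] == train]
    return min(same_train) if same_train else None


def has_fix(running):
    """True if the running build is at or above the fix for its train, False if
    below, None if the train is not listed."""
    threshold = fix_threshold(running)
    if threshold is None:
        return None
    return parse_version(running) >= threshold


_SHOW_VERSION_RE = re.compile(r"Software Version (\S+)")


def version_from_show_version(output):
    """Extract the version string from 'show version' output."""
    m = _SHOW_VERSION_RE.search(output)
    if not m:
        raise ValueError("no 'Software Version' line in output")
    return m.group(1)


# Constructed sample, not taken from the thread: what an 8.0(3) box prints.
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 8.0(3)
Device Manager Version 6.0(3)
"""

if __name__ == "__main__":
    v = version_from_show_version(SAMPLE_SHOW_VERSION)
    print(v, "has fix:", has_fix(v))  # 8.0(3) has fix: False
```

Tuple comparison does the work: `8.0(3)` parses to `(8, 0, 3, 0)`, which sorts below the `(8, 0, 3, 11)` threshold, while `8.0(4)` sorts above it. A `None` result means the running train (for example 8.2) is not on the fixed-in list at all, which is a prompt to check the bug entry rather than a clean bill of health.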
