ASA local command authorization - permitting all show commands

Unanswered Question
Sep 27th, 2010

Hi,

Using an ASA 8.2(3) I'm trying to use local command authorization to restrict users in a multiple context, multi-tenant firewall from executing commands which could negatively impact other contexts.  Ideally I will not use radius/tacacs for this.  I want context administrators to use ASDM and SSH.  For the ASDM to function correctly it looks like it needs to be able to execute lots of different 'show' commands.  I also want to give context administrators sufficient commands to be able to carry out common administrative functions.

So my first shot at config looks like this:

username test password test privilege 5
aaa authorization command LOCAL
aaa authorization exec LOCAL

!

privilege cmd level 5 mode configure command interface
privilege cmd level 5 mode configure command access-list
privilege cmd level 5 mode configure command static
privilege cmd level 5 mode configure command access-group
privilege cmd level 5 mode interface command ip
privilege cmd level 5 mode subinterface command ip
privilege cmd level 5 command show

The initial problem I have is that 'privilege cmd level 5 command show' doesn't work. I need to specify each variant of show, for example:

privilege show level 5 mode exec command running-config

This is going to result in unnecessarily bloated configurations, does anyone know of a more elegant way to permit ALL show commands?

Many thanks in advance!

George

mirober2 Mon, 10/04/2010 - 08:29

Hi George,

I believe you need to explicitly specify each 'show' command that you want to allow, unfortunately. You may also try the AAA discussion forum. They may be able to provide some additional insight.

Hope that helps.

-Mike
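Since each show command has to be re-levelled individually, the practical answer to the "bloated config" concern is to generate the lines instead of typing them. The script below is an added example, not code from George, Mike or Cisco. It assumes the line shape of `show running-config all privilege` output (`privilege <show|clear|cmd> level N mode M command C`, the same form George's own config uses); the embedded table is a constructed sample, not a capture from a real ASA, and its default levels are illustrative only. It emits one `privilege show level 5 ...` line per show command whose current level is above 5, skips commands already at or below the target (a user at level 5 can already run anything at level 5 or lower), and lets you exclude named show commands you do not want a context administrator to see.

```python
"""Generate explicit `privilege show level N ...` lines from an ASA privilege table.

ASA local command authorization has no wildcard for "all show commands"; every
show command must be re-levelled on its own line. Feed the output of
`show running-config all privilege` (which lists each command with its current
level) to this script and paste the result into the context configuration.
"""
import re
import sys

# Constructed sample in the shape of `show running-config all privilege` output.
# Not captured from a real ASA; only the line format matters. The levels are
# illustrative: on a real box most commands default to 15, a few to 0.
SAMPLE_PRIVILEGE_TABLE = """\
privilege show level 15 mode exec command aaa
privilege show level 15 mode exec command running-config
privilege show level 15 mode exec command startup-config
privilege show level 0 mode exec command version
privilege show level 0 mode exec command curpriv
privilege show level 15 mode configure command access-list
privilege clear level 15 mode exec command xlate
privilege cmd level 15 mode configure command interface
privilege cmd level 15 mode exec command ping
"""

# One table line: privilege <show|clear|cmd> level <n> mode <mode> command <cmd ...>
LINE_RE = re.compile(
    r"^privilege\s+(?P<kind>show|clear|cmd)\s+level\s+(?P<level>\d+)"
    r"\s+mode\s+(?P<mode>\S+)\s+command\s+(?P<cmd>.+?)\s*$"
)


def parse_privilege_table(text):
    """Parse table lines into dicts; non-matching lines (prompts, banners) are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["level"] = int(entry["level"])
            entries.append(entry)
    return entries


def relevel_show_commands(text, target_level=5, exclude=()):
    """Return config lines that move every `show` command above `target_level` down to it.

    Commands already at or below the target are left alone: a user at level N may
    run anything at level N or lower, so they need no line. `exclude` names show
    commands (for example "startup-config") to leave at their default level.
    """
    out = []
    seen = set()
    for e in parse_privilege_table(text):
        if e["kind"] != "show" or e["cmd"] in exclude:
            continue
        if e["level"] <= target_level:
            continue
        key = (e["mode"], e["cmd"])
        if key in seen:  # defensive: never emit the same (mode, command) twice
            continue
        seen.add(key)
        out.append(
            f"privilege show level {target_level} mode {e['mode']} command {e['cmd']}"
        )
    return out


if __name__ == "__main__":
    # Usage: python relevel_show.py [target_level] < privilege_table.txt
    # With nothing on stdin the constructed sample table is used.
    level = int(sys.argv[1]) if len(sys.argv) > 1 else 5
    data = "" if sys.stdin.isatty() else sys.stdin.read()
    if not data.strip():
        data = SAMPLE_PRIVILEGE_TABLE
    print("\n".join(relevel_show_commands(data, level)))
```

Review the generated list before pasting it: it only saves typing, the configuration still grows by one line per show command, and anything you leave in it (notably `show running-config`, which George notes ASDM appears to need) becomes readable to every level-5 user in that context.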
