aaa authorization and show logging command

Answered Question
Aug 28th, 2013

Hello Guys,


I am running IOS 15 on some routers and using ACS version 5.3.0.40.5 for authentication and authorization.

I would like to have a group of users not be able to access the configuration mode but issue all show commands.

However, the show logging command does not seem to work in user mode.


Any ideas or workarounds are welcome.


Thanks in advance.

Correct Answer by Jatin Katyal about 3 years 11 months ago

Does your command set look like the one in the link below for read-only access?

http://www.security-solutions.co.za/Cisco-ACS-5.2-Role-Based-Authentication-Authorization-For-Different-Privilege-Levels-Configuration-Example.html#_Toc299569579


~BR
Jatin Katyal

**Do rate helpful posts**

Overall Rating: 5 (1 ratings)
Amjad Abdullah Thu, 08/29/2013 - 00:57

Hello,


Here is a very good config example for you:

http://goo.gl/8LkTlw


Try the example and let us know if you have any more concerns.


Regards,


Amjad


Rating useful replies is more useful than saying "Thank you"

abukuru95 Thu, 08/29/2013 - 03:12

Hello all,


Thanks for your response but it is unfortunately not the solution.

I read a few documents where Cisco would have changed the behaviour of the show logging command.

This means that to do a show logging command, you have to be a level 15 user.


What I require is for a user not to have access to the conf t command but be able to do a show logging.


This is not working after several unsuccessful tries.

Amjad Abdullah Thu, 08/29/2013 - 03:35

Hello,


There is no contradiction. You can have level 15 access and deny or permit access to whatever commands you want.

I am using ACS where everyone has level 15 access but some of them can only use show commands (no conf t).

You can configure things the same way by allowing everyone level 15 access and allowing or denying whatever commands you want.


Let me know if you need extra help.


Regards,


Amjad



Rating useful replies is more useful than saying "Thank you"

abukuru95 Thu, 08/29/2013 - 04:42

Thanks for the tip!

I had more of a configuration problem.


I placed show logging and all other show commands. Placing only "show" helped.
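
The device-side configuration that the approach in this thread depends on, as an added example that is not from any of the posters: users receive privilege level 15 from the ACS and each command is sent to the ACS for a permit or deny decision, so a command set that permits only `show` decides what they can run. The server address 192.0.2.10, the bracketed placeholders and the use of the default method lists are assumptions.

```cisco
! Constructed example. 192.0.2.10 and the <...> values are placeholders.
aaa new-model
!
tacacs-server host 192.0.2.10 key <shared-secret>
!
! Authenticate logins against the ACS, falling back to local accounts
! only when the ACS does not respond.
aaa authentication login default group tacacs+ local
!
! Exec authorization: the ACS shell profile returns the privilege level
! (15 for everyone in the approach described above).
aaa authorization exec default group tacacs+ local
!
! Command authorization is selected by the privilege level of the command,
! not of the user, so both level-1 and level-15 commands are listed.
! The ACS command set for the read-only group permits "show" with no
! argument restriction and does not permit anything else, which leaves
! "configure terminal" denied.
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Also authorize commands entered inside configuration mode.
aaa authorization config-commands
!
! Local level-15 account used by the "local" fallback above.
username <local-admin> privilege 15 secret <local-secret>
```

The fallback method matters here: with `local` as the second method, a read-only user with no local account gets no access during an ACS outage, whereas a fallback of `none` or `if-authenticated` would leave a level-15 session unrestricted.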
