Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2022
Views
0
Helpful
6
Replies

aaa authorization and show logging command

Go to solution
abukuru95
Level 3
Level 3

‎08-28-2013 06:17 AM - edited ‎03-10-2019 08:49 PM

Hello Guys,

I am running IOS 15 on some routers and using ACS version 5.3.0.40.5 for authentication and authorization.

I would like to have a group of users not be able to access the configuration mode but issue all show commands.

However, the show logging command does not seem to work in user mode.

Any ideas or work arounds are welcome.

thanks in advance.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to abukuru95

‎08-29-2013 04:06 AM

Is your command set looks like the below listed link for read only access

http://www.security-solutions.co.za/Cisco-ACS-5.2-Role-Based-Authentication-Authorization-For-Different-Privilege-Levels-Configuration-Example.html#_Toc299569579

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Amjad Abdullah
VIP Alumni
VIP Alumni

‎08-29-2013 12:57 AM

Hello,

Here is a very good config example for you:

http://goo.gl/8LkTlw

Try the example and let us know if you have any more concerns.

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"
0 Helpful

Go to solution
harvisin
Level 3
Level 3

‎08-29-2013 01:01 AM

Hello,

I think the link below might help you out:-

http://www.cisco.com/en/US/products/ps9911/products_configuration_example09186a0080bc8514.shtml

0 Helpful

Go to solution
abukuru95
Level 3
Level 3

‎08-29-2013 03:12 AM

Hello all,

Thanks for your response but it is unfortunately not the solution.

I read a few documents where Cisco would have changed the behaviour of the show logging command.

This meaning that th do a show logging command, you have to be a level 15 user.

Wat i require is for a user not to have access to the conf t command but be able to do a show logging.

This is not working after several unsuccessful tries.

0 Helpful

Go to solution
Amjad Abdullah
VIP Alumni
VIP Alumni
In response to abukuru95

‎08-29-2013 03:35 AM

Hello,

There is no contradiction. You can be a level 15 access and deny or permit access to whatever commands that you want.

I am using ACS where everyone have level 15 access but some of them can only use show commands (no conf t).

You can configure things the same way by allowing everyone level 15 access and allow or deny whatever commands you want.

let me know if you need extra help.

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"
0 Helpful

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to abukuru95

‎08-29-2013 04:06 AM

Is your command set looks like the below listed link for read only access

http://www.security-solutions.co.za/Cisco-ACS-5.2-Role-Based-Authentication-Authorization-For-Different-Privilege-Levels-Configuration-Example.html#_Toc299569579

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
0 Helpful

Go to solution
abukuru95
Level 3
Level 3
In response to Jatin Katyal

‎08-29-2013 04:42 AM

thanks for the tip !

I had more of a configuration problem.

I placed show logging and all other show commands. placing only "show" helped

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents