Cisco Support Community
Community Member

Shell Command Auth Question

I'm trying to set up a Shell command auth set for clearing interface counters but I can't think of a way to do so. Is there a way to do something like:

"permit counters interface *"?



Re: Shell Command Auth Question

Try this...

privilege exec level 2 clear counters

Community Member

Re: Shell Command Auth Question

I'm not sure I understand what ya mean with this suggestion. We allow the user in to priv 15 but limit all commands typed. For example they might need to show the running config for an interface or something like that. Thus when they log in they have priv 15 but don't have config term rights.

Re: Shell Command Auth Question

I'm assuming you are using CSACS (not indicated) for defining your command sets.


"Deny" radio button selected (i.e.: only listed commands will be authorized).

Command List:





"Clear" command argument(s) set as follows:

(a) Deselect the "Permit Unmatched Args" checkbox.

(b) Enter the following argument(s) into the list:

permit counters

... or, to be more specific:

permit counters Ethernet 0

permit counters FastEthernet 0

This should result in the ability to clear all counters, or the counters of specific interfaces (if you define them).


(1) Command arguments are case sensitive and may differ from how they are entered at the CLI.

(2) A sniffer is helpful in determining proper case.

(3) Wireshark is capable of decrypting TACACS+ packets if you configure the application with the password.

Re: Shell Command Auth Question


I had mentioned it for the command line.

Suppose you have local users with privilege levels 2 and 15, then

username admin2 privilege 2 password cisco

username admin15 privilege 15 password cisco

privilege exec level 2 ping

privilege exec level 2 clear counter

privilege exec level 15 telnet

privilege exec level 15 show config

privilege exec level 15 show logging

Community Member

Re: Shell Command Auth Question

Yes, I'm using CACS, sorry for not specifying.

So if I put "clear" in as the command and then put: "permit counters FastEthernet 0" will that allow all fa0/1 - x interfaces or do I have to put them in individually? I'm really looking for a way to allow it on all fa and gi interfaces if possible but w/o putting each interface into ACS.

Re: Shell Command Auth Question

If you are willing to permit the clearing of counters for "all" interface types (do a "clear counters ?", to see the list), use:

permit counters

If you only want to permit all FastEthernet and GigabitEthernet interfaces, use:

permit counters FastEthernet

permit counters GigabitEthernet

The inclusion of "FastEthernet 0" in my previously posted example was for a specific interface, where "FastEthernet 0" was a complete interface name (on a different platform), and was not intended to specify FastEthernet 0/1 - x.

Edit: If you want to control specific interfaces, make sure to use the appropriate white-space in your command set argument definitions.

E.g.: permit counters FastEthernet 0 1

The "FastEthernet", "0", and "1", are all separate arguments.
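
Added example, not part of the thread and not ACS's own code: a simplified Python model of the command set described in the replies above, useful for checking what a given set of "permit" entries would let through before entering it. It assumes that an entry matches when its whitespace-separated tokens are a case-sensitive prefix of the arguments the device sends, that the first matching entry wins, and that "Permit Unmatched Args" is deselected; the function names and sample requests are constructed for illustration.

```python
# Simplified model of a shell command authorization set (added example).
# Assumptions: an entry matches when its whitespace-separated tokens are a
# case-sensitive prefix of the argument tokens sent by the device, and the
# first matching entry decides the result.

def parse_set(command_set):
    """Turn {"clear": ["permit counters FastEthernet"]} into token rules."""
    rules = {}
    for command, entries in command_set.items():
        rules[command] = []
        for entry in entries:
            action, *tokens = entry.split()
            if action not in ("permit", "deny"):
                raise ValueError(f"bad entry: {entry!r}")
            rules[command].append((action, tokens))
    return rules

def authorize(rules, command, args, permit_unmatched_args=False):
    """Return True if `command` with argument tokens `args` is allowed."""
    if command not in rules:              # only listed commands are authorized
        return False
    for action, tokens in rules[command]:
        if args[:len(tokens)] == tokens:  # token-wise, case-sensitive prefix
            return action == "permit"
    return permit_unmatched_args          # checkbox deselected: refuse

# Constructed command sets mirroring the three variants in the thread.
ALL_COUNTERS = parse_set({"clear": ["permit counters"]})
FA_AND_GI = parse_set({"clear": ["permit counters FastEthernet",
                                 "permit counters GigabitEthernet"]})
ONE_PORT = parse_set({"clear": ["permit counters FastEthernet 0 1"]})

if __name__ == "__main__":
    # Constructed requests, tokenised the way the last reply describes.
    requests = [
        ("clear", ["counters", "FastEthernet", "0", "1"]),
        ("clear", ["counters", "fastethernet", "0", "1"]),  # wrong case
        ("clear", ["counters", "Serial", "0", "0"]),
        ("clear", ["counters"]),                            # every interface
        ("clear", ["line", "1"]),                           # other clear arg
        ("configure", ["terminal"]),                        # unlisted command
    ]
    for command, args in requests:
        verdict = "PERMIT" if authorize(FA_AND_GI, command, args) else "DENY"
        print(f"{verdict:6} {command} {' '.join(args)}")
```

Under these assumptions the FastEthernet/GigabitEthernet set also refuses a bare "clear counters", since that request carries fewer tokens than either entry.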
