New Member

ASA local command authorization - permitting all show commands

Hi,

Using an ASA 8.2(3) I'm trying to use local command authorization to restrict users in a multiple context, multi-tenant firewall from executing commands which could negatively impact other contexts.  Ideally I will not use radius/tacacs for this.  I want context administrators to use ASDM and SSH.  For the ASDM to function correctly it looks like it needs to be able to execute lots of different 'show' commands.  I also want to give context administrators sufficient commands to be able to carry out common administrative functions.

So my first shot at config looks like this:

username test password test privilege 5
aaa authorization command LOCAL
aaa authorization exec LOCAL

!

privilege cmd level 5 mode configure command interface
privilege cmd level 5 mode configure command access-list
privilege cmd level 5 mode configure command static
privilege cmd level 5 mode configure command access-group
privilege cmd level 5 mode interface command ip
privilege cmd level 5 mode subinterface command ip
privilege cmd level 5 command show

The initial problem I have is that 'privilege cmd level 5 command show' doesn't work. I need to specify each variance of show, for example:

privilege show level 5 mode exec command running-config

This is going to result in unnecessarily bloated configurations; does anyone know of a more elegant way to permit ALL show commands?

Many thanks in advance!

George

1 REPLY
Cisco Employee

Re: ASA local command authorization - permitting all show commands

Hi George,

I believe you need to explicitly specify each 'show' command that you want to allow, unfortunately. You may also try the AAA discussion forum. They may be able to provide some additional insight.

Hope that helps.

-Mike
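As an added example (not from either post), a small Python helper that does the two chores this thread implies: it emits the one-line-per-subcommand `privilege show` statements the reply says are required, and it parses an existing config to report which show commands a given privilege level may run. The sample config is constructed from the lines in the question; the rule that a user may run commands whose assigned level is at or below their own privilege level is assumed.

```python
import re
from typing import Iterable

# ASA privilege statement as it appears in the thread:
#   privilege {show|clear|cmd} level N [mode M] command C
PRIV_RE = re.compile(
    r"^privilege\s+(?P<kind>show|clear|cmd)\s+level\s+(?P<level>\d+)"
    r"(?:\s+mode\s+(?P<mode>\S+))?\s+command\s+(?P<cmd>\S+)\s*$"
)

def generate_show_privileges(subcommands: Iterable[str], level: int, mode: str = "exec") -> list[str]:
    """One 'privilege show' line per subcommand: there is no wildcard for 'show',
    so the explicit list is the only way to grant them (per the reply above)."""
    return [f"privilege show level {level} mode {mode} command {c}"
            for c in sorted(set(subcommands))]

def parse_privileges(config: str) -> list[dict]:
    """Extract every privilege statement from a running config as a dict."""
    rules = []
    for line in config.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            rule = m.groupdict()
            rule["level"] = int(rule["level"])
            rules.append(rule)
    return rules

def permitted_show_commands(config: str, user_level: int) -> set[str]:
    """Show subcommands a user at user_level can run under these rules.
    Assumed model: a command is allowed when its assigned level <= user level."""
    return {r["cmd"] for r in parse_privileges(config)
            if r["kind"] == "show" and r["level"] <= user_level}

def config_commands_at_or_below(config: str, ceiling: int) -> list[str]:
    """Configuration-changing ('cmd') grants at or below ceiling, for review of
    what a context administrator could modify."""
    return [f'{r["mode"]}:{r["cmd"]}' for r in parse_privileges(config)
            if r["kind"] == "cmd" and r["level"] <= ceiling]

# Constructed sample: the question's config plus generated show lines.
SAMPLE_CONFIG = "\n".join([
    "username test password test privilege 5",
    "aaa authorization command LOCAL",
    "privilege cmd level 5 mode configure command access-list",
    "privilege cmd level 5 mode interface command ip",
    "privilege cmd level 15 mode configure command context",
    *generate_show_privileges(["running-config", "interface", "xlate"], 5),
    "privilege show level 10 mode exec command tech-support",
])

if __name__ == "__main__":
    print(sorted(permitted_show_commands(SAMPLE_CONFIG, 5)))
```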
