Cisco Support Community
New Member

ASA - Restrict 'config t' for user & allow all show commands

Hi,

I would like to restrict 'config t' to user privilege level 5.

Currently when I do 'sh run all privilege level all | i command configure'

I can see the below

privilege cmd level 15 mode exec command configure

which I believe means only level 15 can do a config t. But even when the enable level is '5', I can enter config t and have all the change entries available.

We are not using TACACS+. The complete AAA configuration on the ASA is only the following:

aaa authentication ssh console LOCAL

aaa authentication serial console LOCAL

aaa authentication http console LOCAL

Also, if I would like to permit all show commands at a certain level, do I have to explicitly permit every show command to level 5, or is there any wildcard, i.e. a way to permit all 'show' commands within user/privileged mode to a particular level?

Please assist.

3 REPLIES

Re: ASA - Restrict 'config t' for user & allow all show commands

New Member

Re: ASA - Restrict 'config t' for user & allow all show commands

Thanks. It worked.

Still looking for an answer to the other question. When I enable the user at level 5, all show commands are restricted, and when I add 'privilege show level 5 mode exec command interface', only then can the user do show interface. Does it mean I would have to add all the show commands if I would like to permit 'show' to user level 5?

Re: ASA - Restrict 'config t' for user & allow all show commands

You have to define what commands level 5 is authorized for.

for example

If you want priv level 5 to be able to do show running-config, then you tell the ASA:

privilege show level 5 mode exec command running-config

The same applies for interface, as you have done:

privilege show level 5 mode exec command interface

You will have to go over this link for more thorough details:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1070306

Regards
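The pieces discussed in this thread assembled into one configuration, as an added example and not configuration taken from the replies. The three `aaa authentication` lines and the `privilege` lines come from the thread; the `aaa authorization command LOCAL`, `enable password ... level 5` and `username ... privilege 5` lines are assumptions based on ASA local command authorization as covered in the linked guide, and the secrets are placeholders.

```text
! Local authentication, as already present in the original post
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
!
! Assumed addition: privilege levels are only enforced once local
! command authorization is enabled. Without this line a user at
! enable level 5 can still enter 'configure terminal'.
aaa authorization command LOCAL
!
! Assumed: an enable password that lands the user at level 5
enable password <LEVEL5-SECRET-PLACEHOLDER> level 5
!
! Assumed: a local read-only operator account at privilege level 5
username ops-ro password <OPS-SECRET-PLACEHOLDER> privilege 5
!
! 'configure' stays at its default level 15, which is what the
! poster's 'show running-config all privilege' output already showed
privilege cmd level 15 mode exec command configure
!
! There is no wildcard for 'show': each show command a level-5 user
! may run needs its own line, as the last reply explains
privilege show level 5 mode exec command running-config
privilege show level 5 mode exec command interface
```

After applying this, log in as the level-5 user and confirm that 'show running-config' and 'show interface' succeed while 'configure terminal' is refused; any other 'show' command not listed above will also be refused until its own 'privilege show' line is added.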
