Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

User restriction though CLI

Dear All,

We are using ASA 5510 Version 7.2(4) at our organisation. The requirement is we need to give an access to a user with limited access so that he can run only specific commands on configuration mode. We don't have Cisco TACACS server instead of that we are using a microsoft radius server.

Can anyone plz suggest how to acheive this........


User restriction though CLI

New Member

User restriction though CLI

Thanx Ajay.....however i want to create a new user who can run only one specific command in the configuration mode. Is there a way to create a new priviledge level and assign only one command. If you can provide the commands it'll be quite helpful as i am not able to find it on the WEB.

User restriction though CLI

privilege show level 5 command

Level can be anything but not 15. I dont have any live device with me at this moment where i can try if you have you can try very well. but this works you can restrict users to some specific commands.



New Member

User restriction though CLI

We have a radius server which does authentication for ASA. So considering this, will the following commands accomplish our requirement.


aaa-server XXX protocol radius

aaa authentication telnet console XXX LOCAL

aaa authentication ssh console XXX LOCAL

aaa authorization command XXX LOCAL

username superadmin password privilege 15
Username restricteduser password privilege 5

privilege clear level 5 command crypto


Just by adding the above commands, I assume that restricteduser will only be able to issue the clear ipsec sa commands leaving the superadmin user with full access.

Kindly confirm if this is correct and will not lock me out of firewall access.


User restriction though CLI

Ahh I am sorry i misunderstood thought you do not have auth server.If you do have then the restriction will only be forced from Radius server. You need to look some guide for radius server what i told last was something on locally on ASA.

Sorry for that.

New Member

User restriction though CLI

Thank you Ajay, I'll check the Radius Guide..:-)