topic Re: how to disable show commands in Network Access Control

how to disable show commands

azmath.hk — Sun, 10 Mar 2019 22:26:07 GMT

Hi,

We are having problem in disabling most of the show commands locally using AAA on router

Please review the config and let me know what is the way to disable all show commands except show ip int bri.....

Below is the config:-

privilege exec all level 7 crypto

privilege exec all level 7 release

privilege exec all level 7 renew

privilege exec all level 7 tclquit

privilege exec all level 7 access-enable

privilege exec all level 7 webvpn

privilege exec all level 7 ssh

privilege exec all level 7 x28

privilege exec all level 7 x3

privilege exec all level 7 pad

privilege exec all level 7 mtrace

privilege exec all level 7 msta

privilege exec all level 7 crypto

privilege exec all level 7 release

privilege exec all level 7 renew

privilege exec all level 7 tclquit

privilege exec all level 7 access-enable

privilege exec all level 7 webvpn

privilege exec all level 7 ssh

privilege exec all level 7 x28

privilege exec all level 7 x3

privilege exec all level 7 pad

privilege exec all level 7 mtrace

privilege exec all level 7 msta

username admin privilege 15 password xxx

username rem privilege 15 secret xxx

username user1 password xxx

aaa authentication login default local

aaa authorization exec default local

Re: how to disable show commands

azmath.hk — Tue, 09 Oct 2007 14:08:45 GMT

Please help me on this

Re: how to disable show commands

Jagdeep Gambhir — Tue, 09 Oct 2007 14:15:39 GMT

You need to set priv lvl of all show commands,

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml

Regards,

~JG

Re: how to disable show commands

azmath.hk — Tue, 09 Oct 2007 18:45:28 GMT

I tried so many ways but still no go.

Please suggest me the configuration in which privilege level2 user dont see show commands in user mode except show ip int bri

Thanks in advance for the help u will provide

Re: how to disable show commands

Jagdeep Gambhir — Wed, 10 Oct 2007 13:41:41 GMT

I was able to do it. Here is the configs

AAASWITCH(config)#username jag privilege 7 password xxxxx

AAASWITCH(config)#privilege exec level 8 show running

AAASWITCH(config)#privilege exec level 8 show ver

AAASWITCH(config)#privilege exec level 6 show ip interface brief

AAASWITCH(config)#privilege exec level 8 show user

###########################################

Results

##########################################

Username: jag

Password:

AAASWITCH#show run

% Invalid input detected at '^' marker.

AAASWITCH#show ver

% Invalid input detected at '^' marker.

AAASWITCH#show ip interface brief

Interface IP-Address OK? Method Status Prot

ocol

Vlan1 192.168.26.4 YES NVRAM up up

Vlan2 unassigned YES NVRAM administratively down down

Vlan22 192.166.22.5 YES NVRAM administratively down down

Vlan30 unassigned YES NVRAM administratively down down

AAASWITCH#show users

% Invalid input detected at '^' marker.

AAASWITCH#show user

% Invalid input detected at '^' marker.

In this way you need to set priv for all possible show commands.

If user priv is 2 then set priv for show commands more then 2.

Hope that helps

Regards,

~JG

Re: how to disable show commands

azmath.hk — Wed, 10 Oct 2007 16:33:32 GMT

Thank you so much for your help its working now.