https://community.cisco.com/t5/network-access-control/shell-command-auth-question/m-p/1012028#M419392 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>I had mentioned it for the command line.</P><P>If suppose you have local users with Privelege level 2 and 15, then</P><P></P><P>username admin2 privilege 2 password cisco</P><P>username admin15 privilege 15 password cisco</P><P></P><P>privelege exex level 2 ping</P><P>privilege exec level 2 clear counter</P><P></P><P>privelege exec level 15 telnet</P><P>privelege exec level 15 show config</P><P>privelege exec level 15 show logging</P></BODY></HTML> Mon, 21 Jul 2008 15:51:04 GMT dhananjoy chowdhury 2008-07-21T15:51:04Z https://community.cisco.com/t5/network-access-control/shell-command-auth-question/m-p/1012024#M419388 <P>I'm trying to setup a Shell command auth set for clearing interface counters but I can't think of a way to do so. Is there a way to do something like:</P><P>"permit counters interface *"?</P><P></P><P>TIA</P> Sun, 10 Mar 2019 22:59:16 GMT https://community.cisco.com/t5/network-access-control/shell-command-auth-question/m-p/1012024#M419388 simon.bell 2019-03-10T22:59:16Z https://community.cisco.com/t5/network-access-control/shell-command-auth-question/m-p/1012025#M419389 <HTML><HEAD></HEAD><BODY><P>try this...</P><P></P><P>privilege exec level 2 clear counters</P></BODY></HTML> Mon, 21 Jul 2008 12:45:33 GMT https://community.cisco.com/t5/network-access-control/shell-command-auth-question/m-p/1012025#M419389 dhananjoy chowdhury 2008-07-21T12:45:33Z https://community.cisco.com/t5/network-access-control/shell-command-auth-question/m-p/1012026#M419390 <HTML><HEAD></HEAD><BODY><P>I'm not sure i understand what ya mean with this suggestion. We allow the user in to priv 15 but limit all commands typed. For example they might need to show the running config for an interface or something like that. Thus when they login they have priv 15 but don't have config term rights.</P></BODY></HTML> Mon, 21 Jul 2008 13:05:31 GMT https://community.cisco.com/t5/network-access-control/shell-command-auth-question/m-p/1012026#M419390 simon.bell 2008-07-21T13:05:31Z https://community.cisco.com/t5/network-access-control/shell-command-auth-question/m-p/1012027#M419391 <HTML><HEAD></HEAD><BODY><P>I'm assuming you are using CSACS (not indicated) for defining your command sets.</P><P></P><P>e.g.:</P><P></P><P>"Deny" radio button selected (i.e.: only listed commands will be authorized).</P><P></P><P>Command List:</P><P>clear</P><P>disable</P><P>enable</P><P>show</P><P></P><P>"Clear" command argument(s) set as follows:</P><P></P><P>(a) Deselect the "Permit Unmatched Args" checkbox.</P><P></P><P>(b) Enter the following argument(s) into the list:</P><P></P><P> permit counters</P><P></P><P>... or, to be more specific:</P><P></P><P> permit counters Ethernet 0</P><P> permit counters FastEthernet 0</P><P></P><P>This should result in the ability to clear all counters, or the counters of specific interfaces (if you define them).</P><P></P><P>Notes:</P><P>(1) Command arguments are case sensitive and may differ from how they are entered at the CLI.</P><P>(2) A sniffer is helpful in determining proper case.</P><P>(3) Wireshark is capable of decrypting TACACS+ packets if you configure the application with the password.</P><P></P></BODY></HTML> Mon, 21 Jul 2008 14:52:26 GMT https://community.cisco.com/t5/network-access-control/shell-command-auth-question/m-p/1012027#M419391 michael.leblanc 2008-07-21T14:52:26Z https://community.cisco.com/t5/network-access-control/shell-command-auth-question/m-p/1012028#M419392 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>I had mentioned it for the command line.</P><P>If suppose you have local users with Privelege level 2 and 15, then</P><P></P><P>username admin2 privilege 2 password cisco</P><P>username admin15 privilege 15 password cisco</P><P></P><P>privelege exex level 2 ping</P><P>privilege exec level 2 clear counter</P><P></P><P>privelege exec level 15 telnet</P><P>privelege exec level 15 show config</P><P>privelege exec level 15 show logging</P></BODY></HTML> Mon, 21 Jul 2008 15:51:04 GMT https://community.cisco.com/t5/network-access-control/shell-command-auth-question/m-p/1012028#M419392 dhananjoy chowdhury 2008-07-21T15:51:04Z https://community.cisco.com/t5/network-access-control/shell-command-auth-question/m-p/1012029#M419393 <HTML><HEAD></HEAD><BODY><P>Yes, I'm using CACS, sorry for not specifying.</P><P></P><P>So if i put "clear" in as the command and then put: "permit counters FastEthernet 0" will that allow all fa0/1 - x interfaces or do I have to put them in individually? I'm really looking for a way to allow it on all fa and gi interfaces if possible but w/o putting each interface into acs.</P><P></P><P></P></BODY></HTML> Mon, 21 Jul 2008 17:29:17 GMT https://community.cisco.com/t5/network-access-control/shell-command-auth-question/m-p/1012029#M419393 simon.bell 2008-07-21T17:29:17Z https://community.cisco.com/t5/network-access-control/shell-command-auth-question/m-p/1012030#M419395 <HTML><HEAD></HEAD><BODY><P>If you are willing to permit the clearing of counters for "all" interface types (do a "clear counters ?", to see the list), use:</P><P></P><P>permit counters</P><P></P><P></P><P>If you only want to permit all FastEthernet and GigabitEthernet interfaces, use:</P><P></P><P>permit counters FastEthernet</P><P>permit counters GigabitEthernet</P><P></P><P></P><P>The inclusion of "FastEthernet 0" in my previously posted example was for a specific interface, where "FastEthernet 0" was a complete interface name (on a different platform), and was not intended to specify FastEthernet 0/1 - x.</P><P></P><P></P><P>Edit: If you want to control specific interfaces, make sure to use the appropriate white-space in your command set argument definitions.</P><P></P><P>E.g.: permit counters FastEthernet 0 1</P><P></P><P>The "FastEthernet", "0", and "1", are all separate arguments.</P><P></P></BODY></HTML> Mon, 21 Jul 2008 19:56:38 GMT https://community.cisco.com/t5/network-access-control/shell-command-auth-question/m-p/1012030#M419395 michael.leblanc 2008-07-21T19:56:38Z