https://community.cisco.com/t5/network-access-control/change-privilege-levels/m-p/318494#M433661 <HTML><HEAD></HEAD><BODY><P>As I understand it, the implementation of privilege levels concerning show running-config is that there is a restriction that if you do not have the ability to change a certain parameter, that parameterr will not show up when you do show running-config. I believe that this reflects a security decision that if you do not have the ability to change it, it might compromise security if you could see it.</P><P></P><P>I would suggest that you test this by configuring certain things that a person at privilege level 7 can change in configuration. Then have that person do show run and see if these things do not show up.</P><P></P><P>HTH</P><P></P><P>Rick</P></BODY></HTML> Thu, 02 Sep 2004 17:13:58 GMT Richard Burts 2004-09-02T17:13:58Z https://community.cisco.com/t5/network-access-control/change-privilege-levels/m-p/318493#M433658 <P>Hi. I'm using an IAS Server. There I've defined two policies: One to authorizate a users with Shell:Priv-lvl=7 and other with Shell:Priv-lvl=15. I have this configuration at the router: </P><P></P><P>aaa new-model</P><P>aaa authentication login CONTROL group radius local</P><P>aaa authorization exec CONTROL group radius local</P><P></P><P>username alejandra privilege 15 password 0 perdomo</P><P></P><P>radius-server host 192.168.207.10 auth-port 1812 acct-port 1813</P><P>radius-server retransmit 3</P><P>radius-server key 1234</P><P></P><P>privilege exec level 7 ping</P><P>privilege exec level 7 clear counters</P><P>privilege exec level 7 show running-config</P><P>line vty 0 4</P><P> authorization exec CONTROL</P><P> login authentication CONTROL</P><P></P><P>As you can see I've defined the "Show Running-config" command with privilege 7. When I access to the router with privilege 7, I would be able to apply this command, I can see it, but when I run it, there is not a complete answer with all router's configuration. </P><P></P><P>I searched on <A class="jive-link-custom" href="http://www.Cisco.com" target="_blank">www.Cisco.com</A> and I found examples to make what I want, but they don't work properly.</P><P></P><P>Could you help me??? </P><P></P><P></P> Sun, 10 Mar 2019 20:46:52 GMT https://community.cisco.com/t5/network-access-control/change-privilege-levels/m-p/318493#M433658 AP270778 2019-03-10T20:46:52Z https://community.cisco.com/t5/network-access-control/change-privilege-levels/m-p/318494#M433661 <HTML><HEAD></HEAD><BODY><P>As I understand it, the implementation of privilege levels concerning show running-config is that there is a restriction that if you do not have the ability to change a certain parameter, that parameterr will not show up when you do show running-config. I believe that this reflects a security decision that if you do not have the ability to change it, it might compromise security if you could see it.</P><P></P><P>I would suggest that you test this by configuring certain things that a person at privilege level 7 can change in configuration. Then have that person do show run and see if these things do not show up.</P><P></P><P>HTH</P><P></P><P>Rick</P></BODY></HTML> Thu, 02 Sep 2004 17:13:58 GMT https://community.cisco.com/t5/network-access-control/change-privilege-levels/m-p/318494#M433661 Richard Burts 2004-09-02T17:13:58Z