https://community.cisco.com/t5/network-security/asa-restrict-config-t-for-user-allow-all-show-commands/m-p/1281257#M834658 <HTML><HEAD></HEAD><BODY><P>Most likely you are missing aaa authorization command.. see bellow link and links within.</P><P></P><P><A class="jive-link-custom" href="http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&amp;forum=Security&amp;topic=Firewalling&amp;topicID=.ee6e1fa&amp;fromOutline=true&amp;CommCmd=MB?cmd=display_location&amp;location=.2cc2c575/4" target="_blank">http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&amp;forum=Security&amp;topic=Firewalling&amp;topicID=.ee6e1fa&amp;fromOutline=true&amp;CommCmd=MB?cmd=display_location&amp;location=.2cc2c575/4</A></P><P></P><P></P><P>Regards</P><P></P></BODY></HTML> Tue, 16 Jun 2009 20:13:24 GMT JORGE RODRIGUEZ 2009-06-16T20:13:24Z https://community.cisco.com/t5/network-security/asa-restrict-config-t-for-user-allow-all-show-commands/m-p/1281256#M834649 <P>Hi, </P><P></P><P>I would like to restrict 'config t' to user privilege level 5. </P><P></P><P>Currently when I do 'sh run all privlege level all | i command configure'</P><P></P><P>I can see the below </P><P></P><P>privilege cmd level 15 mode exec command configure</P><P></P><P>which I believe means only level 15 can do a config t. But even when the enable level is '5', I can enter config t and have all the change entries available. </P><P></P><P>We are not using TACAS+. The complete AAA configuration in ASA is only the following</P><P></P><P>aaa authentication ssh console LOCAL</P><P>aaa authentication serial console LOCAL</P><P>aaa authentication http console LOCAL</P><P></P><P>Also, if I like to permit all show commands at a certain level, do I have to explicitly permit every show command to level 5 or is there any wild card i.e. to permit all 'show' commands within user/privileged mode to a particular level. </P><P></P><P>Please assist. </P> Mon, 11 Mar 2019 15:44:03 GMT https://community.cisco.com/t5/network-security/asa-restrict-config-t-for-user-allow-all-show-commands/m-p/1281256#M834649 tech_trac 2019-03-11T15:44:03Z https://community.cisco.com/t5/network-security/asa-restrict-config-t-for-user-allow-all-show-commands/m-p/1281257#M834658 <HTML><HEAD></HEAD><BODY><P>Most likely you are missing aaa authorization command.. see bellow link and links within.</P><P></P><P><A class="jive-link-custom" href="http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&amp;forum=Security&amp;topic=Firewalling&amp;topicID=.ee6e1fa&amp;fromOutline=true&amp;CommCmd=MB?cmd=display_location&amp;location=.2cc2c575/4" target="_blank">http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&amp;forum=Security&amp;topic=Firewalling&amp;topicID=.ee6e1fa&amp;fromOutline=true&amp;CommCmd=MB?cmd=display_location&amp;location=.2cc2c575/4</A></P><P></P><P></P><P>Regards</P><P></P></BODY></HTML> Tue, 16 Jun 2009 20:13:24 GMT https://community.cisco.com/t5/network-security/asa-restrict-config-t-for-user-allow-all-show-commands/m-p/1281257#M834658 JORGE RODRIGUEZ 2009-06-16T20:13:24Z https://community.cisco.com/t5/network-security/asa-restrict-config-t-for-user-allow-all-show-commands/m-p/1281258#M834666 <HTML><HEAD></HEAD><BODY><P>Thanks. It worked. </P><P></P><P>Still looking for answer to the other question. When I enable the user at level 5, all show commands are restricted. And when I add 'privilege show level 5 mode exec command interface', only then the user can do show interface. Does it mean I would have to add all the show commands if I would like to permit 'show' to user level 5. </P></BODY></HTML> Wed, 17 Jun 2009 04:51:33 GMT https://community.cisco.com/t5/network-security/asa-restrict-config-t-for-user-allow-all-show-commands/m-p/1281258#M834666 tech_trac 2009-06-17T04:51:33Z https://community.cisco.com/t5/network-security/asa-restrict-config-t-for-user-allow-all-show-commands/m-p/1281259#M834686 <HTML><HEAD></HEAD><BODY><P>You have to define what commmands level 5 is authorized for. </P><P></P><P>for example</P><P></P><P>if you want priv level 5 to be able to do who running-config then you tell asa:</P><P></P><P><B>privilege show level 5 mode exec command running-config</B></P><P></P><P>the same appies for interface as you have done.</P><P></P><P><B>privilege show level 5 mode exec command interface</B></P><P></P><P></P><P>you will have to go over this link for more thorought details </P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1070306" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1070306</A></P><P></P><P></P><P>Regards</P></BODY></HTML> Wed, 17 Jun 2009 19:04:54 GMT https://community.cisco.com/t5/network-security/asa-restrict-config-t-for-user-allow-all-show-commands/m-p/1281259#M834686 JORGE RODRIGUEZ 2009-06-17T19:04:54Z