https://community.cisco.com/t5/network-security/asa-read-only-user/m-p/1202023#M877650 <HTML><HEAD></HEAD><BODY><P>That was it. Thanks! Just to make sure, this ASA is also authenticating users for VPN connections by pointing to the domain. This should not impact those users correct?</P><P></P><P></P><P>Thanks so much!!</P></BODY></HTML> Tue, 20 Jan 2009 20:51:40 GMT angel-moon 2009-01-20T20:51:40Z https://community.cisco.com/t5/network-security/asa-read-only-user/m-p/1202017#M877643 <P>Hello Everyone,</P><P></P><P>Can someon tell me the command for createing a user on an ASA 5500 running 7.2(3) that can only view the config but not make any changes?</P><P></P><P></P><P>Thanks in advance! All replies rated</P> Mon, 11 Mar 2019 14:37:23 GMT https://community.cisco.com/t5/network-security/asa-read-only-user/m-p/1202017#M877643 angel-moon 2019-03-11T14:37:23Z https://community.cisco.com/t5/network-security/asa-read-only-user/m-p/1202018#M877644 <HTML><HEAD></HEAD><BODY><P>You can use privilege level 5, this will allow to enable mode but it will <B>not give config t</B> access, nor clear xlates or any clear commands, it can however issue <B>show </B> and its subcommands including <B>show run</B> , same applies when using asdm.</P><P></P><P>create user in asa local database</P><P></P><P>asa(config)#username <NAME> password <PASSWORD> priviledge 5</PASSWORD></NAME></P><P></P><P>enable AAA to use ASA local user database</P><P></P><P>asa(config)#aaa authentication telnet console LOCAL</P><P></P><P></P><P>asa&gt; en</P><P>Password: *******</P><P>asa#config t</P><P> ^</P><P>ERROR: % Invalid input detected at '^' marker.</P><P>ERROR: Command authorization failed</P><P></P><P>asa#clear xlate</P><P>ERROR: % Invalid input detected at '^' marker.</P><P>ERROR: Command authorization failed</P><P>asa# </P><P></P><P></P><P>Regards</P><P></P></BODY></HTML> Thu, 15 Jan 2009 05:15:22 GMT https://community.cisco.com/t5/network-security/asa-read-only-user/m-p/1202018#M877644 JORGE RODRIGUEZ 2009-01-15T05:15:22Z https://community.cisco.com/t5/network-security/asa-read-only-user/m-p/1202019#M877645 <HTML><HEAD></HEAD><BODY><P>Thanks. I am not sure if access by SSH makes a difference but the user is using SSH and SSH is configured to authenticate to the local database but the user can still get to config t. I am running 7.2 if that makes a difference.</P></BODY></HTML> Mon, 19 Jan 2009 23:21:35 GMT https://community.cisco.com/t5/network-security/asa-read-only-user/m-p/1202019#M877645 angel-moon 2009-01-19T23:21:35Z https://community.cisco.com/t5/network-security/asa-read-only-user/m-p/1202020#M877646 <HTML><HEAD></HEAD><BODY><P>Add bellow statement , have you defined priviledge levels for that particular ssh user as indicated in my previous post.</P><P></P><P>aaa authentication ssh console LOCAL</P><P></P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml</A></P></BODY></HTML> Tue, 20 Jan 2009 01:10:42 GMT https://community.cisco.com/t5/network-security/asa-read-only-user/m-p/1202020#M877646 JORGE RODRIGUEZ 2009-01-20T01:10:42Z https://community.cisco.com/t5/network-security/asa-read-only-user/m-p/1202021#M877648 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P></P><P>yes I do have the above listed statement and have defined the priviledge level as the first post said.</P><P></P><P></P><P>Thanks!</P></BODY></HTML> Tue, 20 Jan 2009 20:21:13 GMT https://community.cisco.com/t5/network-security/asa-read-only-user/m-p/1202021#M877648 angel-moon 2009-01-20T20:21:13Z https://community.cisco.com/t5/network-security/asa-read-only-user/m-p/1202022#M877649 <HTML><HEAD></HEAD><BODY><P>Ok , you must be missing this statement, try with that user after you enter this in asa and let me know.</P><P></P><P><B>aaa authorization command LOCAL</B></P><P></P><P></P><P>Additional reference for aaa authorization command </P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1537175" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1537175</A> </P><P></P><P>Regards</P><P></P></BODY></HTML> Tue, 20 Jan 2009 20:46:18 GMT https://community.cisco.com/t5/network-security/asa-read-only-user/m-p/1202022#M877649 JORGE RODRIGUEZ 2009-01-20T20:46:18Z https://community.cisco.com/t5/network-security/asa-read-only-user/m-p/1202023#M877650 <HTML><HEAD></HEAD><BODY><P>That was it. Thanks! Just to make sure, this ASA is also authenticating users for VPN connections by pointing to the domain. This should not impact those users correct?</P><P></P><P></P><P>Thanks so much!!</P></BODY></HTML> Tue, 20 Jan 2009 20:51:40 GMT https://community.cisco.com/t5/network-security/asa-read-only-user/m-p/1202023#M877650 angel-moon 2009-01-20T20:51:40Z https://community.cisco.com/t5/network-security/asa-read-only-user/m-p/1202024#M877651 <HTML><HEAD></HEAD><BODY><P>Angel, it should not impact any VPN related authentication , this only pertains to authorization managing the ASA applience.</P><P></P><P>Glad it is resolved and thank you for rating.</P><P></P><P>regards</P><P></P></BODY></HTML> Tue, 20 Jan 2009 21:49:03 GMT https://community.cisco.com/t5/network-security/asa-read-only-user/m-p/1202024#M877651 JORGE RODRIGUEZ 2009-01-20T21:49:03Z https://community.cisco.com/t5/network-security/asa-read-only-user/m-p/1202025#M877652 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I just stumbled onto this post.&nbsp; I was wondering if there was a generic command to allow access to all show commands, instead of individually having to specify them:</P><P></P><P>e.g. at the moment I have a Level 5 user who I want to have access to all show commands, but not configuration mode, and I have to manually specify each command:</P><P></P><P>privilege show level 5 mode exec command running-config</P><P>privilege show level 5 mode exec command log</P><P></P><P>Is there an equivalent of show * that I can add?</P><P></P><P>Thanks</P></BODY></HTML> Tue, 18 Sep 2012 04:45:21 GMT https://community.cisco.com/t5/network-security/asa-read-only-user/m-p/1202025#M877652 goulin 2012-09-18T04:45:21Z https://community.cisco.com/t5/network-security/asa-read-only-user/m-p/3792163#M877653 <P>&nbsp;</P> <P><STRONG>While it is possible to expose a custom set of commands from ASA CLI for all its contexts as shown below, how do you ensure that the same for system CLI on ASA ? it doesn't seem to be having aaa commands available ?</STRONG></P> <P><STRONG>Enable the use of local command privilege levels, which can be checked against the privilege level of users in the local database</STRONG></P> <P>asa/Management(config)#&nbsp;<STRONG>aaa authorization command LOCAL</STRONG><BR />asa/Management(config)# exit</P> <P>&nbsp;</P> <P><STRONG>Create a user with privilege level 5 in the local database&nbsp;</STRONG><BR />asa/Management(config)# username &lt;&gt; password &lt;&gt; privilege 5</P> <P><STRONG>To view privilege levels</STRONG><BR />asa/Management# show curpriv&nbsp;<BR />Username : &lt;&gt;<BR />Current privilege level : 5&nbsp;</P> <P><BR />Current Mode/s : P_PRIV&nbsp;</P> <P>&nbsp;</P> <P>Example:</P> <DIV><SPAN>asa/Management(config)# privilege show level 5 command running-config</SPAN></DIV> <DIV>&nbsp;</DIV> Thu, 31 Jan 2019 13:58:05 GMT https://community.cisco.com/t5/network-security/asa-read-only-user/m-p/3792163#M877653 akbansal@cisco.com 2019-01-31T13:58:05Z