
Local ASA passwords to allow ALL show commands, no config

pheavens85
Level 1

Hi there

Currently have an ASA 5545. What I want to do is allow our support team to perform ALL show commands (up to and including show run) but not enable them to perform ANY configuration changes on the devices (not get into config t). This is to allow them to check ARP tables, routing protocol status, etc.

Can anyone advise the syntax to do this? I don't have access to the ASA at the moment and haven't been able to figure it out in IOS, I'm assuming it's not too hard...


James Leinweber
Level 4

Assuming AAA authentication, define some users with intermediate privilege levels and assign the commands they can run to that level, e.g.

    username readonly password SomeSecret privilege 2

followed by a tedious number of privilege commands for each of the keywords "show ?" expands to:

    privilege show level 2 mode exec command aaa-server
    ...
    privilege show level 2 mode exec command xlate

Anyone knowing a more concise way would be welcome.

-- Jim Leinweber, WI State Lab of Hygiene
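
One way to produce the repetitive `privilege show` lines from the reply above out of pasted `show ?` output, as an added example that is not part of the original thread. The sample help text, its assumed column layout (keyword indented by a few spaces, then at least two spaces before the description), and the function names are assumptions of this example.

```python
import re

# Constructed sample of "show ?" help text (not captured from a real ASA).
SAMPLE_SHOW_HELP = """\
  aaa-server        Show aaa-server configuration information
  arp               Show ARP table or ARP statistics
  route             Show routing table
  running-config    Show the current operating configuration
  xlate             Show current translation information
  <cr>
"""

# Assumed layout: keyword in the first column (1-4 leading spaces), then two
# or more spaces, then a description. Wrapped description lines and "<cr>"
# do not match and are skipped.
KEYWORD_RE = re.compile(r"^ {1,4}([a-z0-9][a-z0-9-]*) {2,}\S")


def show_keywords(help_text):
    """Return the first-column keywords in order, without duplicates."""
    seen, keywords = set(), []
    for line in help_text.splitlines():
        match = KEYWORD_RE.match(line)
        if match and match.group(1) not in seen:
            seen.add(match.group(1))
            keywords.append(match.group(1))
    return keywords


def privilege_lines(help_text, level=2, exclude=()):
    """Build one 'privilege show level N mode exec command KW' line per keyword.

    The level is restricted to 1-14 so the output always targets an
    intermediate level, never level 15 (full access).
    """
    if not 1 <= level <= 14:
        raise ValueError("level must be an intermediate privilege level (1-14)")
    return [
        f"privilege show level {level} mode exec command {kw}"
        for kw in show_keywords(help_text)
        if kw not in exclude
    ]


if __name__ == "__main__":
    print("\n".join(privilege_lines(SAMPLE_SHOW_HELP)))
```

Review the generated lines before pasting them; the `exclude` argument lets you hold back any keyword you decide the read-only level should not see.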
