Change privilege levels

AP270778
Level 1

Hi. I'm using an IAS Server. There I've defined two policies: one to authorize users with Shell:Priv-lvl=7 and the other with Shell:Priv-lvl=15. I have this configuration on the router:

aaa new-model
aaa authentication login CONTROL group radius local
aaa authorization exec CONTROL group radius local
username alejandra privilege 15 password 0 perdomo
radius-server host 192.168.207.10 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key 1234
privilege exec level 7 ping
privilege exec level 7 clear counters
privilege exec level 7 show running-config
line vty 0 4
 authorization exec CONTROL
 login authentication CONTROL

As you can see, I've defined the "Show Running-config" command with privilege 7. When I access the router with privilege 7, I should be able to apply this command. I can see it, but when I run it, there is not a complete answer with all of the router's configuration.

I searched on www.Cisco.com and I found examples to do what I want, but they don't work properly.

Could you help me???

1 Reply

Richard Burts
Hall of Fame

As I understand it, the implementation of privilege levels concerning show running-config is that there is a restriction that if you do not have the ability to change a certain parameter, that parameter will not show up when you do show running-config. I believe that this reflects a security decision that if you do not have the ability to change it, it might compromise security if you could see it.

I would suggest that you test this by configuring certain things that a person at privilege level 7 can change in configuration. Then have that person do show run and see if these things do not show up.

HTH

Rick
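
One way to run the test suggested in the reply, as an added example that is not from either poster: it moves a small group of configuration commands to level 7 so that a level 7 user is able to change them. The choice of the snmp-server commands, the address 192.0.2.50 and the community string are constructed values for the test.

```cisco
! Added example with constructed test values, not part of the original thread.
! Exec-level commands already present in the question's configuration
privilege exec level 7 ping
privilege exec level 7 clear counters
privilege exec level 7 show running-config
! Allow level 7 to enter global configuration mode
privilege exec level 7 configure terminal
! Allow level 7 to change one group of parameters (assumed choice: snmp-server)
privilege configure level 7 snmp-server host
privilege configure level 7 snmp-server enable
privilege configure level 7 snmp-server
! A parameter in that group for the level 7 user to look for
snmp-server host 192.0.2.50 EXAMPLE-COMMUNITY
```

Log in as a user who receives Shell:Priv-lvl=7, confirm the level with show privilege, then run show running-config and check whether the snmp-server lines are listed. Because these lines also let level 7 users change SNMP settings, remove them after the test if that access is not intended.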