05-10-2011 09:52 AM - edited 03-10-2019 06:04 PM
Hi All,
I've got Cisco ACS ( version 4.2 ), I've created group and permit
command-show, Argument- configuration, privilege, vlan
on my switch:
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 7 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
I'm able to authenticate and do show privilege, show vlan. But I'm unable to do show configuration.
I've tried adding "privilege exec level 7 show configuration", and then I was able to do show configuration.
1. Why is it required when it's already permitted globally? (Is it that to execute a privilege level 15 command, we need to add it?)
2. It means my switch will contact ACS every time I execute a command. How can I localize it?
3. How do I make clear counters work?
An early revert would be of great help.
Thanking You,
Prashanth.B
05-10-2011 01:50 PM
The command has to be available in the privilege level locally on the switch, then it will ask Tacacs server for command authorization. If you want to do command authorization for levels below 15, you have to add the commands to the privilege levels on the switches first.
Zhenning
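To make the order of checks in the reply above concrete, here is a small added model of it in Python (an illustration written for this thread, not Cisco or ACS code). It parses a constructed copy of the switch config from the original post, treats "show vlan" and "show privilege" as user-level commands and everything else as level 15 by default (an assumption), and applies a simplified ACS command-set match. The point it shows, and generalizes to "clear counters", is that a command not available at the user's local privilege level is refused by the switch itself, so the ACS permit is never even consulted.

```python
import re

# Constructed switch config fragment: the aaa lines from the thread plus the
# "privilege exec" override that made "show configuration" work at level 7.
SWITCH_CONFIG = """\
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 7 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
privilege exec level 7 show configuration
"""

# Constructed ACS command set for the group: permit "show" with these arguments.
ACS_COMMAND_SET = {"show": ["configuration", "privilege", "vlan"]}

# Assumed IOS default levels for the commands named in the thread;
# any command not listed here is treated as level 15.
DEFAULT_LEVELS = {"show vlan": 1, "show privilege": 1}

PRIV_RE = re.compile(r"^privilege exec level (\d+) (.+)$")
AAA_CMD_RE = re.compile(r"^aaa authorization commands (\d+) default (.+)$")


def parse_privilege_overrides(config):
    """Return {command: level} from 'privilege exec level N <command>' lines."""
    overrides = {}
    for line in config.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            overrides[m.group(2).strip()] = int(m.group(1))
    return overrides


def parse_authorized_levels(config):
    """Return the set of privilege levels for which command authorization is on."""
    levels = set()
    for line in config.splitlines():
        m = AAA_CMD_RE.match(line.strip())
        if m:
            levels.add(int(m.group(1)))
    return levels


def local_level(command, overrides):
    """Level at which the switch itself offers `command` (longest prefix wins,
    and a configured override beats the assumed default at equal length)."""
    best_len, level = -1, 15
    for table in (DEFAULT_LEVELS, overrides):
        for prefix, lvl in table.items():
            if command == prefix or command.startswith(prefix + " "):
                if len(prefix) >= best_len:
                    best_len, level = len(prefix), lvl
    return level


def acs_permits(command, command_set):
    """Simplified ACS command-set match: the first word must be permitted, and if
    the rule lists arguments, the argument string must start with one of them."""
    word, _, args = command.partition(" ")
    if word not in command_set:
        return False
    allowed = command_set[word]
    return not allowed or any(args == a or args.startswith(a + " ") for a in allowed)


def authorize(user_level, command, config=SWITCH_CONFIG, command_set=ACS_COMMAND_SET):
    """Two-stage decision: local privilege level first, TACACS+ (ACS) second."""
    needed = local_level(command, parse_privilege_overrides(config))
    if needed > user_level:
        return False, f"'{command}' is level {needed} on the switch; ACS never consulted"
    if user_level not in parse_authorized_levels(config):
        return True, "no command authorization at this level; permitted locally"
    if acs_permits(command, command_set):
        return True, "available locally and permitted by ACS"
    return False, "available locally but denied by ACS command set"


if __name__ == "__main__":
    without_override = SWITCH_CONFIG.replace("privilege exec level 7 show configuration\n", "")
    for level, cmd, cfg in [(7, "show vlan", SWITCH_CONFIG),
                            (7, "show configuration", without_override),
                            (7, "show configuration", SWITCH_CONFIG),
                            (7, "clear counters", SWITCH_CONFIG)]:
        print(level, cmd, "->", authorize(level, cmd, cfg))
```

Running it reproduces the thread: at level 7, "show vlan" passes both stages, "show configuration" fails at stage 1 until the privilege override is present, and "clear counters" fails the same way for the same reason (it would need both a local "privilege exec level 7 clear counters" line and a matching ACS permit).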
05-10-2011 07:27 PM
Thanks for the revert, Zhenning.
1. So it means that in order to make authorization work, I need to define the privilege command on the switch and do the ACS configuration.
2. How do I know which command has got what privilege level? ( say show configuration - is level of 15 )
Thanking You,
Prashanth
05-11-2011 04:54 AM
Hi,
Answers for the questions:
1. Yes. that is correct.
Please check the following link describing command authorization:
2. By default the commands are at privilege level 15. You can execute "show privilege" and check the privilege level.
Hope this helps.
Regards,
Anisha
P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.
05-12-2011 02:25 AM
Thanks for the revert,
It's strange to see that sh run doesn't give any output.
Testing-Switch#sh run
Building configuration...
Current configuration : 13 bytes
!
!
!
!
end
Testing-Switch# sh config
Building configuration...
Current configuration : 2615 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Testing-Switch
!
05-12-2011 05:02 AM
Hi,
"show run" will only show you the commands which are available in your privilege. If you add some commands to your privilege level, you will see those in "show run".