unable to issue show configuration

bethamprashanth
Level 1

Hi All,

I've got Cisco ACS (version 4.2). I've created a group and permitted
command: show, arguments: configuration, privilege, vlan

On my switch:
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 7 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local

I'm able to authenticate and do show privilege, vlan. But I'm unable to do show configuration.

I've tried adding "privilege exec level 7 show configuration"; then I was able to do show configuration.

1. Why is it required when it's already permitted globally? (Is it that to execute a privilege level 15 command, we need to add it?)

2. It means my switch will contact ACS every time I execute a command. How can I localize?

3. How do I make clear counters work?

An earlier revert would be of great help.

Thanking You,
Prashanth.B

5 Replies

zhenningx
Level 4

The command has to be available in the privilege level locally on the switch, then it will ask Tacacs server for command authorization. If you want to do command authorization for levels below 15, you have to add the commands to the privilege levels on the switches first.

Zhenning

Thanks for the revert, Zhenning.

1. So it means that in order to make authorization work, I need to define the privilege command on the switch and do the ACS configuration.

2. How do I know which command has got what privilege level? (say show configuration - is level of 15)

Thanking You,

Prashanth

Hi,

Answers for the questions:

1. Yes, that is correct.

Please check the following link describing command authorization:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

2. By default the commands are at privilege level 15. You can execute "show privilege" and check the privilege level.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swauthen.html#wp1020699

Hope this helps.

Regards,

Anisha

P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.

Thanks for the revert,

It's strange to see that sh run doesn't give any output.

Testing-Switch#sh run
Building configuration...

Current configuration : 13 bytes
!
!
!
!
end

Testing-Switch# sh config

Building configuration...

Current configuration : 2615 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Testing-Switch
!

Hi,

"show run" will only show you the commands which are available in your privilege. If you add some commands to your privilege level, you will see those in "show run".