unable to issue show configuration
05-10-2011 09:52 AM - edited 03-10-2019 06:04 PM
Hi All,
I've got Cisco ACS (version 4.2). I've created a group and permitted:
command - show, argument - configuration, privilege, vlan
On my switch:
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 7 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
I'm able to authenticate and do show privilege and show vlan, but I'm unable to do show configuration.
I tried adding "privilege exec level 7 show configuration", and then I was able to do show configuration.
1. Why is it required when it's already permitted globally? (Is it that to execute a privilege level 15 command, we need to add it?)
2. It means my switch will contact ACS every time I execute a command. How can I localize?
3. How to make clear counters work?
An earlier revert would be of great help.
Thanking You,
Prashanth.B
Labels: AAA
05-10-2011 01:50 PM
The command has to be available in the privilege level locally on the switch, then it will ask Tacacs server for command authorization. If you want to do command authorization for levels below 15, you have to add the commands to the privilege levels on the switches first.
Zhenning
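
Added example (not part of the original thread and not Cisco code): a Python check of the two-stage behaviour described in the reply above, where a command must first sit at or below the user's local privilege level and only then is checked against TACACS+. The sample config, the permitted-command list and the default-level table are constructed assumptions; any command not listed is assumed to default to level 15.

```python
import re

# Constructed sample, modelled on the switch lines quoted in the thread.
SAMPLE_CONFIG = """\
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 7 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
privilege exec level 7 show configuration
"""
# Commands permitted for the group on the TACACS+ server (constructed list).
ACS_PERMITTED = ["show configuration", "show privilege", "show vlan", "clear counters"]
# Assumption: default levels of commands not remapped; unlisted commands are 15.
DEFAULT_LEVELS = {"show privilege": 1, "show vlan": 1}

AUTHZ_RE = re.compile(r"^aaa authorization commands (\d+)\s")
PRIV_RE = re.compile(r"^privilege\s+exec\s+level\s+(\d+)\s+(.+)$")

def parse_config(text):
    """Return (levels with command authorization, {command: local level})."""
    authz_levels, local_levels = set(), {}
    for line in text.splitlines():
        line = line.strip()
        if m := AUTHZ_RE.match(line):
            authz_levels.add(int(m.group(1)))
        elif m := PRIV_RE.match(line):  # exact command text only, no abbreviations
            local_levels[m.group(2).strip()] = int(m.group(1))
    return authz_levels, local_levels

def audit(config, permitted, user_level, defaults=DEFAULT_LEVELS):
    """Classify each server-permitted command for a user at user_level."""
    authz_levels, local_levels = parse_config(config)
    report = {}
    for cmd in permitted:
        level = local_levels.get(cmd, defaults.get(cmd, 15))
        if level > user_level:  # the switch rejects it before asking the server
            report[cmd] = f"blocked locally (level {level}); needs: privilege exec level {user_level} {cmd}"
        elif level in authz_levels:
            report[cmd] = f"sent to TACACS+ (level {level})"
        else:  # no 'aaa authorization commands <level>' line covers it
            report[cmd] = f"runs without command authorization (level {level})"
    return report

if __name__ == "__main__":
    for cmd, verdict in audit(SAMPLE_CONFIG, ACS_PERMITTED, user_level=7).items():
        print(f"{cmd:20} {verdict}")
```
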
05-10-2011 07:27 PM
Thanks for the revert, Zhenning.
1. So it means that in order to make authorization work, I need to define the privilege command on the switch and do the ACS configuration.
2. How do I know which command has got what privilege level? ( say show configuration - is level of 15 )
Thanking You,
Prashanth
05-11-2011 04:54 AM
Hi,
Answers for the questions:
1. Yes, that is correct.
Please check the following link describing command authorization:
2. By default the commands are at privilege level 15. You can execute "show privilege" and check the privilege level.
Hope this helps.
Regards,
Anisha
P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.
05-12-2011 02:25 AM
Thanks for the revert,
It's strange to see that sh run doesn't give any output.
Testing-Switch#sh run
Building configuration...
Current configuration : 13 bytes
!
!
!
!
end
Testing-Switch# sh config
Building configuration...
Current configuration : 2615 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Testing-Switch
!
05-12-2011 05:02 AM
Hi,
"show run" will only show you the commands which are available in your privilege. If you add some commands to your privilege level, you will see those in "show run".
