ASA -----User with low privilege

Dears,

I want to know which privilege I am supposed to use to allow a certain user to run the "sh version" command, as I tried some privileges and they all do the same as privilege 15.

Accepted Solution

nurbol555,

The ASA capabilities are a bit different than IOS. On an ASA, here would be the command:

asa-5512(config)# privilege cmd level 14 mode exec command show ?

configure mode commands/options:
<cr>
asa-5512(config)# privilege cmd level 14 mode exec command show

Note that you cannot add "version" after show. However, as noted in the link I provided earlier, we can use privilege level 0, which includes show version and a few other commands.

We would then add the user thus:

asa-5512(config)# username showuser password showuser123 privilege 0

This new user has access to a limited set of show commands but cannot configure:

[c:\~]$ ssh showuser@x.x.x.x

Connecting to x.x.x.x:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Type help or '?' for a list of available commands.

asa-5512> show ?
checksum Display configuration information cryptochecksum
community-list List community-list
curpriv Display current privilege level
disk0: Display information about disk0: file system
disk1: Display information about disk1: file system
environment Show environment information
flash: Display information about flash: file system
history Display the session command history
import Show imported objects
inventory Show all inventory information for all slots
policy-list List IP Policy list
prefix-list List IP prefix lists
software Show software information
version Display system software version
asa-5512> show run
^
ERROR: % Invalid input detected at '^' marker.
asa-5512>

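The accepted solution above shows how local ASA users are tied to privilege levels ("username ... privilege 0") and how individual commands can be moved to a level with "privilege cmd level ...". As an added example, not part of the thread or of Cisco's software, the following Python script audits those two settings from a saved running-config: it lists each local user's effective level, which custom command assignments that level clears, and flags accounts with full privilege or a clear-text password. The config text is constructed for the example; the only device behaviour it assumes is the ASA default of privilege 2 when the "privilege" keyword is omitted from a username line.

```python
"""Audit local-user privilege levels in an ASA running-config (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# ASA assigns privilege 2 to a local user when 'privilege' is omitted (assumed default).
DEFAULT_PRIVILEGE = 2
FULL_PRIVILEGE = 15

# username <name> password <pw> [encrypted] [privilege <n>]
USERNAME_RE = re.compile(
    r"^username\s+(?P<name>\S+)\s+password\s+(?P<pw>\S+)"
    r"(?P<enc>\s+encrypted)?(?:\s+privilege\s+(?P<level>\d+))?\s*$"
)
# privilege {cmd|show|clear|configure} level <n> [mode <m>] command <cmd>
PRIV_CMD_RE = re.compile(
    r"^privilege\s+(?P<kind>cmd|show|clear|configure)\s+level\s+(?P<level>\d+)"
    r"(?:\s+mode\s+(?P<mode>\S+))?\s+command\s+(?P<cmd>\S+)\s*$"
)

# Constructed sample config; hostnames, users and the hash placeholder are invented.
SAMPLE_CONFIG = """\
! constructed sample, not taken from a real device
hostname asa-5512
privilege cmd level 14 mode exec command show
privilege show level 5 command running-config
username admin password <hash-placeholder> encrypted privilege 15
username showuser password showuser123 privilege 0
username ops password ops!pw encrypted
"""


@dataclass
class LocalUser:
    name: str
    level: int
    encrypted: bool
    # custom 'privilege ... command' assignments whose level this user's level reaches
    custom_commands: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def parse_users(config: str) -> Dict[str, LocalUser]:
    """Collect local users and their effective privilege level."""
    users: Dict[str, LocalUser] = {}
    for line in config.splitlines():
        m = USERNAME_RE.match(line.strip())
        if not m:
            continue
        level = int(m.group("level")) if m.group("level") else DEFAULT_PRIVILEGE
        users[m.group("name")] = LocalUser(
            name=m.group("name"), level=level, encrypted=m.group("enc") is not None
        )
    return users


def parse_privilege_cmds(config: str) -> List[Tuple[int, str, str]]:
    """Collect (level, kind, command) from custom privilege assignments, in config order."""
    cmds = []
    for line in config.splitlines():
        m = PRIV_CMD_RE.match(line.strip())
        if m:
            cmds.append((int(m.group("level")), m.group("kind"), m.group("cmd")))
    return cmds


def audit(config: str) -> Dict[str, LocalUser]:
    """Map each user to the custom commands its level unlocks and record risk findings."""
    users = parse_users(config)
    cmds = parse_privilege_cmds(config)
    for user in users.values():
        for level, kind, cmd in cmds:
            if level <= user.level:  # a user may run commands at or below its own level
                user.custom_commands.append(f"{kind} {cmd}")
        if user.level >= FULL_PRIVILEGE:
            user.findings.append("full privilege (15): can enter configuration mode")
        if not user.encrypted:
            user.findings.append("password stored in clear text in the config")
    return users


def report(users: Dict[str, LocalUser]) -> str:
    """Render the audit as one line per user."""
    lines = []
    for u in users.values():
        cmds = ", ".join(u.custom_commands) or "none"
        flags = "; ".join(u.findings) or "ok"
        lines.append(f"{u.name}: level {u.level}, custom commands: {cmds} [{flags}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit(SAMPLE_CONFIG)))
```

Run it against a real "show running-config" capture by replacing SAMPLE_CONFIG; the command list it prints per user reflects only the custom "privilege" assignments in that config, not the fixed set of commands each ASA level ships with (such as the level-0 show commands listed in the session above).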

3 Replies

Marvin Rhoads (Hall of Fame)

I don't think you can restrict access to only "show version" but you cannot restrict access to "show" commands only on an ASA with local database for AAA.

Assign the user a non-default privilege level, say, level 10. Then customize the "show version" command to be available to a user with less than full enable (level 15) privilege.

More info:

https://supportforums.cisco.com/discussion/10987506/asa-privilege-levelsviews

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/p3.html#pgfId-2175310

nurbol555 (Level 1)

Hello!

You can use, for example, the command

privilege exec level 14 show version
