02-07-2010 09:26 PM - edited 03-11-2019 10:06 AM
Hello,
We have a RO user created with privilege level 5 (local authentication and command authorization enabled); it works fine for other commands that are defined in privilege level 5. When we try to enable capture commands for the level 5 user, we could enable/clear but it doesn't allow us to remove the capture.
bl-asa/cont2# sh curpriv
Username : rouser
Current privilege level : 5
Current Mode/s : P_PRIV
bl-asa/cont2#
bl-asa/cont2# sh cap
capture _ type raw-data [Capturing - 0 bytes]
capture cap_out type raw-data interface outside [Capturing - 0 bytes]
match ip any host xx.yy.23.116
bl-asa/cont2#
bl-asa/cont2# clear cap cap_out
bl-asa/cont2#
bl-asa/cont2# no cap cap_out
^
ERROR: % Invalid input detected at '^' marker.
ERROR: Command authorization failed
bl-asa/cont2#
Following are the commands that I enabled for capture:
privilege cmd level 5 mode exec command capture
privilege show level 5 mode exec command capture
privilege clear level 5 mode exec command capture
Could someone please tell, what should be the privilege that needs to be set to remove the capture or if I have missed anything in the config.
Thanks in advance!
cheers
jav
02-08-2010 03:20 AM
You are hitting a Cisco Bug (CSCsl57533)
You have to upgrade to any of the following:
1st Found-In
7.2(2)
Fixed-In
8.0(3.11)
8.1(1.2)
7.2(4)
7.2(3.23)
8.0(103.5)
7.0(7.12)
7.1(2.70)
Please rate if helpful.
Regards
Farrukh
02-07-2010 10:21 PM
Hi Jav
Could you add the following command and try.
privilege configure level 5 mode exec command capture
Hope it will help
Vijay
To configure command privilege levels for use with command authorization (local, RADIUS, and LDAP (mapped) only), use the privilege command in global configuration mode. To disallow the configuration, use the no form of this command.
privilege [ show | clear | configure ] level level [ mode {enable | configure}] command command
no privilege [ show | clear | configure ] level level [ mode {enable | configure}] command command
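Added example, not part of the original posts and not Cisco code: a small Python check that parses privilege lines in the shape shown in this thread and reports which forms of a command (show, clear, cmd) are not assigned to a given level, which answers the "have I missed anything in the config" question before suspecting a software defect. Assumptions: "configure" and "cmd" are treated as the same form, a line without a form keyword is treated as covering all forms, and the running-config line in the sample is constructed for contrast.

```python
import re
from collections import defaultdict

# Line shape follows the syntax quoted in the thread. "cmd" appears in the
# poster's config, "configure" in the quoted reference (assumed equivalent).
PRIV_RE = re.compile(
    r"^privilege\s+(?:(?P<form>show|clear|cmd|configure)\s+)?"
    r"level\s+(?P<level>\d+)\s+"
    r"(?:mode\s+(?P<mode>\S+)\s+)?"
    r"command\s+(?P<command>\S+)\s*$"
)
ALL_FORMS = ("show", "clear", "cmd")


def parse_privileges(config_text):
    """Return {(command, mode): {form: level}} for every privilege line."""
    table = defaultdict(dict)
    for raw in config_text.splitlines():
        m = PRIV_RE.match(raw.strip())
        if not m:
            continue  # not a privilege line
        form = m.group("form")
        if form is None:
            forms = ALL_FORMS  # assumption: no keyword means all forms
        else:
            forms = ("cmd" if form == "configure" else form,)
        for f in forms:
            table[(m.group("command"), m.group("mode"))][f] = int(m.group("level"))
    return dict(table)


def missing_forms(table, command, mode, level):
    """Forms of `command` that are not assigned to `level` in `mode`."""
    assigned = table.get((command, mode), {})
    return [f for f in ALL_FORMS if assigned.get(f) != level]


# The three lines posted in the thread, plus one constructed line for contrast.
SAMPLE = """\
privilege cmd level 5 mode exec command capture
privilege show level 5 mode exec command capture
privilege clear level 5 mode exec command capture
privilege show level 5 mode exec command running-config
"""

if __name__ == "__main__":
    table = parse_privileges(SAMPLE)
    for command, mode in sorted(table, key=str):
        print(command, mode, "missing at level 5:",
              missing_forms(table, command, mode, 5))
```

For the three capture lines posted above, nothing is reported missing at level 5, so the denial of "no cap" is not explained by an absent privilege line.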
02-07-2010 11:23 PM
Hello Vijay,
Thanks for your input, I have already tried that, as suggested in the Cisco document.
privilege cmd level 5 mode exec command capture
privilege show level 5 mode exec command capture
privilege clear level 5 mode exec command capture
but the situation is still the same, cannot remove the capture.
bl-asa/cont2# no cap cap_out
^
ERROR: % Invalid input detected at '^' marker.
ERROR: Command authorization failed
bl-asa/cont2#
cheers
02-08-2010 01:35 AM
Does 'no capture' (without the name) work?
Does the 'capture abcd' itself work?
Regards
Farrukh
02-08-2010 01:58 AM
Hello
Tried adding this command
privilege level 5 command cap
bl-asa/cont2#capture
bl-asa/cont2#capture
we are able to configure capture and also #clear cap
bl-asa/cont2#no cap --> doesn't work
bl-asa/cont2#no cap
thanks in advance!