RE: Command Authorization for show run

From: chon_mon@nym.hush.com
Date: Thu Oct 14 2004 - 17:50:34 GMT-3


After reading the AAA commands on the original config, I thought that
if you are telnetted into the router, the AAA server is determining the
output and privilege access levels. That would make me wonder, assuming
that the AAA is working and it has not defaulted to local privilege levels,
whether the AAA server is configured correctly.

HTH

On Thu, 14 Oct 2004 12:03:52 -0700 "Church, Chuck" <cchurch@netcogov.com>
wrote:
>It's not a bug. I believe it had something to do with the fact that a
>router doesn't keep the running config in memory to show when needed.
>When you do a 'sh run', it actually parses through all the various
>interface, router, etc. data structures, and builds it. This behind the
>scenes work seems to require level 15 access itself. I don't remember
>if there was a workaround or not. Maybe someone on the list will
>remember the fix, if it exists...
>
>
>Chuck Church
>Lead Design Engineer
>CCIE #8776, MCNE, MCSE
>Netco Government Services - Design & Implementation
>1210 N. Parker Rd.
>Greenville, SC 29609
>Home office: 864-335-9473
>Cell: 703-819-3495
>cchurch@netcogov.com
>PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D
>
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
>Of
>JD Plant
>Sent: Thursday, October 14, 2004 2:17 PM
>To: CCIE Security Mailing List
>Subject: Command Authorization for show run
>
>Hey all,
>
>I have noticed strange behavior every time I've used command
>authorization to allow the show run command. Everything works great
>with all the other commands at the same level.
>
>The commands are configured properly for the per-user command
>authorization.
>
>The show run command even executes successfully. The problem is the
>output is empty, nothing but exclamation marks. I don't know if this
>is a bug in command auth or what. Config and command output below:
>
>R7#show run
>Building configuration...
>
>Current configuration : 13 bytes
>!
>!
>!
>!
>end
>R7#
>
>**CONFIGURATION SNIPPET***
>aaa new-model
> aaa authentication login vty group tacacs+ local
> aaa authorization exec vty group tacacs+ local
> aaa authorization commands 1 vty group tacacs+ if-authenticated
> aaa authorization commands 5 vty group tacacs+ if-authenticated
> aaa accounting exec vty start-stop group tacacs
> aaa accounting commands 1 vty start-stop group tacacs
> aaa accounting commands 5 vty start-stop group tacacs
>
>tacacs-server host 175.1.2.3 key cisco
>
>user lab7-telnet privilege 5 password cisco
>
>line vty 0 4
> login authentication vty
> authori exec vty
> authorization commands 1 vty
> authorization commands 5 vty
> accounting exec vty
> accounting commands 1 vty
> accounting commands 5 vty
>
>privilege exec level 5 show running-config
>privilege exec level 5 ping
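The AAA snippet in the original post is the kind of configuration worth linting before trusting it. The following is an added example, not code from the thread or from Cisco: a small Python audit that checks every `authorization` entry under `line vty` against a defined `aaa authorization` method list, expands IOS-style abbreviations such as the posted `authori`, and lists the exec commands that `privilege exec level` has moved below level 15, flagging `show running-config` because of the empty-output symptom described above. The sample config is constructed from the snippet in the post.

```python
# Added example (not from the thread or from Cisco): audit an IOS config for the
# AAA pieces discussed above. Sample config is constructed from the posted snippet.
SAMPLE_CONFIG = """\
aaa new-model
aaa authorization exec vty group tacacs+ local
aaa authorization commands 1 vty group tacacs+ if-authenticated
aaa authorization commands 5 vty group tacacs+ if-authenticated
line vty 0 4
 login authentication vty
 authori exec vty
 authorization commands 1 vty
 authorization commands 5 vty
privilege exec level 5 show running-config
privilege exec level 5 ping
"""

LINE_KEYWORDS = ("authorization", "accounting", "login")

def expand(word, keywords=LINE_KEYWORDS):
    """IOS-style abbreviation: a unique prefix match expands to the full keyword."""
    hits = [k for k in keywords if k.startswith(word)]
    return hits[0] if len(hits) == 1 else word

def list_key(rest):
    """(type, level, list name) for 'exec NAME' or 'commands LEVEL NAME'; None if too short."""
    if rest[0] == "commands":
        return ("commands", rest[1], rest[2]) if len(rest) >= 3 else None
    return (rest[0], None, rest[1]) if len(rest) >= 2 else None

def audit_aaa(config):
    defined, missing, lowered = set(), [], {}
    in_line = False
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if not raw.startswith(" "):            # global configuration line
            in_line = tok[0] == "line"
            if tok[:2] == ["aaa", "authorization"] and len(tok) > 2:
                key = list_key(tok[2:])
                if key:
                    defined.add(key)
            elif tok[:3] == ["privilege", "exec", "level"] and int(tok[3]) < 15:
                lowered[" ".join(tok[4:])] = int(tok[3])
        elif in_line and expand(tok[0]) == "authorization":   # entry under 'line vty'
            if list_key(tok[1:]) not in defined:
                missing.append(raw.strip())
    # The thread's symptom: show running-config authorized below level 15 runs,
    # but the displayed config is empty, so flag that case explicitly.
    warnings = [f"show running-config granted at level {lvl}; expect empty output"
                for cmd, lvl in lowered.items() if cmd == "show running-config"]
    return {"missing_lists": missing, "lowered": lowered, "warnings": warnings}
```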



This archive was generated by hypermail 2.1.4 : Sat Nov 06 2004 - 17:11:48 GMT-3