RANCID and restricted user on ASA

You may not want RANCID to log in with your default privilege level 15 user when it backs up your Cisco ASA.

Leveraging command authorization gives you granular control over which commands it is allowed to run.

!-- Allowed commands
privilege cmd level 4 mode exec command more
privilege cmd level 4 mode exec command dir
privilege cmd level 4 mode exec command write
privilege show level 4 mode exec command version
privilege show level 4 mode exec command debug
privilege show level 4 mode exec command capture
privilege show level 4 mode exec command bootvar
privilege show level 4 mode exec command shun
privilege show level 4 mode exec command vlan
privilege show level 4 mode exec command module

!-- User with privilege level 4
username rancid password AGF.8HASH322HASH encrypted privilege 4

!-- Enable command authorization using the LOCAL database*
aaa authorization command LOCAL
aaa authorization exec LOCAL

* You may argue that TACACS is better, and it probably is, but when you lack the infrastructure and/or time to set up TACACS, this will do the trick.

ASA5510# conf t
^
ERROR: % Invalid input detected at '^' marker.
ERROR: Command authorization failed
ASA5510# show curpriv
Username : rancid
Current privilege level : 4
Current Mode/s : P_PRIV
ASA5510#
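To check a configuration like the one above before trusting it, the following added script (not part of the original post) parses the privilege, username and aaa lines from a constructed sample, lists which reassigned commands the rancid user can reach at its level, and flags the two cases that silently defeat the restriction: command authorization not enabled, or the backup user still at level 15. The sample config, the admin user and its placeholder hash are constructed for the example.

```python
import re

# Constructed sample: part of the post's config plus a level-15 line and an admin user.
SAMPLE_CONFIG = """\
privilege cmd level 4 mode exec command more
privilege cmd level 4 mode exec command dir
privilege cmd level 4 mode exec command write
privilege show level 4 mode exec command version
privilege show level 4 mode exec command capture
privilege cmd level 15 mode exec command configure
username rancid password AGF.8HASH322HASH encrypted privilege 4
username admin password PLACEHOLDERHASH encrypted privilege 15
aaa authorization command LOCAL
aaa authorization exec LOCAL
"""

PRIV_RE = re.compile(r"^privilege\s+(\w+)\s+level\s+(\d+)(?:\s+mode\s+\S+)?\s+command\s+(\S+)")
USER_RE = re.compile(r"^username\s+(\S+)\s.*\bprivilege\s+(\d+)")
AAA_RE = re.compile(r"^aaa\s+authorization\s+command\s+\S+")

def parse_users(config):
    """Map each local username that carries a 'privilege N' keyword to N."""
    matches = (USER_RE.match(line.strip()) for line in config.splitlines())
    return {m.group(1): int(m.group(2)) for m in matches if m}

def parse_privileges(config):
    """Yield (kind, level, command) for every command whose level was reassigned."""
    for line in config.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3)

def command_authorization_enabled(config):
    """Without 'aaa authorization command ...' the privilege lines are never consulted."""
    return any(AAA_RE.match(line.strip()) for line in config.splitlines())

def allowed_commands(config, user):
    """Reassigned commands the user may run: those at or below the user's level.
    Commands with no privilege line keep their ASA default level and are not listed."""
    level = parse_users(config)[user]
    return {f"{kind} {cmd}" for kind, lvl, cmd in parse_privileges(config) if lvl <= level}

def audit(config, user):
    """Defender's sanity checks on the restricted backup account; returns findings."""
    findings = []
    if not command_authorization_enabled(config):
        findings.append("command authorization is off: privilege lines have no effect")
    if parse_users(config).get(user, 15) >= 15:
        findings.append(f"{user} runs at level 15: no restriction at all")
    return findings
```

Run `allowed_commands(SAMPLE_CONFIG, "rancid")` and `audit(SAMPLE_CONFIG, "rancid")` against your own exported running-config to see the effective command set and any findings.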
