Privilege level change for the sho run command

 
 
bTq78
      06-16-2004
Hi,

I'm trying to give "sho run" capabilities to a lower privilege level
user.
The general idea is to give some users Read-Only access to the router.

I added these lines:
username user privilege 7 password 7 110C18160E160E1F0F

privilege exec all level 7 show running-config
privilege exec level 7 show

line vty 0 4
exec-timeout 0 0
login local

Now I can telnet to the router login as a level 7 user and do "sho
run" but all it displays is:


router#sho run
Building configuration...

Current configuration : 49 bytes
!
boot-start-marker
boot-end-marker
!
!
!
!
end

router#

router#sho privilege
Current privilege level is 7


tried it on 837 IOS 12.2
and 828 IOS 13.3 ...
both give the same result so I assume it is not IOS related.

Any ideas???
 
Martin Gallagher
      06-16-2004
On Wed, 16 Jun 2004 14:08:02 +0200, bTq78 wrote:

> Hi,
>
> I'm trying to give "sho run" capabilities to a lower privilege level user.
> The general idea is to give some users Read-Only access to the router.
>


It's a "quirk" of the privilege system, as it were, that you can't see
what you can't change. When you give them show runn only, this is the
result. Not sure what, or if, the workaround is.

--
Rgds,
Martin
 
Hansang Bae
      06-16-2004
In article <(E-Mail Removed)>, (E-Mail Removed) says...
> It's a "quirk" of the privilege system, as it were, that you can't see
> what you can't change. When you give them show runn only, this is the
> result. Not sure what, or if, the workaround is.


Use TACACS+ or RADIUS to give users read-only enable rights.

Otherwise, you may have to "priv" every command that shows up in "wr t"

--

hsb

"Somehow I imagined this experience would be more rewarding" Calvin
*************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
********************************************************************
Due to the volume of email that I receive, I may not be able to
reply to emails sent to my account. Please post a followup instead.
********************************************************************
 
 
bTq78
      06-16-2004
On Wed, 16 Jun 2004 15:02:02 GMT, Hansang Bae <(E-Mail Removed)> wrote:

>In article <(E-Mail Removed)>,
>(E-Mail Removed) says...
>> It's a "quirk" of the privilege system, as it were, that you can't see
>> what you can't change. When you give them show runn only, this is the
>> result. Not sure what, or if, the workaround is.
>
>Use TACACS+ or RADIUS to give users read-only enable rights.
>
>Otherwise, you may have to "priv" every command that shows up in "wr t"



Thanks, I will look into the TACACS+/RADIUS possibility.
I feared as much on the "priv"-ing every command.
 
 
Guest
      06-20-2004
Hi all.

If a user tries "show run", the user will see only global statements
or statements which the user is allowed to change.

So I think it is not possible for a limited user to see the
whole output from "show run".

But it is very easy to give such a user the privilege for
"show config".
If the user is not allowed to make
config changes there is no great comparison between
show run (running config) and show config (startup config).

bye
/martin
 
Victor Cappuccio
      06-21-2004
Hello bTq78
Maybe you can use: privilege exec level 0 show startup-config
Regards
Victor Cappuccio
www.vcappuccio.freeservers.com




 
Victor Cappuccio
      06-22-2004
bTq78:
Look at this configuration, maybe it could help you

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication ppp default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ none
aaa authorization network default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

tacacs-server host a.b.c.d
tacacs-server host a.b.c.d+1
tacacs-server timeout 30
tacacs-server key YourKey

line con 0
password 7 096F673A3A2A
logging synchronous
line vty 0 4
exec-timeout 15 0




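The server side of the TACACS+ suggestion in this thread, as an added example that is not from any of the posters: a read-only group that pairs with the `aaa authorization exec` and `aaa authorization commands 15` lines in the last post. It assumes the Shrubbery tac_plus daemon (the thread names no server); the group name `readonly` and user name `auditor` are hypothetical.

```conf
# tac_plus.conf (added example; the choice of tac_plus is an assumption,
# the thread does not say which TACACS+ server is in use)

# Must match "tacacs-server key YourKey" on the router.
key = "YourKey"

# Hypothetical read-only group. tac_plus refuses any command that has no
# matching "cmd" block, so "configure", "reload", "copy" and "write"
# are denied without being listed.
group = readonly {
    # Returned for "aaa authorization exec": the session starts at
    # level 15, so "show running-config" prints the whole configuration
    # instead of the filtered output seen at level 7.
    service = exec {
        priv-lvl = 15
    }

    # Checked for "aaa authorization commands 15": every show command.
    cmd = show {
        permit .*
    }

    # Let the user end the session.
    cmd = exit {
        permit .*
    }
    cmd = logout {
        permit .*
    }
}

# Hypothetical account; authentication is handed to PAM
# (requires a tac_plus build with PAM support).
user = auditor {
    member = readonly
    login = PAM
}
```

On the router, the trailing `none` in `aaa authorization commands 15 default group tacacs+ none` means level 15 commands are not checked at all when no TACACS+ server answers, so this restriction holds only while a server is reachable. The full `show running-config` output also includes the `password 7` strings, which are reversibly encoded rather than hashed.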