Privilege level change for the sho run command

Discussion in 'Cisco' started by bTq78, Jun 16, 2004.

  1. bTq78

    bTq78 Guest

    Hi,

    I'm trying to give "sho run" capabilities to a lower privilege level
    user.
    The general idea is to give some users Read-Only access to the router.

    I added these lines:
    username user privilege 7 password 7 110C18160E160E1F0F

    privilege exec all level 7 show running-config
    privilege exec level 7 show

    line vty 0 4
    exec-timeout 0 0
    login local

    Now I can telnet to the router login as a level 7 user and do "sho
    run" but all it displays is:


    router#sho run
    Building configuration...

    Current configuration : 49 bytes
    !
    boot-start-marker
    boot-end-marker
    !
    !
    !
    !
    end

    router#

    router#sho privilege
    Current privilege level is 7


    tried it on 837 IOS 12.2
    and 828 IOS 13.3 ...
    both give the same result so I assume it is not IOS related.

    Any ideas???
     
    bTq78, Jun 16, 2004
    #1

  2. On Wed, 16 Jun 2004 14:08:02 +0200, bTq78 wrote:

    > Hi,
    >
    > I'm trying to give "sho run" capabilities to a lower privilege level user.
    > The general idea is to give some users Read-Only access to the router.
    >


    It's a "quirk" of the privilege system, as it were, that you can't see
    what you can't change. When you give them show runn only, this is the
    result. Not sure what, or if, the workaround is.

    --
    Rgds,
    Martin
     
    Martin Gallagher, Jun 16, 2004
    #2

  3. bTq78

    Hansang Bae Guest

    In article <>,
    says...
    > It's a "quirk" of the privilege system, as it were, that you can't see
    > what you can't change. When you give them show runn only, this is the
    > result. Not sure what, or if, the workaround is.


    Use TACACS+ or Radius to give users read-only enable rights.

    Otherwise, you may have to "priv" every command that shows up in "wr t"

    --

    hsb

    "Somehow I imagined this experience would be more rewarding" Calvin
    *************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
    ********************************************************************
    Due to the volume of email that I receive, I may not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
     
    Hansang Bae, Jun 16, 2004
    #3
  4. bTq78

    bTq78 Guest

    On Wed, 16 Jun 2004 15:02:02 GMT, Hansang Bae <> wrote:

    >In article <>,
    > says...
    >> It's a "quirk" of the privilege system, as it were, that you can't see
    >> what you can't change. When you give them show runn only, this is the
    >> result. Not sure what, or if, the workaround is.

    >
    >Use TACACS+ or Radius to give users read-only enable rights.
    >
    >Otherwise, you may have to "priv" every command that shows up in "wr t"



    Thanks, I will look into the TACACS+/RADIUS possibility.
    I feared as much on the "priv"-ing every command.
     
    bTq78, Jun 16, 2004
    #4
  5. bTq78

    Guest Guest

    Hi all.

    If a user tries "show run", the user will see only global statements
    or statements which the user is allowed to change.

    So I think it is not possible for a limited user to see the
    whole output from "show run".

    But it is very easy to give such a user the privilege for
    "show config".
    If the user is not allowed to make
    config changes there is no great comparison between
    show run (running config) and show config (startup config).

    bye
    /martin

    "bTq78" <> wrote in message
    news:...
    > Hi,
    >
    > I'm trying to give "sho run" capabilities to a lower privilege level
    > user.
    > The general idea is to give some users Read-Only access to the router.
    >
    > I added these lines:
    > username user privilege 7 password 7 110C18160E160E1F0F
    >
    > privilege exec all level 7 show running-config
    > privilege exec level 7 show
    >
    > line vty 0 4
    > exec-timeout 0 0
    > login local
    >
    > Now I can telnet to the router login as a level 7 user and do "sho
    > run" but all it displays is:
    >
    >
    > router#sho run
    > Building configuration...
    >
    > Current configuration : 49 bytes
    > !
    > boot-start-marker
    > boot-end-marker
    > !
    > !
    > !
    > !
    > end
    >
    > router#
    >
    > router#sho privilege
    > Current privilege level is 7
    >
    >
    > tried it on 837 IOS 12.2
    > and 828 IOS 13.3 ...
    > both give the same result so I assume it is not IOS related.
    >
    > Any ideas???
     
    Guest, Jun 20, 2004
    #5
  6. Hello bTq78
    Maybe you can use: privilege exec level 0 show startup-config
    Regards
    Victor Cappuccio
    www.vcappuccio.freeservers.com




    bTq78 <> wrote in message news:<>...
    > Hi,
    >
    > I'm trying to give "sho run" capabilities to a lower privilege level
    > user.
    > The general idea is to give some users Read-Only access to the router.
    >
    > I added these lines:
    > username user privilege 7 password 7 110C18160E160E1F0F
    >
    > privilege exec all level 7 show running-config
    > privilege exec level 7 show
    >
    > line vty 0 4
    > exec-timeout 0 0
    > login local
    >
    > Now I can telnet to the router login as a level 7 user and do "sho
    > run" but all it displays is:
    >
    >
    > router#sho run
    > Building configuration...
    >
    > Current configuration : 49 bytes
    > !
    > boot-start-marker
    > boot-end-marker
    > !
    > !
    > !
    > !
    > end
    >
    > router#
    >
    > router#sho privilege
    > Current privilege level is 7
    >
    >
    > tried it on 837 IOS 12.2
    > and 828 IOS 13.3 ...
    > both give the same result so I assume it is not IOS related.
    >
    > Any ideas???
     
    Victor Cappuccio, Jun 21, 2004
    #6
  7. bTq78:
    Look at this configuration, maybe it could help you

    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication ppp default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ none
    aaa authorization network default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+

    tacacs-server host a.b.c.d
    tacacs-server host a.b.c.d+1
    tacacs-server timeout 30
    tacacs-server key YourKey

    line con 0
    password 7 096F673A3A2A
    logging synchronous
    line vty 0 4
    exec-timeout 15 0




    (Victor Cappuccio) wrote in message news:<>...
    > Hello bTq78
    > Maybe you can use: privilege exec level 0 show startup-config
    > Regards
    > Victor Cappuccio
    > www.vcappuccio.freeservers.com
    >
    >
    >
    >
    > bTq78 <> wrote in message news:<>...
    > > Hi,
    > >
    > > I'm trying to give "sho run" capabilities to a lower privilege level
    > > user.
    > > The general idea is to give some users Read-Only access to the router.
    > >
    > > I added these lines:
    > > username user privilege 7 password 7 110C18160E160E1F0F
    > >
    > > privilege exec all level 7 show running-config
    > > privilege exec level 7 show
    > >
    > > line vty 0 4
    > > exec-timeout 0 0
    > > login local
    > >
    > > Now I can telnet to the router login as a level 7 user and do "sho
    > > run" but all it displays is:
    > >
    > >
    > > router#sho run
    > > Building configuration...
    > >
    > > Current configuration : 49 bytes
    > > !
    > > boot-start-marker
    > > boot-end-marker
    > > !
    > > !
    > > !
    > > !
    > > end
    > >
    > > router#
    > >
    > > router#sho privilege
    > > Current privilege level is 7
    > >
    > >
    > > tried it on 837 IOS 12.2
    > > and 828 IOS 13.3 ...
    > > both give the same result so I assume it is not IOS related.
    > >
    > > Any ideas???
     
    Victor Cappuccio, Jun 22, 2004
    #7
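
As an added example (not part of any post above, and not the posters' own configuration): a server-side profile that pairs with the router AAA lines in post #7 to give the "read-only enable" access suggested in post #3. It assumes the Shrubbery tac_plus daemon's configuration format; the group name readonly, the user name rouser and the password file path are hypothetical.

```conf
# tac_plus.conf (constructed example, assumes the Shrubbery tac_plus daemon)

# Must match "tacacs-server key YourKey" on the router
key = "YourKey"

# Read-only profile: the exec session starts at level 15, so
# "show running-config" is not filtered by the local privilege system,
# and the server decides per command what is allowed.
group = readonly {
    # Deny any service that is not listed explicitly below
    default service = deny

    # Answer to "aaa authorization exec": place the user at level 15
    service = exec {
        priv-lvl = 15
    }

    # Answers to "aaa authorization commands 1 / 15":
    # any command without a cmd block here is denied by default.
    cmd = show {
        permit .*
    }
    cmd = exit {
        permit .*
    }
    cmd = logout {
        permit .*
    }
}

# Hypothetical read-only account, authenticated against a password file
user = rouser {
    member = readonly
    login = file /etc/passwd
}
```

With the router lines from post #7, level 1 and level 15 commands are sent to the server for authorization, so "configure terminal" and anything else outside the cmd blocks is refused while "show running-config" returns the full output. The `none` fallback on `aaa authorization commands 15` in post #7 authorizes level 15 commands without a check when no TACACS+ server answers, so local fallback accounts should not be given to read-only users.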