Privilege level change for the sho run command

Discussion in 'Cisco' started by bTq78, Jun 16, 2004.

  1. bTq78

    bTq78 Guest

    Hi,

    I'm trying to give "sho run" capabilities to a lower privilege level
    user.
    The general idea is to give some users Read-Only access to the router.

    I added these lines:
    username user privilege 7 password 7 110C18160E160E1F0F

    privilege exec all level 7 show running-config
    privilege exec level 7 show

    line vty 0 4
    exec-timeout 0 0
    login local

    Now I can telnet to the router, log in as a level 7 user and do "sho
    run", but all it displays is:


    router#sho run
    Building configuration...

    Current configuration : 49 bytes
    !
    boot-start-marker
    boot-end-marker
    !
    !
    !
    !
    end

    router#

    router#sho privilege
    Current privilege level is 7


    tried it on 837 IOS 12.2
    and 828 IOS 13.3 ...
    both give the same result so I assume it is not IOS related.

    Any ideas???
     
    bTq78, Jun 16, 2004
    #1

  2. It's a "quirk" of the privilege system, as it were, that you can't see
    what you can't change. When you give them show run only, this is the
    result. Not sure what, or if, the workaround is.
     
    Martin Gallagher, Jun 16, 2004
    #2

  3. Hansang Bae

    Hansang Bae Guest

    Use TACACS+ or RADIUS to give users read-only enable rights.

    Otherwise, you may have to "priv" every command that shows up in "wr t"

    --

    hsb

    "Somehow I imagined this experience would be more rewarding" Calvin
    *************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
    ********************************************************************
    Due to the volume of email that I receive, I may not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
     
    Hansang Bae, Jun 16, 2004
    #3
  4. bTq78

    bTq78 Guest


    Thanks, I will look into the TACACS+/RADIUS possibility.
    I feared as much on the "priv"-ing of every command.
     
    bTq78, Jun 16, 2004
    #4
  5. Guest

    Guest Guest

    Hi all.

    If a user tries "show run", the user will see only global statements
    or statements which the user is allowed to change.

    So I think it is not possible for a limited user to see the
    whole output from "show run".

    But it is very easy to give such a user the privilege for
    "show config".
    If the user is not allowed to make
    config changes, there is no great comparison between
    show run (running config) and show config (startup config).

    bye
    /martin
     
    Guest, Jun 20, 2004
    #5
  6. Victor Cappuccio, Jun 21, 2004
    #6
  7. bTq78:
    Look at this configuration, maybe it could help you

    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication ppp default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ none
    aaa authorization network default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+

    tacacs-server host a.b.c.d
    tacacs-server host a.b.c.d+1
    tacacs-server timeout 30
    tacacs-server key YourKey

    line con 0
     password 7 096F673A3A2A
     logging synchronous
    line vty 0 4
     exec-timeout 15 0
     
    Victor Cappuccio, Jun 22, 2004
    #7
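    Combining the "show config" workaround from post #5 with the TACACS+
    approach in post #7, here is an added example (not from any poster in
    this thread) of a read-only level that is granted "show startup-config"
    instead of "show running-config", with level-15 command authorization
    falling back to the local user database rather than "none" when the
    TACACS+ servers are unreachable; every username, secret, key and server
    address is a placeholder to be replaced.

```cisco
! Added example: read-only operator level on Cisco IOS (placeholders throughout)
!
! Local fallback account at a custom level. 'secret' stores a hash of the
! credential instead of the reversible 'password 7' encoding shown above.
username ro-operator privilege 7 secret <REPLACE-WITH-STRONG-SECRET>
!
! Level 7 gets the startup configuration in full: unlike 'show running-config',
! it is not filtered down to the lines the level is allowed to change.
! The two only match after 'write memory', so save before handing it out.
privilege exec level 7 show startup-config
privilege exec level 7 show interfaces
privilege exec level 7 show ip route
privilege exec level 7 show version
privilege exec level 7 show logging
!
! Centralised AAA as in post #7, but command authorization at level 15
! falls back to 'local' (the username database) rather than 'none', so
! an unreachable TACACS+ server does not turn off authorization entirely.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 7 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 7 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
tacacs-server host <TACACS-SERVER-A>
tacacs-server host <TACACS-SERVER-B>
tacacs-server timeout 30
tacacs-server key <REPLACE-WITH-SHARED-KEY>
!
line vty 0 4
 exec-timeout 15 0
 login authentication default
```

    Log in as the level-7 account and run "show privilege" and "show
    startup-config" to confirm the level and that the full saved
    configuration is displayed.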