08-19-2016 07:45 AM
Hello Experts,
Customer's query "We are currently in the process of trying to lock down account access for certain customers to a subset of commands. Do you know if there is a way to limit portions of the running and startup config from being viewed through the show run and show startup commands? We basically want to allow the customer to view the configuration on their ports and have the ability to change the vlans associated with it, but not be able to view other sensitive information in the config.
Please let me know."
Appreciate your help and feedback.
BR,
Ain
08-19-2016 08:25 AM
Hi,
Have you looked into implementing command sets?
Regards,
-Tim
08-19-2016 09:22 AM
Hi Ain,
Switches will not run the contents of the config file through command authorization before displaying. Even if that was a feature, it would take a long time to display.
Instead you can use Role-Based CLI Access (see "User Security Configuration Guide, Cisco IOS Release 15MT - Role-Based CLI Access").
The last time I used this, it restricted what's shown in show run and show conf.
This will require command authorization to be on the switch, however. In ISE/ACS you can send an attribute to assign users to a specific role.
Thanks
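An added example, not part of the original reply: a minimal Role-Based CLI Access view for the use case in the question (see the port configuration, change its access VLAN, nothing else). The view name `CUSTOMER-PORTS`, the interface `GigabitEthernet1/0/10` and the bracketed secrets are constructed placeholders.

```text
! Added example: view name, interface and secrets are placeholders.
! Views require AAA and an enable secret (used to enter the root view).
aaa new-model
enable secret <ENABLE-SECRET>
!
parser view CUSTOMER-PORTS
 secret <VIEW-SECRET>
 ! Exec commands available to the customer account
 commands exec include show running-config
 commands exec include show startup-config
 commands exec include configure terminal
 ! Global configuration: only the listed interface can be entered
 commands configure include interface
 commands configure include interface GigabitEthernet1/0/10
 ! Interface configuration: only the access-VLAN assignment
 commands interface include switchport access vlan
!
! With ISE/ACS, the view is assigned by returning the AAA attribute
! cli-view-name with the value CUSTOMER-PORTS in the authorization result.
```

To check the result, log in as the restricted user, run `show parser view` to confirm the active view, then compare the `show running-config` output against what a privileged account sees.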
08-19-2016 10:34 AM
Thanks for the response Viktor/Tim.
Ain