Can ISE parse the result of an authorized command?

Jeroen1001
Level 1

Dear community,

I'm looking for ISE to remove sensitive information from the output of certain commands. For example, when issuing a show run command, I want to remove (or replace with *) all lines containing the word username and all lines containing a certain IP like 192.168*

So to put it more concisely, I want to apply a regex.

Is this possible with ISE? I'm assuming no because it is probably not intended for this use but you never know, right?

Many thanks,

Jeroen

Accepted Solutions

kthiruve
Cisco Employee

Hi Jeroen,

Here are the options ISE supports on the command line.

ise/admin# sh run | ?
Output modifier commands:
  begin    Begin with line that matches
  count    Count the number of lines in the output
  end      End with line that matches
  exclude  Exclude lines that match
  include  Include lines that match
  last     Display last few lines of the output

ise/admin# sh run ?
  >     Output Redirection.
  |     Output modifiers.
  <cr>  Carriage return.

ise/admin# sh run > ?
  <File>  Name of file to redirect stdout

You can save it to a file and then parse it the way you want.

It does not support wildcards on the command line.

Thanks

Krishnan
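
The "save it to a file and then parse it" route from the answer above, as an added example that is not part of the original post or any Cisco tooling: a Python filter that masks the lines the question asks about (the words username and password, and addresses in 192.168.x.x) in a saved show run. The function names and the sample configuration are constructed for illustration.

```python
import re

# Keywords and prefix come from the thread; extend per local policy.
SENSITIVE_WORDS = ("username", "password")
IP_PREFIX = "192.168."

# Constructed sample of a saved "show run" (not from a real device).
SAMPLE = """\
hostname cpe-01
username admin privilege 15 secret 5 constructed-hash
enable password constructed-value
interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet0/1
 ip address 10.192.168.1 255.255.255.0
line vty 0 4
 password constructed-value
"""

def build_pattern(words=SENSITIVE_WORDS, ip_prefix=IP_PREFIX):
    """Compile one regex that flags a whole line as sensitive."""
    word_alt = "|".join(re.escape(w) for w in words)
    # Escape the dots and anchor the prefix at the start of a dotted quad,
    # so 10.192.168.1 (which contains "192.168") is not flagged.
    ip = r"(?<![\d.])" + re.escape(ip_prefix) + r"\d{1,3}\.\d{1,3}(?!\d)"
    return re.compile(rf"\b(?:{word_alt})\b|{ip}", re.IGNORECASE)

def redact_config(text, pattern=None, mask="*" * 8):
    """Return (redacted_text, hits). A flagged line keeps its indentation
    but its content becomes the mask, so the block structure stays readable."""
    pattern = pattern or build_pattern()
    out, hits = [], 0
    for line in text.splitlines():
        if pattern.search(line):
            indent = line[: len(line) - len(line.lstrip())]
            out.append(indent + mask)
            hits += 1
        else:
            out.append(line)
    return "\n".join(out) + "\n", hits

if __name__ == "__main__":
    redacted, hits = redact_config(SAMPLE)
    print(redacted, end="")
    print(f"! {hits} line(s) masked")
```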

Dear Krishnan,

Many thanks for your reply, but I meant it in another context. Say I give access to a CPE to a third party. I want this 3rd party to be able to do a show run, but without seeing any sensitive information.

Basically, I want ISE to transform show running-config into show running-config | exclude user*|password

I could exclude more information by adding more pipes making this quite flexible.

So to summarize, can ISE replace show running-config with show running-config | exclude user*|password?

The short answer is no. However, you can leverage the privilege level command and hide certain configuration items from the user which should then also hide it from the running configuration for them.

Hi George

I did find a way, I think. I'm going to test this next Wednesday. One can define an alias on the CPE and exclude items.

for instance: alias Test show run | exclude password|user|etc

Then you put config in ISE allowing a user to call only that alias.

I hope this will work out but I'll know soon enough.