02-12-2018 06:57 AM
Dear community,
I'm looking for ISE to remove sensitive information from the output of certain commands. For example, when issuing a show run command, I want to remove (or replace with *) all lines containing the word username and all lines containing a certain IP like 192.168*
So to put it more concisely, I want to apply a regex.
Is this possible with ISE? I'm assuming no because it is probably not intended for this use but you never know, right?
Many thanks,
Jeroen
02-12-2018 10:55 PM
Hi Jeroen,
Here are the options ISE supports on the command line.
ise/admin# sh run | ?
Output modifier commands:
  begin    Begin with line that matches
  count    Count the number of lines in the output
  end      End with line that matches
  exclude  Exclude lines that match
  include  Include lines that match
  last     Display last few lines of the output
ise/admin# sh run ?
  >     Output Redirection.
  |     Output modifiers.
  <cr>  Carriage return.
ise/admin# sh run > ?
  <File>  Name of file to redirect stdout
You can save it to a file and then parse it the way you want.
It does not support wildcards in the command line.
Thanks
Krishnan
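The save-to-a-file-and-parse approach from the reply above, as an added example that is not part of the original thread: a Python filter that masks or drops sensitive lines in a saved `show run` output. The sample config, the rule list and the function name `redact_config` are assumptions made for illustration.

```python
import re

# Constructed sample of a saved "show run" output (not from a real device).
SAMPLE_CONFIG = """\
hostname cpe-01
username admin privilege 15 secret 9 $9$CONSTRUCTED
enable password EXAMPLE-ONLY
interface GigabitEthernet0/0
 description uplink to 192.1.168.5
 ip address 192.168.10.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.0.1
"""

# Assumed rules: the keywords and the 192.168.x.x range mentioned in the question.
SENSITIVE = [
    re.compile(r"\b(username|password|secret)\b", re.IGNORECASE),
    # Escape the dots and guard both ends so 192.1.168.5 or 1192.168.1.1 do not match.
    re.compile(r"(?<![\d.])192\.168\.\d{1,3}\.\d{1,3}(?![\d.])"),
]

def redact_config(text, rules=SENSITIVE, mode="mask"):
    """Return (redacted_text, hit_count).

    mode="mask" replaces each matching line with asterisks, keeping its
    indentation so the config hierarchy stays readable; mode="drop" removes it.
    """
    if mode not in ("mask", "drop"):
        raise ValueError("mode must be 'mask' or 'drop'")
    out, hits = [], 0
    for line in text.splitlines():
        if any(rule.search(line) for rule in rules):
            hits += 1
            if mode == "mask":
                indent = line[: len(line) - len(line.lstrip())]
                out.append(indent + "*" * 8)
            continue  # matching line is never copied through verbatim
        out.append(line)
    return "\n".join(out) + "\n", hits

if __name__ == "__main__":
    redacted, count = redact_config(SAMPLE_CONFIG)
    print(redacted, end="")
    print(f"# {count} line(s) redacted")
```

Line-level keyword matching only hides what the rules name, so extend the list for other secrets in your configs, such as SNMP community strings or pre-shared keys.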
02-13-2018 03:49 AM
Dear Krishnan,
Many thanks for your reply, but I meant it in another context. Say I give access to a CPE to a third party. I want this 3rd party to be able to do a show run, but without seeing any sensitive information.
Basically, I want ISE to transform show running-config into show running-config | exclude user*|password
I could exclude more information by adding more pipes making this quite flexible.
So to summarize, can ISE replace show running-config with show running-config | exclude user*|password
02-15-2018 02:00 PM
The short answer is no. However, you can leverage the privilege level command and hide certain configuration items from the user which should then also hide it from the running configuration for them.
02-23-2018 02:31 AM
Hi George
I did find a way, I think. I'm going to test this next Wednesday. One can define an alias on the CPE and exclude items.
For instance: alias Test show run | exclude password|user|etc
Then you put config in ISE allowing a user to call only that alias.
I hope this will work out but I'll know soon enough.