Custom privilege level for Show Run command does not give full output

iguidroz
Level 1

I need to create a read only custom privilege level for an automated service acct that can execute the show run and show tech commands. I used privilege level 2 for the radius authentication and have the below commands set on my test switch. I am able to execute the show run command, but only see a few lines of output.

IOS Privilege Levels Cannot See Complete Running Configuration - Cisco

After reading up on this, I see several people running into the same situation where it appears that the show run command will not give output on any parameter that the current account does not have access to configure. This would mean that there is not an option to create a read only account. I have re-read this document a few times and believe that I must certainly be missing something here. 


Priv-2 commands

  • privilege exec level 2 show running-config
  • privilege exec level 2 show tech


6 Replies

Did you try Role-Based Access Control (RBAC)? This can solve your issue.

MHM
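As an added illustration of the RBAC suggestion above (this is not configuration from the thread or from Cisco's documentation), the following sketches a read-only parser view for an automated collector. The view name SHOWONLY, the account name collector, and the secret placeholders are all hypothetical; the exact command set and the behaviour of `show running-config view full` should be verified against the IOS release in use before relying on it.

```cisco
! Added example, not from the original thread. Assumed names: view SHOWONLY,
! local user "collector". Secrets are placeholders.
!
! Role-based CLI views require AAA and an enable secret for the root view.
aaa new-model
enable secret <root-secret-placeholder>
!
! The root view must be entered once in exec mode before views can be created:
!   enable view
!
parser view SHOWONLY
 secret <view-secret-placeholder>
 ! Assumption to verify on the target platform: "show running-config view full"
 ! is the form intended to return the complete running configuration to a view
 ! user, rather than only the commands the view itself has been granted.
 commands exec include show running-config view full
 commands exec include show tech-support
 commands exec include show version
 commands exec include show interfaces
!
! Bind the collector account to the view rather than to a privilege level.
! Shown here as a local user; with RADIUS the server would return the view
! name as a Cisco AV pair instead (consult the AAA documentation for the
! attribute syntax, which is not reproduced here).
username collector view SHOWONLY secret <collector-secret-placeholder>
```

The point of the view approach, compared with `privilege exec level 2 show running-config`, is that the account receives an explicit allow-list of exec commands and no configuration commands at all, which is what a read-only service account in a high-security environment should look like. After applying it, log in as the collector account and confirm both that `show running-config` returns the whole configuration and that entering `configure terminal` is rejected.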

I have not, I will give this a shot today. Thank you for the suggestion!

liviu.gheorghe
Spotlight

Hello @iguidroz ,

What you are describing is normal behaviour with privilege exec commands in IOS. Look at the additional details at the end of the linked document you provided.

One way of doing things is to move all commands the level 2 user needs to see in the show running-config output onto privilege exec level 2.

Hope this helps.

Regards, LG
*** Please Rate All Helpful Responses ***

Thanks for the response!

That is what I was afraid of. I do not want to allow write access for commands in order to do this. I am in a high security environment and the account is in use by an automated service that needs to view the entire running config. It is interesting to me that Cisco has this restricted view of the running config, due to "security reasons", but allows view of the entire startup config. Sounds like a bug rebranded as a feature to me.

I don't think it's a question of a bug. It's more a question of history. I know this feature has been around in this form for more than 20 years. Back then security wasn't as important as it is today, at least for a vast majority of customers.

In this case, what @MHM Cisco World suggested could be a better solution. I haven't used it in any implementation, so I cannot say for sure if it's a right fit for you, but it's worth a shot.

Regards, LG
*** Please Rate All Helpful Responses ***

Ahh that makes more sense. I am looking into the RBAC solution now.