IOS/IOS XE privilege level for show running-config only Version 17.x

Hi

I have read a lot about having different privilege levels configured with username/privilege commands. When I try to achieve this (in my case on an ASR920/V17.6.5) for a user that needs the ability to do show run (but not necessarily conf t), I do not see any output, no matter how I tweak the config, when issuing the "show run" command. I see that the command is accepted, but no output is displayed.

Does anybody have a RUNNING configuration on V17.x and is willing to share the secret ingredients that a config must have in order to get my request working? I have seen in the past that this worked the way many descriptions on the web indicate, but I guess this must have been before V17.

Here's my current config:

test-router#sh run | i aaa
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
test-router#sh run | i privi
username test privilege 6 secret 9 <omitted>
privilege exec level 6 configure terminal
privilege exec level 6 configure
privilege exec level 6 show running-config
privilege exec level 6 show

test-router#ssh -l test 172.20.20.20
Password:

test-router#sh priv
Current privilege level is 6
test-router#sh run
test-router#sh running-config
test-router#sh interface
GigabitEthernet0/0/0 is administratively down, line protocol is down
Hardware is 12xGE-4x10GE-FIXED, address is 34ed.1b90.2580 (bia 34ed.1b90.2580)
Description: tbd
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full Duplex, 1000Mbps, link type is auto, media type is RJ45
output flow-control is unsupported, input flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 packets output, 0 bytes, 0 underruns

test-router#
test-router#
test-router#sh run
test-router#sh running-config
test-router#

8 Replies

Richard Burts
Hall of Fame

I do not have experience with that platform or that version of code, so I cannot speak directly to your issue. But in general my experience is that when you use privilege levels and restrict what the user can change, show run shows only elements that the user can change (so if a user cannot change anything, then show run shows nothing).

HTH

Rick

Is this issue solved or not?

No, not really. I asked explicitly about the running configuration with V17. The way I understand Richard's answer, I'd have to allow all configure statements, but my tests have shown that this does not change anything concerning the empty output. I suspect that older versions may have behaved differently than V17, and that is basically why I asked that way. Maybe I have not made myself clear enough.

You need user1 to have privilege X and user2 to have privilege Y, is that what you are asking for?

There are privilege 1 for "show only" and privilege 15 for "do everything" as defaults in IOS and IOS XE. I often have the requirement to have a user in between that has "show only" plus "show running-config", but no right to configure anything. This user may be the customer that wants to check the work of the service partner, it might be workflows for engineers that should be able to look at the config but are not allowed to change it, or the user with the in-between privilege might be used by backup tools that run with SCP or SSH.
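The following is an added example, not code from the thread or from Cisco: an offline Python model of the privilege-level rule Richard describes above (a user below level 15 sees in show running-config only the config lines they are allowed to change). It parses the kind of username/privilege lines posted in the question, reports which exec commands a user's level reaches, and flags that the posted grants put configure terminal at level 6, which is config-mode access even though the requirement is "show only". The sample config, the one config-mode grant (privilege configure level 6 hostname), the simplified default levels and the parent/child visibility rule are assumptions of this model; it says nothing about what IOS XE 17.x actually does.

```python
import re

# Constructed sample config (assumption, not the asker's full config): mirrors
# the username/privilege lines posted in the question and adds one config-mode
# grant so that the filtering effect has something to show.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username admin privilege 15 secret 9 <omitted>
username test privilege 6 secret 9 <omitted>
privilege exec level 6 configure terminal
privilege exec level 6 configure
privilege exec level 6 show running-config
privilege exec level 6 show
privilege configure level 6 hostname
hostname test-router
interface GigabitEthernet0/0/0
 description tbd
 shutdown
"""

USER_RE = re.compile(r"^username (\S+) privilege (\d+)\b")
PRIV_RE = re.compile(r"^privilege (\S+) level (\d+) (.+)$")

# Simplified defaults (assumption): plain `show` is level 1, while
# `show running-config`, `configure` and every config-mode command need 15.
DEFAULT_LEVELS = {
    "exec": {"show": 1, "show running-config": 15, "configure": 15},
    "configure": {},
}
DEFAULT_LEVEL = 15


def parse_privileges(config):
    """Return ({user: level}, {mode: {command_prefix: level}})."""
    users, grants = {}, {}
    for line in config.splitlines():
        m = USER_RE.match(line)
        if m:
            users[m.group(1)] = int(m.group(2))
            continue
        m = PRIV_RE.match(line)
        if m:
            grants.setdefault(m.group(1), {})[m.group(3).strip()] = int(m.group(2))
    return users, grants


def command_level(command, grants, mode):
    """Level required for `command` in `mode`: explicit grants override the
    defaults, the longest matching command prefix wins, unmatched needs 15."""
    table = dict(DEFAULT_LEVELS.get(mode, {}))
    table.update(grants.get(mode, {}))
    words = command.split()
    for n in range(len(words), 0, -1):
        prefix = " ".join(words[:n])
        if prefix in table:
            return table[prefix]
    return DEFAULT_LEVEL


def can_run(user_level, command, grants, mode="exec"):
    return user_level >= command_level(command, grants, mode)


def filtered_show_run(user_level, config, grants):
    """Model of the rule from the thread: a user sees only config lines whose
    command is authorized at or below their level. Indented sub-mode lines
    follow the visibility of their parent line (assumption of this model)."""
    visible, parent_visible = [], False
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):
            if parent_visible:
                visible.append(line)
            continue
        parent_visible = user_level >= command_level(line.strip(), grants, "configure")
        if parent_visible:
            visible.append(line)
    return visible


def audit_user(user, config):
    """What a user's level actually reaches, with config-mode access flagged."""
    users, grants = parse_privileges(config)
    level = users[user]
    report = {"level": level}
    for cmd in ("show interface", "show running-config", "configure terminal"):
        report[cmd] = can_run(level, cmd, grants, "exec")
    report["config_mode_reachable"] = report["configure terminal"]
    report["show_run_lines"] = filtered_show_run(level, config, grants)
    return report


if __name__ == "__main__":
    for user in ("test", "admin"):
        r = audit_user(user, SAMPLE_CONFIG)
        print(user, "level", r["level"], "config mode:", r["config_mode_reachable"])
        print("  show run lines:", r["show_run_lines"])
    # Same config without the config-mode grant: level 6 sees an empty show run.
    stripped = SAMPLE_CONFIG.replace("privilege configure level 6 hostname\n", "")
    print("without config grant:", audit_user("test", stripped)["show_run_lines"])
```

Under this model the level-6 user sees exactly one line, hostname test-router, because that is the only config command granted at or below 6; remove that grant and the output is empty, which is the symptom reported in the question. The audit also shows configure terminal reachable at level 6, so a "show only" user defined this way is not show only.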

Thanks for the clarification. It may be that V17 does act differently. Unfortunately I do not have expertise with V17 and cannot offer any good advice. I hope someone else in the community can join in with advice. Do you have a service contract? Is Cisco TAC an option?

HTH

Rick

Can I see the config of the vty you use to access it?

@richard: Sorry, currently no possibility to contact TAC for that matter.
@MHM Cisco World: my test equipment has been moved out recently. I have to see whether I can set up a new environment.