Switch management

shansfeldt
Frequent Visitor

Hi,

I need to configure a read-only user on a Cisco 2960 switch. They want to see the config.

How can I hide the enable password in the config from the read-only users?

The encrypted password is not enough.

5 Replies

Joe Clarke
Cisco Employee

What version of code is running on the switch?

Hi,

The version is:

(C2960-LANBASEK9-M), Version 12.2(50)SE

Cisco 2960-24TT-L

Best Regards

Magnus

You can use the Embedded Event Manager to post-process the configuration and filter out passwords. I actually had another user ask for this, so I developed this Tcl policy to filter out passwords and community strings. Of course, to actually limit them to certain commands (i.e., prevent them from entering config t mode), you would need to use other policies or AAA command authorization.

To register this EEM policy, create a directory on flash like flash:/policies. Copy the script into this directory. Then configure:

event manager directory user policy flash:/policies

event manager policy cl_show_run.tcl

Now execute "show running-config". You'll notice the password fields are missing. Now execute "write term". You'll see the passwords show up. So, in AAA, limit your read-only user to only being able to run "show run", and they will not be able to see passwords.
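As an added illustration of the approach described in the reply above (this is not Joe Clarke's actual cl_show_run.tcl, which is not reproduced in the thread), here is what such an EEM Tcl CLI policy can look like. It assumes the ::cisco::eem and ::cisco::lib Tcl libraries shipped with EEM on 12.2(50)SE, that an `exit 0` from a synchronous CLI policy tells the CLI event detector not to run the operator's original command, and that the list of secret-bearing lines is illustrative and would be extended for a real deployment.

```tcl
# cl_show_run.tcl -- illustrative EEM Tcl CLI policy (added example, not the
# script from the reply). Registered as a synchronous CLI event, it runs
# instead of the operator's own "show run" / "show running-config", re-runs
# the command on the EEM VTY, and prints the output with secret values
# replaced by a marker.
::cisco::eem::event_register_cli pattern "^sh(ow)? run(ning-config)?$" sync yes

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

# Each rule is {regex replacement}: group 1 keeps the command head, the secret
# tail is dropped. This list is an assumption for the example; add any other
# secret-bearing lines the platform emits.
set secret_rules {
    {^(enable (secret|password) )(.*)$}            {\1<redacted>}
    {^(username \S+.* (secret|password) )(.*)$}    {\1<redacted>}
    {^(snmp-server community )(.*)$}               {\1<redacted>}
    {^(tacacs-server key )(.*)$}                   {\1<redacted>}
    {^(radius-server key )(.*)$}                   {\1<redacted>}
    {^(radius-server host .* key )(.*)$}           {\1<redacted>}
    {^(\s*key-string )(.*)$}                       {\1<redacted>}
    {^(\s*password )(.*)$}                         {\1<redacted>}
}

# Apply the first matching rule to every line of the captured output.
proc redact_config {text rules} {
    set out {}
    foreach line [split $text "\n"] {
        foreach {re repl} $rules {
            if {[regsub -- $re $line $repl line]} { break }
        }
        lappend out $line
    }
    return [join $out "\n"]
}

# Open a VTY on the EEM side (privilege 15) and run the unfiltered command
# there. The "| include ." suffix keeps every non-empty line but makes the
# command string differ from the anchored pattern above, so the policy
# cannot re-trigger itself.
if {[catch {cli_open} result]} {
    error $result $errorInfo
}
array set cli1 $result
if {[catch {cli_exec $cli1(fd) "enable"} result]} {
    error $result $errorInfo
}
if {[catch {cli_exec $cli1(fd) "show running-config | include ."} result]} {
    error $result $errorInfo
}
cli_close $cli1(fd) $cli1(tty_id)

# Print the redacted copy to the operator's terminal, then exit 0 so the CLI
# event detector drops the original, unfiltered command (assumed semantics
# of the sync exit status).
puts [redact_config $result $secret_rules]
exit 0
```

As the reply notes, the policy only covers the registered pattern: write term, show startup-config and show tech-support still print the raw configuration, so it has to be paired with AAA command authorization that limits the read-only user to the filtered command.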

Leo Laohoo
Hall of Fame

Do a "sh tech" and cut out the bottom bit.

Hi,

No, the users want to login to the switch as read-only and then run "sh config".

They want to see the config, but I don't want them to see the password, even if it is encrypted.

If I do a config like below, they can do a show tech-support.

The problem here is that the config is not there.

aaa new-model

username xxxx privilege 2 password xxxx

aaa authorization exec default local

privilege exec level 2 sh tech

Thanks for your time!

Best Regards

Magnus