10-04-2014 03:21 AM - edited 03-04-2019 11:53 PM
hi guys
I've recently encountered a problem defining privilege levels on a Cisco 3925 router.
I have defined a root user before with full permission (privilege level 15), but now I wanna define a new user with more restricted permission, but I wanna let the new user check the running-config.
here is my configuration:
R3925(config)#username admin privilege 10 secret 4 04CP9hzO5lEnKMbmI1Hi/2DbIkLZMrIH/BfUOrdBL62
R3925(config)#privilege exec level 10 show running-config
R3925(config)#privilege exec all level 10 show running-config
But every time I log in with the "admin" user I cannot check the running-config; the CLI doesn't return any error, but I cannot see anything.
R3925#show running-config
R3925#
11-20-2014 09:07 AM
Hello,
Just to say that Cisco IOS privileges are configured in such a way that a user with no permission to configure, anyone with a level below 15, cannot see the configuration. I mean, if you cannot configure something, you cannot see it. This document explains it:
http://www.cisco.com/en/US/partner/tech/tk59/technologies_tech_note09186a00800949d5.shtml
There are a lot of cases like this one:
https://supportforums.cisco.com/discussion/9865061/privilege-command-show-run-does-not-show-running-config
and more.
Bye.
11-20-2014 04:06 PM
There isn't an easy way to get "show run" to work on any other privilege level. An easier way is to go this route:
ciscorouter(config)# privilege exec all level 3 show running-config
ciscorouter# show running-config view full
Thank you for rating helpful posts!
11-25-2014 01:05 AM
Hello Neno,
Thank you for your answer but I have tried what you have said and it does not run. I only have been able to configure:
ciscorouter(config)# privilege exec level 3 show running-config
In fact, I can create views, but if I access any view other than the root view, I can't execute the following command:
ciscorouter# show running-config view full
So the result is I cannot see the configuration without permission from level 15.
Thank you anyway!
11-25-2014 06:39 PM
Hello Aurora. I just tested this again and it works just fine. In your configuration example though you are missing a key word "all" from your syntax.
You have:
privilege exec level 3 show running-config
But you need:
privilege exec all level 3 show running-config
Give that a try and let me know if it is still not working.
Thank you for rating helpful posts!
11-27-2014 12:51 PM
Hi Neno,
Thank you for answering me again and trying it. I can't introduce "all" in the command and I can't execute
show running-config view full
from any view except from the root view.
In conclusion, I can't see all the conf except being root or priv level 15 user.
Could you send me the rest of configuration, just if you want?
Anyway, thanks again. I suppose it will run but not in my case.
11-28-2014 03:11 PM
What version of code are you running? I tested this in my 3560 switch and a 1921 router and I definitely have the "all" option:
NS-1921(config)#privilege exec ?
all All suboption will be set to the samelevel
level Set privilege level of command
reset Reset privilege level of command
The "all" keyword is needed so that the sub-option commands will be set to the same privilege level.
Here is what I did to test this:
aaa new-model > > > This is a mandatory command for aaa related commands
username level3 privilege 3 password level3 > > > This is my priv-level-3 test account
privilege exec all level 3 show running-config > > > Needed for the "level3" user to be able to execute the "show run view full"
Finally to test with the user:
NS-3560c-01#show privilege
Current privilege level is 3
^ Shows my privilege level
NS-3560c-01#config t
^
% Invalid input detected at '^' marker.
^ Confirms that I cannot get to the "Global Configuration Mode"
NS-3560c-01#sh run view full
Building configuration...
Current configuration : 8191 bytes
!
! Last configuration change at 14:59:26 PST Fri Nov 28 2014 by admin
! NVRAM config last updated at 14:54:44 PST Fri Nov 28 2014 by admin
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname NS-3560c-01
!
boot-start-marker
boot-end-marker
!
logging buffered informational
logging console warnings
!
username admin privilege 15 secret 5 *****
username level3 privilege 3 password 7 060A0A3749425A
no aaa new-model
clock timezone PST -8 0
clock summer-time PST recurring
system mtu routing 1500
no ip source-route
ip routing
ip dhcp excluded-address ******
ip dhcp excluded-address ******
ip dhcp excluded-address ******
!
ip dhcp pool 30
 network 192.168.30.0 255.255.255.0
 default-router 192.168.30.1
 dns-server ***** 4.2.2.2 8.8.8.8
 lease 7
!
ip dhcp pool 1
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 8.8.8.8 4.2.2.2
!
ip dhcp pool 40
 network 192.168.40.0 255.255.255.0
 default-router 192.168.40.1
 dns-server 8.8.8.8 4.2.2.2
!
!
^ Confirms that I can run the "show run view full" command (Some output was cut out)
What does your config look like? Follow my steps above and paste the output.
Thank you for rating helpful posts!
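An added example, not part of any post in this thread and not Cisco tooling: a small Python audit that reads a saved configuration and reports, for each local user, how `show running-config` was delegated to that user's privilege level (with the `all` keyword used in the post above, with `view full` listed explicitly, as the bare command only, or not at all). The sample configuration, the user names `oper` and `guest`, and the category names are constructed for illustration.

```python
import re

# Constructed sample, modelled on the commands quoted in this thread.
SAMPLE = """\
username admin privilege 15 secret 5 <redacted>
username level3 privilege 3 password 7 <redacted>
username oper privilege 10 secret 5 <redacted>
username guest privilege 2 secret 5 <redacted>
privilege exec all level 3 show running-config
"""

USER_RE = re.compile(r"^username (\S+) privilege (\d+)\b", re.M)
PRIV_RE = re.compile(
    r"^privilege exec (all )?level (\d+) (show running-config.*)$", re.M)

def delegations(config):
    """Return (level, has_all, command) for each delegation of show running-config."""
    return [(int(lvl), bool(all_kw), cmd.strip())
            for all_kw, lvl, cmd in PRIV_RE.findall(config)]

def classify(user_level, rules):
    """Describe how 'show running-config view full' reaches this level."""
    if user_level >= 15:
        return "level-15"
    # Privilege levels are cumulative: a command moved to level N
    # is available to every level from N upward.
    usable = [r for r in rules if r[0] <= user_level]
    if any(has_all for _, has_all, _ in usable):
        return "all"        # sub-options such as 'view full' moved with it
    if any(cmd == "show running-config view full" for _, _, cmd in usable):
        return "explicit"   # 'view full' delegated as its own entry
    if usable:
        return "base-only"  # only the bare command was moved
    return "none"

def audit(config):
    """Map each 'username ... privilege N' account to its delegation category."""
    rules = delegations(config)
    return {name: classify(int(lvl), rules)
            for name, lvl in USER_RE.findall(config)}

if __name__ == "__main__":
    for user, state in audit(SAMPLE).items():
        print(f"{user:8} {state}")
```

Accounts reported as `all` or `explicit` can read the complete configuration, stored password hashes included, so the output doubles as a list of who has that read access.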
12-03-2014 01:22 AM
Hello Neno,
I had not seen your answer before, sorry. My version is 12.1(22)EA11, with crypto features. The thing is I can't execute:
Planta5_5(config)#privilege exec all level3 show running-config
^
% Invalid input detected at '^' marker.
The rest, creating a new user for level3 or any level, ok, with aaa activated, but not possible to execute "all".
That is my issue, and so I can't see all the conf.
Planta5_5#sh privi
Current privilege level is 3
Planta5_5#sh run
Building configuration...
Current configuration : 83 bytes
!
! Last configuration change at 09:18:59 UTC Wed Dec 3 2014 by admin
!
!
!
!
end
Thank you anyway!!! I will try in future equipment with other versions.
12-03-2014 02:09 PM
No worries. I would definitely start with upgrading the code. I have tested with both 12.2.x and 15.x
10-23-2018 07:52 AM - edited 10-23-2018 08:17 AM
I have the same issue in IOS 15.x - tried the below but no joy. Also tried adding priv interface level 5 interface commands.
Privilege exec level 5 show running-config view full
Can't seem to display any running config under the priv level
config below
privilege interface level 5 ip address
privilege interface all level 5 ip
privilege interface all level 5 description
privilege configure level 5 interface
privilege exec level 5 traceroute
privilege exec level 5 ping
privilege exec level 5 undebug isdn q931
privilege exec level 5 undebug isdn
privilege exec level 5 undebug
privilege exec level 5 terminal monitor
privilege exec level 5 terminal
privilege exec level 5 show isdn status
privilege exec level 5 show isdn
privilege exec level 5 show version
privilege exec level 5 show logging
privilege exec level 5 show running-config view full
privilege exec level 5 show running-config view
privilege exec level 5 show running-config
privilege exec level 5 show
privilege exec level 5 no debug isdn q931
privilege exec level 5 no debug isdn
privilege exec level 5 no debug
privilege exec level 5 debug isdn q931
privilege exec level 5 debug isdn
privilege exec level 5 debug
10-23-2018 07:58 AM
Hello,
I think you need to type:
show running-config view full
to see the config...
10-23-2018 08:16 AM
Typo in my post*
I had written show running-config view full
No joy!
10-23-2018 08:19 AM
Hello,
what I mean is, after entering the privileges, you have to type:
Router#show running-config view full
to actually see the config...
08-15-2019 04:39 PM
Try adding this command on global config.
file privilege 5
Hope it helps.
01-22-2019 02:28 PM
I face the same problem lots of times practicing with Packet Tracer as well as in the CCNA exam 200-125. I complained about the problem with Cisco and they replied everything was right. They told me I have to work more on it where I am lacking, but I am not satisfied with the answer.