
Create username to run only all show commands on Cisco Switches & Routers

Mohamed Lotfy
Level 1

Dear all,

Please could you help me? I need to add a user account on the Core Switches that can run all show commands and nothing else.

I tried with command:

# username test privilege 14 password 123

I tried privilege levels from 1 to 14; all of them prevent the user from running (#conf t) and from entering configuration mode, as I need.

But with all of these privilege levels the user still can't run #show running-conf.

Could you please advise me?

Mohamed

3 Accepted Solutions

cadet alain
VIP Alumni

Hi Mohamed,

The thing with show running-config is that the user is allowed to see only those parts of the config that it is allowed to configure. So in your case, none.

I might try:

user test pass test

user test privilege 5

privilege configure all level 5 line

privilege configure all level 5 router

privilege configure all level 5 interface

privilege configure all level 5 ip

privilege configure all level 5 service

privilege exec level 5 show running-config

privilege exec level 5 show configuration

privilege exec level 5 show

You can add anything that you want in the "privilege configure" in order for it to appear in the show run of the user. A better solution, I think, is TACACS authentication.

Dan

ebarticel
Level 4

You can create views for different users as well.

aaa new-model

enable view  -to enter root view

password: abcdef

parser view secadmin

secret 12345

You can specify each show command

or use

commands exec include all show

commands exec include show interfaces

commands exec include show ip interface brief

commands exec include configure terminal ......

Hope this helps

Eugen

You may want to run "show run view full" instead - it will work.
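
The parser-view approach from the replies above, laid out in the order IOS expects it and with the account bound to the view. This is an added example, not part of any post in this thread; the view name SHOWONLY, the user name auditor and the angle-bracket secrets are placeholders assumed for illustration.

```cisco
! Added example (not from the thread). SHOWONLY, auditor and the
! <...> secrets are placeholders; substitute your own values.
!
! 1. Global config: views require AAA and an enable secret.
!    Have a working local privilege-15 account before enabling AAA,
!    otherwise the new login method can lock you out of the device.
configure terminal
 aaa new-model
 aaa authentication login default local
 aaa authorization exec default local
 enable secret <enable-secret>
 end
!
! 2. Exec mode: enter the root view (prompts for the enable secret).
enable view
!
! 3. Define the view: every "show" command is included, and
!    "configure terminal" is deliberately left out.
configure terminal
 parser view SHOWONLY
  secret <view-secret>
  commands exec include all show
  exit
 !
 ! 4. Bind the account to the view. "secret" stores a hash of the
 !    password; "password" (as in the original question) does not.
 username auditor view SHOWONLY secret <user-secret>
 end
!
! 5. Verify while logged in as auditor:
!    show parser view               -> reports the current view
!    show running-config view full  -> the form suggested in the last reply
!    configure terminal             -> rejected, it is not in the view
```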