07-03-2009 05:10 AM - edited 03-12-2019 04:53 PM
i want to build a local user (no TACACS!)
that is able to make all show commands (with for example "sh run") but isn't able to make "conf t"
so this user can only read but not write !!!
What Priviledge is needed for this user?
Do i need "priviledge exec ..." commands?
thanks for hints (URL->CCO, Config, some else)
07-03-2009 07:41 AM
One way...
username joe password blow
username joe priv 15 autocommand show running
07-03-2009 08:43 AM
i tested it:
ROUTER>sh priv
Current privilege level is 1
ROUTER>
(I expected a level of 15)
and i don't see any Output
(of the "sh run" autocommand)
something wrong with me?
07-03-2009 09:51 AM
Do you have aaa configured? If not use at least the following to test this...
aaa new-model
aaa authentication login default local
aaa authorization exec default local
07-09-2009 01:05 AM
works.
but with the autocommand there is always a directly disconnect !
i tried a new user with priv 14:
(username test privilege 14 password ..)
there is no uoutput in "sh run "
(you see only the interfaces)
is it a requirement that i have priv15 for "sh run "
07-09-2009 03:10 AM
Ralf
One of the things about manipulating privilege levels is that to protect the integrity of the configuration IOS will not show anything in show run that you do not have the ability to change. So if you do not permit config t (and therefore do not have the ability to change anything) what you get in show run is essentially an empty config - showing only things like the interfaces (as you mention).
I find it odd that IOS does not apply the same restriction to the output of show start.
HTH
Rick
07-09-2009 05:47 AM
use ACS - great product!
04-16-2010 02:47 PM
Actually it's not that odd. "show run" was built for the configuration purposes. It allows you to see the changes to the configuration as you are making them. In contrast, "show start" allows you to see the static/saved configuration which is much better suited to read-only users. When you look at it this way, it is actually a pretty clean separation "tool wise" of read-only and configuration duties. Hope this helps.
07-09-2009 06:10 AM
you can do the IOS role-based CLI access:
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_role_base_cli.html#wp1048442
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide