09-10-2024 07:23 AM
Hi all,
Is there a way to have a read-only user that can run show tech on IOS-XE devices?
Running versions are 17.9.5 on Cat9300s and 17.9.4a on ISR4k's.
We have an audit run by a third party, and they need read-only access but also need to run show tech.
I've added the following configs so far. "aaa new-model" is enabled, but we use local accounts for various reasons.
I was under the impression that adding an enable secret for level 1 would allow a priv level 1 user to run the command allowed in the "priv exec level 1 xxx" statement, but it wouldn't run. The only enable secret it accepts is the level 15 one, which allows "conf t" etc., which we don't want.
Any ideas?
Many thanks,
Configs added so far:
###add user account with privilege level 1###
!
conf t
username readonly priv 1 secret *********************
end
!
###allow show tech###
!
conf t
privilege exec level 1 show tech-support
end
!
###add level 1 enable password###
!
conf t
enable secret level 1 ***********
end
!
09-10-2024 08:34 AM
- That is not possible; only a 'full admin' can issue show tech, and that is possibly also related to the lots of sensitive information it makes available,
M.
09-10-2024 08:39 AM
Thanks @marce1000
So after further testing, it would appear that priv level 2 and above would allow "show tech unprivileged" if we allow it with the "privilege exec level n xxxxx" command.
The third party have not confirmed what level they need yet, so I'll see if he/she is happy with "show tech unprivileged".
09-10-2024 08:56 AM
>...so I'll see if he/she is happy with "show tech unprivileged".
- Possibly, but I presume with that version they will not get the full output,
M.
09-10-2024 03:10 PM
I do not have a lot of experience with IOS-XE, but this is a lesson I learned on IOS, and I suspect that it also applies to IOS-XE: I had a customer who wanted members of the network support team to be able to use show run, but not to be able to change anything. I set up the parameters in the config so that users with a privilege greater than 1 and less than 15 could execute the show run command. When we tested the result, we found that yes, those users could execute the command and receive output. But when we examined the output, we found that any parameter that could be dynamically configured was suppressed. The only things in our output were the immutable parameters.
09-10-2024 03:53 PM
Hello
@marce1000 wrote: - That is not possible; only a 'full admin' can issue show tech, and that is possibly also related
to the lots of sensitive information it makes available
FYI, it is possible; you just need to specify the parent of the command you wish to run, so as to allow or deny the more specific commands below it.
09-10-2024 08:42 AM
Note: never use show tech without specifying one protocol or service; if you run show tech without specifying one, the device could freeze.
MHM
09-10-2024 08:54 AM
>...if you run show tech without specifying one, the device could freeze
@MHM Cisco World Euh, Hmmm...
09-10-2024 08:45 AM
I've seen your other response suggesting RBAC, but I believe this requires AAA to be configured? Unfortunately we don't have AAA configured.
Thanks anyway though.
09-10-2024 03:49 PM
Hello
You need to add any parent to allow the sub-commands.
Example:
enable algorithm-type sha256 secret xxx
privilege exec level 1 show
privilege exec level 1 show tech-support
privilege exec level 1 show tech-support dhcpv4
end
exit
Router>show tech-support unprivileged dhcpv4
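Putting the pieces of this thread together into one configuration, as an added example that was not posted by any participant: a local user at privilege level 2 (the level the original poster found works for "show tech unprivileged"), an enable secret for that level, and the parent-command entries the reply above says are needed. The account name auditor, the choice of level 2, and the placeholder secrets are assumptions; the verification steps at the end are what to run, logged in as that user, to confirm the result.

```text
! Added example, not from the thread: read-only auditor at privilege level 2.
! The username "auditor" and the level are assumptions; replace the secrets.
conf t
 username auditor privilege 2 secret <auditor-password>
 enable secret level 2 <level-2-enable-secret>
 !
 ! Parent keywords first, then the specific command (per the reply above).
 ! Note that lowering "show tech-support" itself grants that command too,
 ! not only the "unprivileged" form.
 privilege exec level 2 show
 privilege exec level 2 show tech-support
 privilege exec level 2 show tech-support unprivileged
end
!
! Verification, logged in as "auditor" (expected results are assumptions to confirm):
! Router# show privilege
!   -> "Current privilege level is 2"
! Router# show running-config | include privilege
!   -> lists exactly the privilege entries lowered above
! Router# show tech-support unprivileged
!   -> runs; compare its output with a level-15 run, since lower levels
!      may see suppressed sections as described earlier in the thread
! Router# configure terminal
!   -> should be rejected as an invalid command at level 2
```

Run the last check in particular: the whole point of the account is that configuration mode stays out of reach, so confirm that before handing the credentials to the third party.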