cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
410
Views
5
Helpful
10
Replies

Read-only access and run show tech on IOS-XE devices

atsukane
Level 1
Level 1

Hi all,

Is there a way to have a read-only user that can run show tech on IOS--XE devices? 

Running versions are 17.9.5 on Cat9300s and and 17.9.4a on ISR4k's.

We have an audit run by a third party and they need a readonly access but also need to run show tech.

I've added the following configs so far. "aaa new-model" is enabled, but we use local accounts for various reasons.

I was under the impression that by adding enable secret for level 1 would allow priv level 1 user to run the command allowed in the "priv exec level 1 xxx" statement, but it wouldn't run. Only enable secret it accepts is the level 15 one which allows "conf t" etc which we don't want.

Any ideas?

Many thanks,

Configs added so far:

###add user account with priviledge level 1###
!
conf t
username readonly priv 1 secret *********************
end
!

###allow show tech###
!
conf t
privilege exec level 1 show tech-support
end
!

###add level 1 enable password###
!
conf t
enable secret level 1 ***********
end
!

 

 

10 Replies 10

marce1000
VIP
VIP

 

 - That is not possible only a 'full admin' can issue show tech also and possibly related
    to lots of sensitive information becoming available ,

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Thanks @marce1000 

So after further testing it would appear that priv level 2 and above would allow "show tech unprivileged" if we allow it with the  "privilege exec level n xxxxx" command". 

The third party have not confirmed what level they need yet, so I'll see if he/she is happy with "show tech unprivileged".

 

 

       >...so I'll see if he/she is happy with "show tech unprivileged".
  - Possibly , but I presume with that version they will not get the full output , 

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

I do not have a lot of experience with IOS-XE but this is a lesson I learned on IOS and I suspect that also applies to IOS-XE: I had a customer who wanted members of the network support team to be able to use show run, but not to be able to change anything. I set up the parameters in the config so that users with privilege greater than 1 and less than 15 could execute show run command. When we tested the result we found that yes those users could execute the command and receive output. But when we examined the output we found that any parameter that could be dynamically configured was suppressed. The only thing in our output were the immutable parameters.

HTH

Rick

Hello


@marce1000 wrote:

 - That is not possible only a 'full admin' can issue show tech also and possibly related
    to lots of sensitive information becoming available 


FYI it is possible, you just need to specify the parent of the command you wish to run, so to allow or deny the more specific commands below it.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Start learning cybersecurity with CBT Nuggets. https://courses.cbt.gg/security In this video, Keith Barker covers Parser Views for Role Based Access Control (RBAC). Think of Parser Views as a filter that only allows users to see a particular "view," which is defined by their permission levels ...

Note:- never use show tech without specify one protocol or service, if you run show tech without specfiy then device could freeze

MHM

 

      >...if you run show tech without specfiy then device could freeze

              @MHM Cisco World       EUh , Hmmm...



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

i've seen your other response suggesting the RBAC, but I believe this requires AAA to be configured? Unfrotunately we don't have AAA configured.

Thanks anyway though.

Hello
you need to add any parent to allow sub commands

example
enable algorithm-type sha256 secret xxx
privilege exec level 1 show
privilege exec level 1 show tech-support
privilege exec level 1 show tech-support dhcpv4
end
exit

Router>show tech-support unprivileged dhcpv4


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
Review Cisco Networking for a $25 gift card