User privileges

Andrea_83
Level 1

hello guys,

On my customer's CPE I need to create a user for them with privilege 10 that can run the SHOW RUN command. How can I do that? I cannot give a privilege level higher than 10 due to a company policy.

I tried with the privilege exec level 10 show running-config command, but with this solution I can run show run and it does not show the running config information :(

Thanks a lot,

Andrea

5 Replies

Mark Malone
VIP Alumni

Hi

maybe take a look at this doc

IOS Privilege Levels Cannot See Complete Running Configuration

http://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/23383-showrun.html

Hello Mark,

thanks for the reply.

If I understood the document correctly, I should modify the privilege exec manually with everything I want to show, i.e.:

! user at level 6, and the commands lowered to level 6 so they show up
username six privilege 6 password 0 six

privilege exec level 6 interface
privilege exec level 6 snmp
! "all" is a keyword of the privilege command and goes before "level"
privilege exec all level 6 router

etc. Is there a faster way to maintain the same privileges of level 10 and have a full show run?

Yes, it looks like it's by design; you have to specify the commands for the privilege level for them to use them.

When access to the router is configured by privilege levels, a common issue is that the show running or write terminal commands are configured at or below the user's privilege level. When the user executes the command, the configuration appears to be blank. This is actually by design for these reasons:

  • The write terminal / show running-config command shows a blank configuration. This command displays all of the commands that the current user is able to modify (in other words, all the commands at or below the user's current privilege level). The command should not display commands above the user's current privilege level because of security considerations. If so, commands such as snmp-server community could be used to modify the current configuration of the router and gain complete access to the router.
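The following configuration is an added illustration of the behaviour the Cisco document describes; it is not from the thread or from the Cisco document. The username `customer`, the placeholder secret and the interface sub-commands are assumptions chosen for the example.

```cisco
! Added example configuration (not from the original thread).
! Goal: a privilege-10 user who can run "show running-config".
!
! 1. The user and the exec command itself.
username customer privilege 10 secret ChangeMe   ! placeholder password
privilege exec level 10 show running-config
!
! With only the two lines above, "show run" from this user prints an
! almost empty configuration: every configuration command that is still
! at level 15 (enable secret, snmp-server community, ...) is hidden,
! because the output only lists commands the user is allowed to modify.
!
! 2. Each config-mode command you want to appear must be lowered to
!    level 10 as well. Only the commands listed here become visible.
privilege configure level 10 interface
privilege interface level 10 description
privilege interface level 10 ip address
privilege configure level 10 router
privilege configure level 10 ip route
privilege configure level 10 access-list
!
! 3. Shortcut for the show side only: "all" lowers every "show ..."
!    sub-command in one line. It does not make hidden config lines
!    reappear; those still need step 2.
privilege exec all level 10 show
!
! Verification from the customer's session:
!   show privilege        -> "Current privilege level is 10"
!   show running-config   -> only the commands lowered above are listed
```

Lowering a configuration command to level 10 also allows a level-10 user to change it, but only if that user can enter configuration mode. As long as `configure terminal` stays at level 15 the user can read those lines but not modify them; check this on the device before handing over the account, and keep secrets such as `enable secret` and `snmp-server community` at level 15 so they never appear in the customer's output.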

OK, that makes sense.

But is there no way to create a read-only user who can get a complete show run output?

I haven't tested this as we use ACS, but could you not set the user as priv 3 or something low and then allow the show run command for that level, instead of priv 10?

This has better examples  

https://www.safaribooksonline.com/library/view/hardening-cisco-routers/0596001665/ch04s07.html