Preventing display of certain items in running config

vlad.kabatov · ‎09-19-2007

Not sure if anyone has run in to this before, but I am trying to figure out a way to prevent certain items in the running config from displaying.

Here is the situation that I am dealing with:

Using ACS v3.3 to authenticate engineers on network devices, primarily switches. At the same time there is a local username/password for local switch authentication in case of network/ACS unavailability. I am trying to prevent other individuals from viewing the hashed local username/password (since it can be decrypted in seconds) and add or modify existing local users on the network devices. At the same time, I would like those network engineers to be able to view other parts of the running or startup configs and make changes.

Thanks.

Jagdeep Gambhir · ‎09-19-2007

Hi,

You would need set up command authorization in acs. By this you can set up what all commands the specific user can issue.

This is how you do it. Only possible with tacacs.

IOS -

Router(config)# username [username] password [password]

tacacs-server host [ip]

tacacs-server key [key]

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization config-commands

Bring users/groups in at level 15

1. Go to user or group setup in ACS

2. Drop down to "TACACS+ Settings"

3. Place a check in "Shell (Exec)"

4. Place a check in "Privilege level" and enter "15" in the adjacent field

C. Define user/group level command authorization

**NOTE: The syntax of the commands specified MUST be exact and IS case sensitive. Also

note that the router will complete commands like "config t" and send the completed command

to ACS so the complete command must be entered into the "Command:" field (i.e. configure)

and the complete argument must be entered into the arguments field (i.e. terminal) in ACS.

1. Drop down to "Shell Command Authorization Set"

2. Place the radio button in "Per User/Group Command Authorization"

3. Choose Permit or Deny for "Unmatched Cisco IOS Commands"

(This field determines that any command NOT specified in the "Command"

box below will be permitted or denied)

4. Place a check in the "Command:" box and specify the command to be permitted or

denied.

5. If you wish to specify arguments for the command, enter the arguments to be permitted

or denied line by line in the "Arguments:" field. The syntax for this is "permit/deny

argument" (i.e. permit terminal)

6. Place the radio button for "Unlisted Arguments" in either permit or deny.

(This works the same way as the "Unmatched Cisco IOS Commands" radio button above).

Note that if you have no arguments specified, choosing "Permit" will permit the command

and choosing "Deny" will deny the command.

7. Click Submit or (Submit+Restart in group setup). At this time a new, blank command authorization set section will appear so you can repeat the process above with a new

command if necessary.

Find attached the example for denying enable access.

Regards,

~JG

Please rate the helpful posts

vlad.kabatov · ‎09-19-2007

I am aware of the different privilege levels available in the IOS. However, for successful troubleshooting and command verification before final copy run start, I have to allow others to view the running or startup configs; so I can not deny "show run" in the ACS.

At the same time anyone who can view the configuration can decrypt the local password using tools like Cain & Abel or readily available websites.

Have you heard of any other workarounds for this problem?

Jagdeep Gambhir · ‎09-19-2007

I dont think it is possible with tacacs. Check this link, it seems to be possible using local priv

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml