cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2530
Views
0
Helpful
8
Replies

priviledge for "sh run" but no "conf t" (READ:YES/WRITE:NO)

rnolden
Level 1
Level 1

i want to build a local user (no TACACS!)

that is able to make all show commands (with for example "sh run") but isn't able to make "conf t"

so this user can only read but not write !!!

What Priviledge is needed for this user?

Do i need "priviledge exec ..." commands?

thanks for hints (URL->CCO, Config, some else)

8 Replies 8

pompeychimes
Level 4
Level 4

One way...

username joe password blow

username joe priv 15 autocommand show running

i tested it:

ROUTER>sh priv

Current privilege level is 1

ROUTER>

(I expected a level of 15)

and i don't see any Output

(of the "sh run" autocommand)

something wrong with me?

Do you have aaa configured? If not use at least the following to test this...

aaa new-model

aaa authentication login default local

aaa authorization exec default local

works.

but with the autocommand there is always a directly disconnect !

i tried a new user with priv 14:

(username test privilege 14 password ..)

there is no uoutput in "sh run "

(you see only the interfaces)

is it a requirement that i have priv15 for "sh run "

Ralf

One of the things about manipulating privilege levels is that to protect the integrity of the configuration IOS will not show anything in show run that you do not have the ability to change. So if you do not permit config t (and therefore do not have the ability to change anything) what you get in show run is essentially an empty config - showing only things like the interfaces (as you mention).

I find it odd that IOS does not apply the same restriction to the output of show start.

HTH

Rick

HTH

Rick

use ACS - great product!

Actually it's not that odd.  "show run" was built for the configuration purposes.  It allows you to see the changes to the configuration as you are making them.  In contrast, "show start" allows you to see the static/saved configuration which is much better suited to read-only users.  When you look at it this way, it is actually a pretty clean separation "tool wise" of read-only and configuration duties.  Hope this helps.

johnlloyd_13
Level 9
Level 9
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco