Switch management

Oct 7th, 2009


I need to configure a read-only user on a Cisco 2960 switch. They want to see the config.

How can I hide the enable password in the config from the read-only users?

The encrypted password is not enough.

shansfeldt Wed, 10/07/2009 - 23:12


The version is:

(C2960-LANBASEK9-M), Version 12.2(50)SE

Cisco 2960-24TT-L

Best Regards


Joe Clarke Thu, 10/08/2009 - 08:42

You can use the Embedded Event Manager to post-process the configuration, and filter out passwords. I actually had another user ask for this, so I developed this Tcl policy to filter out passwords and community strings. Of course, to actually limit them to certain commands (i.e. prevent them from entering config t mode), you would need to use other policies, or AAA command authorization.

To register this EEM policy, create a directory on flash like flash:/policies. Copy the script into this directory. Then configure:

event manager directory user policy flash:/policies

event manager policy cl_show_run.tcl

Now execute "show running-config". You'll notice the password fields are missing. Now execute "write term". You'll see the passwords show up. So, in AAA, limit your read-only user to only being able to run "show run", and they will not be able to see passwords.
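The policy Joe attached is not reproduced on this page, so here is an added example of the same technique (my own code, not his cl_show_run.tcl): a synchronous EEM CLI policy that runs the user's "show run" itself, blanks the secret part of password, secret, community and key lines, and prints the filtered result. It assumes the sync-mode convention that exit 0 suppresses the original command and exit 1 lets it run; the file name and the list of secret patterns are my assumptions.

```tcl
# flash:/policies/cl_show_run_redact.tcl  (hypothetical file name)
# Added example: redact secrets from "show run" before a read-only user sees it.
# Assumption: with sync yes the policy runs first and its exit status decides
# whether IOS then runs the real command (exit 1) or not (exit 0).
::cisco::eem::event_register_cli pattern "show run" sync yes

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

# The command line the user actually typed arrives as "msg".
array set arr_einfo [event_reqinfo]
set cmd $arr_einfo(msg)

# Assumed list of config lines whose secret part is replaced; extend as needed.
# Each pattern captures the prefix to keep in group 1.
set secret_patterns {
    {^(\s*enable (?:secret|password)(?: \d)?) .*$}
    {^(\s*username \S+(?: privilege \d+)? (?:secret|password)(?: \d)?) .*$}
    {^(\s*snmp-server community) .*$}
    {^(\s*(?:tacacs-server|radius-server) (?:host \S+ )?key(?: \d)?) .*$}
    {^(\s*(?:key-string|crypto isakmp key)) .*$}
}

proc redact_line {line patterns} {
    foreach p $patterns {
        if {[regexp -- $p $line -> prefix]} {
            return "$prefix <removed>"
        }
    }
    return $line
}

# Run the real command in an EEM CLI session and print the filtered output.
if {[catch {cli_open} result]} {
    error $result $errorInfo
}
array set cli1 $result
if {[catch {cli_exec $cli1(fd) "enable"} result]} {
    error $result $errorInfo
}
if {[catch {cli_exec $cli1(fd) $cmd} result]} {
    error $result $errorInfo
}
cli_close $cli1(fd) $cli1(tty_id)

foreach line [split $result "\n"] {
    puts [redact_line $line $secret_patterns]
}

# exit 0: the CLI must not run the original, unfiltered command.
exit 0
```

Only commands matching the registered pattern are filtered, so, as Joe notes, "write term" (and "show tech") still print the full config unless AAA command authorization or a further policy covers them.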

shansfeldt Thu, 10/08/2009 - 03:49


No, the users want to log in to the switch as read-only and then run "sh config".

They want to see the config, but I don't want them to see the password, even if it is encrypted.

If I do a config like below, they can do a show tech-support.

The problem here is that the config is not there.

aaa new-model

username xxxx privilege 2 password xxxx

aaa authorization exec default local

privilege exec level 2 sh tech

Thanks for your time!

Best Regards
