10-07-2009 10:04 AM
Hi,
I need to configure a read-only user on a Cisco 2960 switch. They want to see the config.
How can I hide the enable password in the config from the read-only users?
The encrypted password is not enough.
10-07-2009 11:36 AM
What version of code is running on the switch?
10-07-2009 11:12 PM
Hi,
The version is:
(C2960-LANBASEK9-M), Version 12.2(50)SE
Cisco 2960-24TT-L
Best Regards
Magnus
10-08-2009 08:42 AM
You can use the Embedded Event Manager to post-process the configuration and filter out passwords. I actually had another user ask for this, so I developed this Tcl policy to filter out passwords and community strings. Of course, to actually limit them to certain commands (i.e., prevent them from entering config t mode), you would need to use other policies, or AAA command authorization.
To register this EEM policy, create a directory on flash like flash:/policies. Copy the script into this directory. Then configure:
event manager directory user policy flash:/policies
event manager policy cl_show_run.tcl
Now execute "show running-config". You'll notice the password fields are missing. Now execute "write term". You'll see the passwords show up. So, in AAA, limit your read-only user to only being able to run "show run", and they will not be able to see passwords.
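The password-filtering step of the EEM approach above, shown as an added offline Python example rather than the cl_show_run.tcl policy from the post: it redacts the secret material from captured "show running-config" text while keeping the surrounding commands readable. The regex rules and the sample config are my own assumptions and constructed data, not taken from the original thread.

```python
import re

# Added example (not the thread's EEM Tcl policy): an offline redaction filter
# over captured "show running-config" text. Rules are assumptions about common
# IOS credential lines; extend them for your platform's syntax.
PLACEHOLDER = "<removed>"
# Each rule: (regex, replacement). Group 1 keeps the keywords and any encryption-type
# digit so the config stays readable; only the secret itself is replaced.
_RULES = [
    # enable secret 5 $1$... | enable password 7 0822... | enable password plain
    (re.compile(r"^(\s*enable (?:secret|password)(?: \d)?) .+$"), r"\1 " + PLACEHOLDER),
    # username X [privilege N] secret 5 ... | username X password 7 ...
    (re.compile(r"^(\s*username \S+(?: privilege \d+)? (?:secret|password)(?: \d)?) .+$"), r"\1 " + PLACEHOLDER),
    # snmp-server community STRING [RO|RW] [acl]  (keep the trailing options)
    (re.compile(r"^(\s*snmp-server community) \S+(.*)$"), r"\1 " + PLACEHOLDER + r"\2"),
    # tacacs-server key 7 ... | radius-server key ...
    (re.compile(r"^(\s*(?:tacacs|radius)-server key(?: \d)?) .+$"), r"\1 " + PLACEHOLDER),
    # key-string SECRET (routing-protocol key chains)
    (re.compile(r"^(\s*key-string(?: \d)?) .+$"), r"\1 " + PLACEHOLDER),
    # crypto isakmp key SECRET address A.B.C.D  (keep the peer address)
    (re.compile(r"^(\s*crypto isakmp key(?: \d)?) \S+( address .*)$"), r"\1 " + PLACEHOLDER + r"\2"),
]

def redact_line(line: str) -> str:
    """Return the line with any matched secret replaced by PLACEHOLDER."""
    for pattern, repl in _RULES:
        if pattern.match(line):
            return pattern.sub(repl, line)
    return line

def redact_config(text: str) -> str:
    """Redact a whole config; line order and indentation are preserved."""
    return "\n".join(redact_line(line) for line in text.splitlines())

# Constructed sample: the hashes and keys are placeholders, not real values.
SAMPLE_CONFIG = """\
hostname SW1
enable secret 5 $1$abcd$EXAMPLEHASHONLY.
enable password 7 0822455D0A16
username magnus privilege 2 password 7 104D000A0618
username admin privilege 15 secret 5 $1$efgh$EXAMPLEHASHONLY.
snmp-server community public RO 10
tacacs-server key 7 12345678
  key-string s3cr3t
crypto isakmp key ExampleKey address 192.0.2.1
 ip address 192.0.2.10 255.255.255.0
"""

if __name__ == "__main__":
    print(redact_config(SAMPLE_CONFIG))
```

Because the filter works on the command text, a line it does not recognise is passed through unchanged, so review the output once for your platform before handing it to read-only users.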
10-07-2009 01:04 PM
Do a "sh tech" and cut out the bottom bit.
10-08-2009 03:49 AM
Hi,
No, the users want to login to the switch as read-only and then run "sh config".
They want to see the config, but I don't want them to see the password, even if it is encrypted.
If I do a config like below, they can do a show tech-support.
The problem here is that the config is not there.
aaa new-model
username xxxx privilege 2 password xxxx
aaa authorization exec default local
privilege exec level 2 sh tech
Thanks for your time!
Best Regards
Magnus