I was wondering if there was a command (perhaps hidden in IOS) that would allow the output of 'show running-config' to hide the passwords and SNMP Community strings, much like when you do a 'show tech-support' command? I am trying to limit what a client sees (using a TACACS+ Server) and I would like to just give them an alternate command that would achieve this goal. Any clue?
a. Unfortunately no. You can use 'service password-encryption' to encrypt your passwords. This way your passwords are not in cleartext.
b. You can then enable privilege levels for different users and restrict access to what commands a user can run. For example, a user cannot run 'show tech' or 'show run' at all.
c. But this way, you can either show the output of a command completely, or restrict access to the command completely. We cannot selectively show parts of an output differently to different users.
d. You can also explore using SNMPv3. The SNMPv3 protocol provides a security model defining new concepts to replace the old community-based pseudo-authentication and provide communication privacy by means of encryption.
TAC Security Solutions
Customer support engineer.
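
Since IOS offers no filtered variant of 'show running-config', one workaround is to sanitize a saved copy of the configuration on a management host before a client sees it. The script below is an added example, not part of the original thread and not a Cisco tool; the rule list is illustrative rather than exhaustive, and the sample config and the `<removed>` placeholder are constructed.

```python
import re

PLACEHOLDER = "<removed>"

# Each rule keeps the keyword prefix (and the encryption-type digit, if any)
# and replaces the secret. Password rules redact to end of line so a secret
# containing spaces cannot leak. Type 7 strings are reversible obfuscation,
# so they are treated as secrets too.
RULES = [
    (re.compile(r"^(\s*enable (?:secret|password)(?: level \d+)?(?: \d+(?= ))?) .+$"),
     r"\1 " + PLACEHOLDER),
    (re.compile(r"^(\s*username \S+ (?:.*? )?(?:password|secret)(?: \d+(?= ))?) .+$"),
     r"\1 " + PLACEHOLDER),
    (re.compile(r"^(\s*password(?: \d+(?= ))?) .+$"), r"\1 " + PLACEHOLDER),
    (re.compile(r"^(\s*(?:tacacs|radius)-server key(?: \d+(?= ))?) .+$"),
     r"\1 " + PLACEHOLDER),
    # Community lines keep their trailing RO/RW keyword and ACL number.
    (re.compile(r"^(\s*snmp-server community) \S+(.*)$"),
     r"\1 " + PLACEHOLDER + r"\2"),
]

def redact_config(text):
    """Return (sanitized_text, number_of_lines_redacted)."""
    out, hits = [], 0
    for line in text.splitlines():
        for pattern, repl in RULES:
            new, n = pattern.subn(repl, line)
            if n:
                line, hits = new, hits + 1
                break
        out.append(line)
    return "\n".join(out), hits

# Constructed sample input; none of these values are real credentials.
SAMPLE = """\
hostname edge-rtr-01
service password-encryption
enable secret 5 $1$CONSTRUCTED$notARealHashValue000
username admin privilege 15 secret 5 $1$CONSTRUCTED$anotherFakeHash111
username noc password 7 0000CONSTRUCTED
snmp-server community ExampleRoString RO 10
snmp-server community ExampleRwString RW
tacacs-server key 7 0000CONSTRUCTEDKEY
line vty 0 4
 password 7 0000CONSTRUCTED
 login
"""

if __name__ == "__main__":
    print(redact_config(SAMPLE)[0])
```

Review the output for secret-bearing lines the rules do not cover before sharing it.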