Preventing display of certain items in running config
Not sure if anyone has run into this before, but I am trying to figure out a way to prevent certain items in the running config from displaying.
Here is the situation that I am dealing with:
Using ACS v3.3 to authenticate engineers on network devices, primarily switches. At the same time there is a local username/password for local switch authentication in case of network/ACS unavailability. I am trying to prevent other individuals from viewing the hashed local username/password (since it can be decrypted in seconds) and from adding or modifying existing local users on the network devices. At the same time, I would like those network engineers to be able to view other parts of the running or startup configs and make changes.
Re: Preventing display of certain items in running config
I am aware of the different privilege levels available in the IOS. However, for successful troubleshooting and command verification before final copy run start, I have to allow others to view the running or startup configs, so I cannot deny "show run" in the ACS.
At the same time, anyone who can view the configuration can decrypt the local password using tools like Cain & Abel or readily available websites.
Have you heard of any other workarounds for this problem?