New Member

privilege for "sh run" but no "conf t" (READ:YES/WRITE:NO)

I want to build a local user (no TACACS!)

that is able to run all show commands (for example "sh run") but isn't able to run "conf t",

so this user can only read but not write!!!

What privilege is needed for this user?

Do I need "privilege exec ..." commands?

Thanks for hints (URL->CCO, config, something else)

8 REPLIES

Re: privilege for "sh run" but no "conf t" (READ:YES/WRITE:NO)

One way...

username joe password blow

username joe priv 15 autocommand show running

New Member

Re: privilege for "sh run" but no "conf t" (READ:YES/WRITE:NO)

I tested it:

ROUTER>sh priv

Current privilege level is 1

ROUTER>

(I expected a level of 15)

and I don't see any output

(of the "sh run" autocommand)

Something wrong with me?

Re: privilege for "sh run" but no "conf t" (READ:YES/WRITE:NO)

Do you have aaa configured? If not use at least the following to test this...

aaa new-model

aaa authentication login default local

aaa authorization exec default local

New Member

Re: privilege for "sh run" but no "conf t" (READ:YES/WRITE:NO)

Works.

But with the autocommand there is always a direct disconnect!

I tried a new user with priv 14:

(username test privilege 14 password ..)

There is no output in "sh run"

(you see only the interfaces)

Is it a requirement that I have priv 15 for "sh run"?

Hall of Fame Super Silver

Re: privilege for "sh run" but no "conf t" (READ:YES/WRITE:NO)

Ralf

One of the things about manipulating privilege levels is that to protect the integrity of the configuration IOS will not show anything in show run that you do not have the ability to change. So if you do not permit config t (and therefore do not have the ability to change anything) what you get in show run is essentially an empty config - showing only things like the interfaces (as you mention).

I find it odd that IOS does not apply the same restriction to the output of show start.

HTH

Rick

New Member

Re: privilege for "sh run" but no "conf t" (READ:YES/WRITE:NO)

Use ACS - great product!

New Member

Re: privilege for "sh run" but no "conf t" (READ:YES/WRITE:NO)

Actually it's not that odd.  "show run" was built for the configuration purposes.  It allows you to see the changes to the configuration as you are making them.  In contrast, "show start" allows you to see the static/saved configuration which is much better suited to read-only users.  When you look at it this way, it is actually a pretty clean separation "tool wise" of read-only and configuration duties.  Hope this helps.
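Putting the thread's pieces together as one local-only configuration (this is an added example, not any poster's own config): the AAA lines from the third reply make the username's privilege level take effect, a custom level below 15 gets "show startup-config" as its read-only view, and "configure terminal" stays at level 15. Level 5, the usernames and the secret placeholders are assumptions.

```ios
! Local AAA so that the privilege level on the username line is applied
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
! Level 5 is an arbitrary choice; any level from 2 to 14 behaves the same.
! Per Rick's observation, "show running-config" is filtered to what the
! level may change, so for a pure read-only view hand out the startup
! config instead. IOS lowers the parent "show" keyword automatically.
privilege exec level 5 show startup-config
!
! Read-only operator stays at level 5; "configure terminal" remains level 15
username readonly privilege 5 secret <set-a-strong-secret>
! Full administrator
username admin privilege 15 secret <set-a-strong-secret>
!
line vty 0 4
 login authentication default
 authorization exec default
```

Verify with "show privilege" after logging in as readonly: it should report level 5, "show startup-config" should print the saved config, and "configure terminal" should be rejected.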

Re: privilege for "sh run" but no "conf t" (READ:YES/WRITE:NO)
