Cisco Support Community
New Member

Switch management

Hi,

I need to configure a read-only user on a Cisco 2960 switch. They want to see the config.

How can I hide the enable password in the config from the read-only users?

The encrypted password is not enough.

5 REPLIES
Cisco Employee

Re: Switch management

What version of code is running on the switch?

New Member

Re: Switch management

Hi,

The version is:

(C2960-LANBASEK9-M), Version 12.2(50)SE

Cisco 2960-24TT-L

Best Regards

Magnus

Cisco Employee

Re: Switch management

You can use the Embedded Event Manager to post-process the configuration and filter out passwords. I actually had another user ask for this, so I developed this Tcl policy to filter out passwords and community strings. Of course, to actually limit them to certain commands (i.e. prevent them from entering config t mode), you would need to use other policies, or AAA command authorization.

To register this EEM policy, create a directory on flash like flash:/policies. Copy the script into this directory. Then configure:

event manager directory user policy flash:/policies

event manager policy cl_show_run.tcl

Now execute "show running-config". You'll notice the password fields are missing. Now execute "write term". You'll see the passwords show up. So, in AAA, limit your read-only user to only being able to run "show run", and they will not be able to see passwords.
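The filtering such a policy performs, shown here as an added example rather than the Tcl policy from the reply (which is not reproduced on this page): a standalone Python redactor run over a constructed IOS config excerpt, which keeps the keyword and password-type digit (0/5/7) and drops only the secret argument or community string, so the same check can be applied to any captured "show run" or "show startup-config" output.

```python
import re

# Constructed running-config excerpt; hashes and type-7 strings are placeholders.
SAMPLE_CONFIG = """\
hostname sw1
enable secret 5 $1$abcd$ExampleHashOnlyNotRealXXXX/
username magnus privilege 2 password 7 0822455D0A16
username admin secret 5 $1$wxyz$AnotherPlaceholderHashXX.
snmp-server community public RO 10
tacacs-server key 7 1511021F0725
line vty 0 4
 password 7 094F471A1A0A
 login
end
"""

# Each pattern names the keyword prefix to keep, the sensitive token to drop,
# and any trailing arguments (e.g. the SNMP RO/RW mode and ACL number) to keep.
SECRET_LINE_PATTERNS = [
    re.compile(r"^(?P<prefix>\s*enable (?:secret|password)(?: \d)?) (?P<secret>\S+)(?P<suffix>.*)$"),
    re.compile(r"^(?P<prefix>\s*username \S+(?: privilege \d+)? (?:secret|password)(?: \d)?) (?P<secret>\S+)(?P<suffix>.*)$"),
    re.compile(r"^(?P<prefix>\s*snmp-server community) (?P<secret>\S+)(?P<suffix>.*)$"),
    re.compile(r"^(?P<prefix>\s*(?:tacacs-server|radius-server) key(?: \d)?) (?P<secret>\S+)(?P<suffix>.*)$"),
    re.compile(r"^(?P<prefix>\s+password(?: \d)?) (?P<secret>\S+)(?P<suffix>.*)$"),  # line con/vty
]


def redact_config(config_text, marker="<removed>"):
    """Return config_text with credential and community-string arguments replaced by marker.

    Only the sensitive argument is dropped; the keyword, the password type digit
    and any trailing options stay so the line remains readable.
    """
    redacted = []
    for line in config_text.splitlines():
        for pattern in SECRET_LINE_PATTERNS:
            m = pattern.match(line)
            if m:
                line = f"{m['prefix']} {marker}{m['suffix']}"
                break
        redacted.append(line)
    return "\n".join(redacted) + ("\n" if config_text.endswith("\n") else "")


def leaked_secrets(original, redacted):
    """Sensitive tokens from original that still appear in redacted text (should be empty)."""
    leaks = []
    for line in original.splitlines():
        for pattern in SECRET_LINE_PATTERNS:
            m = pattern.match(line)
            if m and m["secret"] in redacted:
                leaks.append(m["secret"])
    return leaks


if __name__ == "__main__":
    print(redact_config(SAMPLE_CONFIG))
```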

Hall of Fame Super Gold

Re: Switch management

Do a "sh tech" and cut out the bottom bit.

New Member

Re: Switch management

Hi,

No, the users want to log in to the switch as read-only and then run "sh config".

They want to see the config, but I don't want them to see the password, even if it is encrypted.

If I do a config like below, they can do a show tech-support.

The problem here is that the config is not there.

aaa new-model

username xxxx privilege 2 password xxxx

aaa authorization exec default local

privilege exec level 2 sh tech

Thanks for your time!

Best Regards

Magnus
