Read-only access (hide a portion of the config)

dphills18
Level 1

Is there a way to allow read-only access to only a portion of the config? I have customers who are requesting read-only access, but I don't want them seeing portions of the config.

Any help or suggestions would be greatly appreciated.  Thanks

Accepted Solution

Marvin Rhoads
Hall of Fame

If they have an enable level login they will be able to see the whole configuration (absent encrypted passwords assuming you're using service password-encryption).

You can make logins more granular and prevent customers from having, say, the ability to execute arbitrary commands such as "show run". You could, for instance, set up a given user to only be allowed to execute "show interface status" etc. NX-OS has this ability pretty much 'baked-in'. For IOS-based systems, a bit more work is required.

Here is a guide for how to do it if you use TACACS for AAA:

https://supportforums.cisco.com/docs/DOC-15765

If you're using local authentication, you can do similar things using either privilege levels or cli views:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftprienh.html

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html

http://www.networkworld.com/community/node/57553

Hope this helps.

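Worked configuration for the three approaches in the accepted answer (CLI views, privilege levels, and TACACS+ command authorization). This is an added example, not configuration from the original post or from the linked Cisco documents; the view name CUSTOMER-RO, the usernames customer1 and customer2, the server name TACACS-1, the address 192.0.2.10 and every secret shown are placeholders. Commands are IOS/IOS-XE syntax; CLI views need a release that supports the Role-Based CLI Access feature (12.3(7)T or later).

```text
! ---- 1. CLI view (explicit allow-list of commands) ----
! aaa new-model is required before "parser view" is accepted.
! To create views you first enter the root view from EXEC with
! "enable view", which prompts for the enable secret.
aaa new-model
enable secret ROOT-SECRET-PLACEHOLDER
!
parser view CUSTOMER-RO
 secret VIEW-SECRET-PLACEHOLDER
 ! Only the listed commands exist in this view. Anything else,
 ! including "show running-config", returns "% Invalid input".
 commands exec include show interfaces status
 commands exec include show interfaces
 commands exec include show ip interface brief
 commands exec include show version
 commands exec include show clock
 commands exec include exit
!
! Bind the customer account to the view so the view is entered at login.
username customer1 view CUSTOMER-RO secret CUSTOMER1-PASSWORD-PLACEHOLDER
!
! ---- 2. Privilege level (less strict alternative) ----
! Level 1 (user EXEC) already permits many "show" commands but not
! "show running-config", which stays at level 15 unless you move it.
! A reduced level is mainly useful for adding commands to a non-15 user.
privilege exec level 5 show interfaces status
privilege exec level 5 show ip interface brief
username customer2 privilege 5 secret CUSTOMER2-PASSWORD-PLACEHOLDER
!
! ---- 3. TACACS+ command authorization (server decides per command) ----
! The permitted command set itself is defined on the TACACS+ server
! (e.g. a command set that allows only "show interfaces ..."); the
! device just asks the server before running each EXEC command.
tacacs server TACACS-1
 address ipv4 192.0.2.10
 key TACACS-KEY-PLACEHOLDER
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
!
line vty 0 4
 login authentication default
 authorization commands 1 default
 authorization commands 15 default
```

To verify the view, log in as customer1 and run "show parser view" (it reports the current view) and then "show running-config", which should be rejected. From the root view, "show parser view all" lists the views and their command sets. Keep in mind that an account that can reach privilege 15 or the root view sees the whole configuration, so the enable and view secrets must never be shared with the customer account.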

3 Replies

Marvin,

Thanks for your excellent response. I have been racking my brain as to how to do this and had not even thought about going this route. This is awesome. Thanks a million.

Regards,

Dwayne

You're welcome, Dwayne. Thanks for the rating.