Cisco Support Community
New Member

Read-only access (hide a portion of the config)

Is there a way to allow read-only access to only a portion of the config? I have customers who are requesting read-only access, but I don't want them seeing portions of the config.

Any help or suggestions would be greatly appreciated.  Thanks

1 ACCEPTED SOLUTION

Hall of Fame Super Silver

Read-only access (hide a portion of the config)

If they have an enable level login they will be able to see the whole configuration (absent encrypted passwords assuming you're using service password-encryption).

You can make logins more granular and prevent customers from having, say, the ability to execute arbitrary commands such as "show run". You could, for instance, set up a given user to only be allowed to execute "show interface status" etc. NX-OS has this ability pretty much 'baked-in'. For IOS-based systems, a bit more work is required.

Here is a guide for how to do it if you use TACACS for AAA:

https://supportforums.cisco.com/docs/DOC-15765

If you're using local authentication, you can do similar things using either privilege levels or cli views:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftprienh.html

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html

http://www.networkworld.com/community/node/57553

Hope this helps.
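
The CLI-view approach for local authentication mentioned in the answer above, sketched as an added example that is not part of the original post or of Cisco's guides. The view name CUSTOMER-RO, the username customer and the bracketed secrets are placeholders, and `show interfaces status` assumes a switch platform that has that command.

```cisco
! Added example: restrict a local account to a short list of show commands
! using an IOS CLI view. CUSTOMER-RO, "customer" and every <...> value are
! placeholders chosen for illustration.
!
! CLI views need AAA enabled and an enable secret, which is used to enter
! the root view. Keep local login working once AAA is switched on.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
enable secret <ENABLE-SECRET>
!
! Views can only be created from the root view: run "enable view" in EXEC
! mode, authenticate with the enable secret, then enter configuration mode.
!
parser view CUSTOMER-RO
 secret <VIEW-SECRET>
 ! Only the commands listed here exist for users of this view.
 ! "show running-config" is not listed, so it is not available to them.
 commands exec include show interfaces status
 commands exec include show version
!
! Bind the customer's local account to the view so it is applied at login.
username customer view CUSTOMER-RO secret <USER-SECRET>
!
! Checks to run while logged in as the customer account:
!   show parser view       reports the view the session is in
!   show ?                 lists only the permitted show commands
!   show running-config    is rejected because it is not in the view
```

Test the account from a second session before closing the administrative one, since enabling `aaa new-model` changes how logins on the device are authenticated.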

3 REPLIES
New Member

Read-only access (hide a portion of the config)

Marvin,

Thanks for your excellent response.  I have been racking my brain as how to do this and have not even thought about going this route.  This is awesome.  Thanks a million.

Regards,

Dwayne

Hall of Fame Super Silver

Read-only access (hide a portion of the config)

You're welcome, Dwayne. Thanks for the rating.
