Cisco Support Community
'Show running-config' to show like 'Show tech-support' output

Hello,

I was wondering if there was a command (perhaps hidden in IOS) that would allow the output of 'show running-config' to hide the passwords and SNMP Community strings, much like when you do a 'show tech-support' command? I am trying to limit what a client sees (using a TACACS+ Server) and I would like to just give them an alternate command that would achieve this goal. Any clue?

Thanks,

neocec

Accepted Solutions
Cisco Employee

Re: 'Show running-config' to show like 'Show tech-support' outpu

a. Unfortunately no. You can use 'service password-encryption' to encrypt your passwords. This way your passwords are not in cleartext.

b. You can then enable privilege levels for different users and restrict access to what commands a user can run. For example, a user cannot run 'show tech' or 'show run' at all.

c. But this way, you can either show the output of a command completely, or restrict access to the command completely. We cannot selectively show parts of an output differently to different users.

d. You can also explore using SNMPv3. The SNMPv3 protocol provides a security model defining new concepts to replace the old community-based pseudo-authentication and provide communication privacy by means of encryption.

Sid Chandrachud

TAC Security Solutions

Customer support engineer.
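An added example, not part of the original thread and not Cisco code: because the device cannot selectively hide parts of a command's output, one option is to redact a saved copy of the running-config off-box before handing it to the client. The rule list, the `<removed>` placeholder and the sample config are assumptions made for this example, and the rules cover only common secret-bearing lines.

```python
import re

MASK = "<removed>"  # placeholder chosen for this example

# Group 1 is the keyword prefix that is safe to keep; what follows is the
# secret. "tail" keeps non-secret trailers such as RO/RW and ACL numbers.
# Type 7 strings are reversible and hashes can be attacked offline, so
# encrypted values are masked too, not just cleartext ones.
RULES = [re.compile(p) for p in (
    r"^(\s*(?:enable |username \S+ .*?)?(?:password|secret)(?: \d+)? )\S.*$",
    r"^(\s*snmp-server community )\S+(?P<tail>.*)$",
    r"^(\s*snmp-server host \S+ (?:(?:traps|informs) )?(?:version (?:1|2c) )?)"
    r"(?!version )\S+(?P<tail>.*)$",
    r"^(\s*(?:tacacs-server|radius-server) key(?: \d+)? )\S.*$",
    r"^(\s*key-string(?: \d+)? )\S.*$",
)]


def redact_line(line):
    """Return the line with its secret masked, or unchanged if no rule matches."""
    for rule in RULES:
        m = rule.match(line)
        if m:
            return m.group(1) + MASK + (m.groupdict().get("tail") or "")
    return line


def redact_config(text):
    """Mask secrets in a saved running-config, line by line."""
    return "\n".join(redact_line(line) for line in text.splitlines())


# Constructed sample, not taken from a real device.
SAMPLE_CONFIG = """\
service password-encryption
hostname lab-rtr1
enable secret 5 $1$EXAMPLE$notARealHash
username client privilege 5 password 7 0000EXAMPLE
snmp-server community EXAMPLEro RO 10
snmp-server host 192.0.2.10 version 2c EXAMPLEro
snmp-server host 192.0.2.11 version 3 priv monitor
tacacs-server key 7 0000EXAMPLE
line vty 0 4
 password 7 0000EXAMPLE
"""

if __name__ == "__main__":
    print(redact_config(SAMPLE_CONFIG))
```

Review the redacted output for platform-specific secret lines the rules do not cover before sharing it.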

Re: 'Show running-config' to show like 'Show tech-support' outpu

Thank you Siddarth for the answer to my questions, and thank you for giving me alternative options. I truly hope it's something they implement in the future because the feature is already there, Cisco just needs to make a special command for it.

Thanks again,

neocec
