[nsp] enable commands as non-enable user?
Greetings,

I'm wanting to allow a dedicated non-enabled user to be able to 'show
conf' (run through all the routers and save the conf nightly). Is this
possible via AAA (tacacs+)? ( the AAA overview on cco isn't that clear on
whether this is possible or not)

--==--
Bruce.
Re: [nsp] enable commands as non-enable user?
Bruce,

You can do this to make "show configuration" a different security level
and then assign this level to your user. The second line must be there
or all show commands will become priv 10.

privilege exec level 10 show configuration
privilege exec level 1 show

username NON_ENABLED_USER privilege 10 password USER_PASSWORD


Actually, you could drop the priv of the command to 1 but then all users
would be able to see the config.

Matt

On Mon, 12 Aug 2002, Bruce Campbell wrote:

>
> Greetings,
>
> I'm wanting to allow a dedicated non-enabled user to be able to 'show
> conf' (run through all the routers and save the conf nightly). Is this
> possible via AAA (tacacs+)? ( the AAA overview on cco isn't that clear on
> whether this is possible or not)
>

__________________________ http://www.invision.net/ _______________________

Matthew E. Martini, PE InVision.com, Inc. (631) 543-1000 x104
Chief Technology Officer matt@invision.net (631) 864-8896 Fax
_______________________________________________________________________pgp_

Re: [nsp] enable commands as non-enable user?
Use the privilege command to set the show running-config to another level.

Barry

At 06:29 PM 8/12/2002 +0200, Bruce Campbell wrote:

>Greetings,
>
>I'm wanting to allow a dedicated non-enabled user to be able to 'show
>conf' (run through all the routers and save the conf nightly). Is this
>possible via AAA (tacacs+)? ( the AAA overview on cco isn't that clear on
>whether this is possible or not)
>
>--==--
>Bruce.
>
>_______________________________________________
>cisco-nsp mailing list real_name)s@puck.nether.net
>http://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [nsp] enable commands as non-enable user?
Just FYI... I'm 99% sure you can't do this for "sh run"... but I never tried for
"sh config".

joshd

----- Original Message -----
From: "Barry Bruins" <bbruins@cisco.com>
To: "Bruce Campbell" <bruce.campbell@ripe.net>; <cisco-nsp@puck.nether.net>
Sent: Monday, August 12, 2002 12:24 PM
Subject: Re: [nsp] enable commands as non-enable user?


> Use the privilege command to set the show running-config to another level.
>
> Barry
Re: [nsp] enable commands as non-enable user?
Ughh. I'm embarrassed. You're right. It may require a TACACS+ server
in the mix.

Barry

At 01:06 PM 8/12/2002 -0500, Josh Duffek wrote:
>just fyi...im 99% sure you cant do this for "sh run"...but i never tried for
>"sh config".
>
>joshd
Re: [nsp] enable commands as non-enable user?
Well, the thing is... IOS figures if you aren't privileged enough to change
the config, why should you get to look at it... Did you try with "sh config"
and "sh run" or just one of them? (Sorry, I don't have time to test myself
right now.)

joshd

----- Original Message -----
From: "Barry Bruins" <bbruins@cisco.com>
To: "Josh Duffek" <jduffek@cisco.com>; "Bruce Campbell"
<bruce.campbell@ripe.net>; <cisco-nsp@puck.nether.net>
Sent: Monday, August 12, 2002 1:44 PM
Subject: Re: [nsp] enable commands as non-enable user?


> Ughh. I'm embarrassed. You're right. It may require a TACACS+ server
> in the mix.
>
> Barry
RE: [nsp] enable commands as non-enable user?
You can enable sh run for any privilege level .. the problem is that unless
the level also includes the ability to configure you'll only see a limited
running config ... i.e. it shows you what you can actually do ... example:

gwy1-tor#sh run
Building configuration...

Current configuration : 155 bytes
!
! Last configuration change at 03:55:56 EST Sat Aug 3 2002 by jamesm
! NVRAM config last updated at 04:43:56 EST Mon Aug 12 2002 by stats
!
!
!
!
end

Not very useful ... so the only choice is a "sh conf" where it reads the
nvram:startup-config file (basically more's the file). The caveat there is
that users had better be writing the config after all changes or some items
may be missed. I do what was suggested earlier and it works quite well ...
allow a priv level to show, show conf etc ... then put the level in the
user/pass command. Works nicely.

Jim

-----Original Message-----
From: Barry Bruins [mailto:bbruins@cisco.com]
Sent: Monday, August 12, 2002 2:44 PM
To: Josh Duffek; Bruce Campbell; cisco-nsp@puck.nether.net
Subject: Re: [nsp] enable commands as non-enable user?


Ughh. I'm embarrassed. You're right. It may require a TACACS+ server
in the mix.

Barry

Re: [nsp] enable commands as non-enable user?
Cool... so it works for "sh config" but not "sh run"... Thanks for the
clarification.

jd

----- Original Message -----
From: "MacDonald, James" <James.MacDonald@attcanada.com>
To: <cisco-nsp@puck.nether.net>
Sent: Monday, August 12, 2002 2:05 PM
Subject: RE: [nsp] enable commands as non-enable user?


> You can enable sh run for any privilege level .. the problem is that unless
> the level also includes the ability to configure you'll only see a limited
> running config ... i.e. it shows you what you can actually do ... example:
>
> gwy1-tor#sh run
> Building configuration...
>
> Current configuration : 155 bytes
> !
> ! Last configuration change at 03:55:56 EST Sat Aug 3 2002 by jamesm
> ! NVRAM config last updated at 04:43:56 EST Mon Aug 12 2002 by stats
> !
> !
> !
> !
> end
>
> Not very useful ... so the only choice is a "sh conf" where it reads the
> nvram:startup-config file (basically more's the file). The caveat there is
> that users had better be writing the config after all changes or some items
> may be missed. I do what was suggested earlier and it works quite well ...
> allow a priv level to show, show conf etc ... then put the level in the
> user/pass command. Works nicely.
>
> Jim
Re: [nsp] enable commands as non-enable user?
It is very handy for Enterprises to be able to verify configurations from
their service providers even though they don't have the rights to make
changes (and shouldn't have the rights). I have used this capability
on behalf of my clients many times to help prevent and straighten out
misunderstandings.


---Jon





"Josh Duffek" <jduffek@cisco.com>
Sent by: cisco-nsp-admin@puck.nether.net
08/12/02 03:02 PM


To: "Bruce Campbell" <bruce.campbell@ripe.net>, <cisco-nsp@puck.nether.net>,
"Barry Bruins" <bbruins@cisco.com>
cc:
Subject: Re: [nsp] enable commands as non-enable user?


Well, the thing is... IOS figures if you aren't privileged enough to change
the config, why should you get to look at it... Did you try with "sh config"
and "sh run" or just one of them? (Sorry, I don't have time to test myself
right now.)

joshd

RE: [nsp] enable commands as non-enable user?

All:

username config privilege 5 password abcd
sh commands are
Exec commands:
<1-99> Session number to resume
access-enable Create a temporary Access-List entry
access-profile Apply user-profile to interface
clear Reset functions
connect Open a terminal connection
disable Turn off privileged commands
disconnect Disconnect an existing network connection
enable Turn on privileged commands
exit Exit from the EXEC
help Description of the interactive help system
lock Lock the terminal
login Log in as a particular user
logout Exit from the EXEC
mrinfo Request neighbor and version information from a multicast router
mstat Show statistics after multiple multicast traceroutes
mtrace Trace reverse multicast path from destination to source
name-connection Name an existing network connection
pad Open a X.29 PAD connection
ping Send echo messages
ppp Start IETF Point-to-Point Protocol (PPP)
resume Resume an active network connection
rlogin Open an rlogin connection
show Show running system information
slip Start Serial-line IP (SLIP)
systat Display information about terminal lines
telnet Open a telnet connection
terminal Set terminal line parameters
traceroute Trace route to destination
tunnel Open a tunnel connection
udptn Open an udptn connection
where List active connections
x28 Become an X.28 PAD
x3 Set X.3 parameters on PAD

TEST#sh run
Building configuration...

Current configuration:
!
! Last configuration change at 15:53:42 EST Mon Aug 12 2002 by XXXXX
! NVRAM config last updated at 14:14:20 EST Mon Aug 12 2002 by XXXXX
!
!
!
!
end

HOWEVER:
Doing a sh startup dumps the startup configuration.

==DMT>
----SIGNATURE-------
Douglas M. Todd, Jr.
CCNA, CCNP, CIT
Network Engineering
Partners Health Care
Building 149
149 13 Street
Charlestown, MA 02129-200
Tel: 617.726.1403
Email: dtodd@partners.org
--------------------------------------------------------------------
PGP Finger Print: 9429 CAE3 B2D1 C2E1 DFBC E7A6 E90A 9BE5 C7B6 47BC
Key available via email.
Verisign S/N: 3ff65cdf58b9dceda004baeed49e16cf
https://digitalid.verisign.com/services/client/index.html

> -----Original Message-----
> From: Josh Duffek [mailto:jduffek@cisco.com]
> Sent: Monday, August 12, 2002 2:07 PM
> To: Bruce Campbell; cisco-nsp@puck.nether.net; Barry Bruins
> Subject: Re: [nsp] enable commands as non-enable user?
>
>
> just fyi...im 99% sure you cant do this for "sh run"...but i
> never tried for
> "sh config".
>
> joshd

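Pulling the thread's three caveats together (Matt's note that the bare "show" keyword must be pinned back to level 1, Jim's warning that a "sh config" backup silently misses anything not yet written to NVRAM, and the empty running-config skeleton that both Jim and Douglas pasted), here is an added example of the sanity checks a nightly config-archiving job can run over the text it collected. This is not code from the thread or from Cisco. The sample configs are constructed to match the shapes shown above; the hostname, usernames and password strings in them are hypothetical, and the collector that actually fetches the output from the router is assumed to exist and is out of scope.

```python
"""Sanity checks for a nightly IOS config pull done by a low-privilege user.

Added example, not code from the thread. Sample inputs are constructed,
modelled on the output shown in the thread; names and secrets are hypothetical.
"""
import re
from datetime import datetime

# Constructed sample 1: what "sh run" returns to a level that cannot configure.
# Only banners, "!" comments and "end", no real statements.
STUB_RUN_FRESH = """Building configuration...

Current configuration : 155 bytes
!
! Last configuration change at 03:55:56 EST Sat Aug 3 2002 by jamesm
! NVRAM config last updated at 04:43:56 EST Mon Aug 12 2002 by stats
!
end
"""

# Constructed sample 2: same shape, but the running config changed AFTER the
# last write to NVRAM, so a backup taken with "sh config" would miss changes.
STUB_RUN_STALE = """Building configuration...

Current configuration:
!
! Last configuration change at 15:53:42 EST Mon Aug 12 2002 by XXXXX
! NVRAM config last updated at 14:14:20 EST Mon Aug 12 2002 by XXXXX
!
end
"""

# Constructed sample 3: an abbreviated startup-config as "sh config" reads it
# from NVRAM, carrying the privilege scheme Matt described (hypothetical names).
STARTUP_CFG = """!
hostname gwy1-tor
!
privilege exec level 10 show configuration
privilege exec level 1 show
username backup privilege 10 password 7 PLACEHOLDER
username helpdesk privilege 5 password 7 PLACEHOLDER
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
end
"""

_STAMP = re.compile(r"^! (Last configuration change|NVRAM config last updated) at "
                    r"(\d\d:\d\d:\d\d) \S+ (\w{3} \w{3} +\d{1,2} \d{4})", re.M)
_PRIV = re.compile(r"^privilege exec level (\d+) (.+?)\s*$", re.M)
_USER = re.compile(r"^username (\S+) privilege (\d+)", re.M)


def is_stub_config(text):
    """True when the capture holds nothing but banners, '!' comments and 'end'.
    That is what a non-configuring level gets from 'show running-config', so
    the backup job must file it as a failed pull, not as an empty router."""
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("!") or s == "end":
            continue
        if s.startswith(("Building configuration", "Current configuration")):
            continue
        return False
    return True


def _parse_stamp(clock, date):
    # The zone token is dropped: both stamps come from the same router clock.
    return datetime.strptime(f"{clock} {' '.join(date.split())}", "%H:%M:%S %a %b %d %Y")


def startup_is_stale(text):
    """Jim's caveat, checked from the two timestamp comments at the top of a
    config: True if the running config changed after NVRAM was last written
    (a 'sh config' backup would miss those changes), False if NVRAM is
    current, None if either stamp is absent."""
    stamps = {m.group(1): _parse_stamp(m.group(2), m.group(3)) for m in _STAMP.finditer(text)}
    try:
        return stamps["Last configuration change"] > stamps["NVRAM config last updated"]
    except KeyError:
        return None


def privilege_assignments(text):
    """Map each 'privilege exec level N <command>' line to its level."""
    return {m.group(2): int(m.group(1)) for m in _PRIV.finditer(text)}


def unpinned_parents(assign):
    """Matt's caveat: raising 'show configuration' to level 10 also raises the
    bare 'show' keyword unless a second line pins 'show' back to level 1.
    Returns parent keywords left unpinned; each silently moves every one of
    its subcommands up to the higher level."""
    return sorted({cmd.split()[0] for cmd in assign
                   if " " in cmd and cmd.split()[0] not in assign})


def users_who_can_run(text, command):
    """Local users whose level reaches the level explicitly assigned to
    'command' (IOS grants a command when user level >= command level).
    None when the command is not assigned here, i.e. the IOS default applies."""
    required = privilege_assignments(text).get(command)
    if required is None:
        return None
    return sorted(u for u, lvl in _USER.findall(text) if int(lvl) >= required)
```

In a backup job the order of checks matters: run `is_stub_config` on whatever `show running-config` returned and treat a stub as a collection failure rather than archiving it as the device's config; then, for the `show configuration` copy you do keep, record `startup_is_stale` so the archive notes when the saved text is known to lag the live device. `unpinned_parents` and `users_who_can_run` are review checks over the archived config itself, to confirm the privilege scheme still grants only the backup account the raised level.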