Restrict access to Cisco device

Hello everyone.

I have a new Network Admin that we just want to give read-only access to our network devices. I've tried setting this command to make privilege level two only able to do show run.

privilege exec level 2 Show running-config full

For some reason, when I do the show run at privilege level 2, it only shows:

2960-Sterling-21680-10#show run
Building configuration...

Current configuration : 149 bytes
!
! Last configuration change at 14:29:13 UTC Tue Nov 7 2006 by sman
! NVRAM config last updated at 14:31:56 UTC Tue Nov 7 2006 by sman
!
!
!
!
end

How can I get this user to look at all of the config?

Thank you.

Reply to
sodethman

If you allow them to look at the full running-config then you are allowing them to look at the passwords, some of which are kept in plaintext and some of which are encoded. The older password encoding is known to be easily invertible (if you find the right program), but the newer password encoding has no publicly known decoding algorithm.

For example, if you give them read access to the full configuration then they will be able to see the SNMP write community strings; if you have not locked down SNMP access thoroughly, then they could use SNMP to trigger the tftp in of a new encoded enable password, do whatever they wanted, and set it back before it was missed.

In short, Don't Do That. Either only give them access to portions of the configuration, or else go ahead and give them a write password and appropriate instructions and set whatever monitoring you feel you need.

Reply to
Walter Roberson
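As an added example (not from this thread or from Walter's post), here is one way to follow his advice of exposing only portions of the configuration: a level-2 account that gets a handful of show commands, SNMP restricted to read-only behind an ACL so there is no write community string to read, and configuration-change logging. The username, ACL number, management address and community string are placeholders, and the archive logging feature is assumed to be available on the IOS release in use.

```cisco
! Added example: a read-only trainee account at privilege level 2.
! A level-2 "show running-config" only prints the commands that level is
! allowed to configure, which is why the original post saw an almost
! empty configuration; hand down specific show commands instead.
service password-encryption
username trainee privilege 2 secret <set-a-strong-secret>
!
! Show commands the trainee may run; everything else stays at level 15.
privilege exec level 2 show interfaces
privilege exec level 2 show ip interface brief
privilege exec level 2 show running-config interface
!
! SNMP read-only and limited to one management host (192.0.2.10 is a
! placeholder), so the configuration carries no write community string.
access-list 10 permit 192.0.2.10
snmp-server community <ro-string> RO 10
!
! Record every configuration change to syslog, so anything done beyond
! the intended read-only use is visible.
archive
 log config
  logging enable
  notify syslog
```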

Thank you for your reply. We don't really care if he can do all that stuff with hacking the password, because we know he doesn't really know how; he's just learning IOS. We will eventually give him access; it's just that we don't really want him to accidentally kill any of our gear. Is there a command I can use so he can just look at the full running-config?

Thank you.


Reply to
sodethman

Reply to
tippenring
