From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Thu Oct 14 2004 - 16:21:39 GMT-3
You can only view configuration for options that you are allowed to
change. Take the following example with local authorization:
R1>show privilege
Current privilege level is 1
R1>show run
^
% Invalid input detected at '^' marker.
R1>en
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#privilege exec level 1 show run
R1(config)#end
R1#disable
R1>
*Mar 1 15:39:09.744: %SYS-5-CONFIG_I: Configured from console by console
R1>show run
Building configuration...
Current configuration : 17 bytes
!
!
!
!
!
!
end
R1>enable
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#privilege configure level 1 interface
R1(config)#end
R1#disable
*Mar 1 15:39:26.011: %SYS-5-CONFIG_I: Configured from console by console
R1>show run
Building configuration...
Current configuration : 85 bytes
!
!
!
!
!
interface Ethernet0/0
!
interface Serial0/0
!
interface Serial0/1
!
!
end
R1>en
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#privilege interface level 1 ip address
R1(config)#end
R1#disable
R1>
*Mar 1 15:40:26.642: %SYS-5-CONFIG_I: Configured from console by console
R1>show run
Building configuration...
Current configuration : 130 bytes
!
!
!
!
!
interface Ethernet0/0
no ip address
!
interface Serial0/0
no ip address
!
interface Serial0/1
no ip address
!
!
end
HTH,
Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Church, Chuck
> Sent: Thursday, October 14, 2004 2:04 PM
> To: JD Plant; CCIE Security Mailing List
> Cc: ccielab@groupstudy.com
> Subject: RE: Command Authorization for show run
>
> It's not a bug. I believe it had something to do with the fact that a
> router doesn't keep the running config in memory to show when needed.
> When you do a 'sh run', it actually parses through all the various
> interface, router, etc. data structures, and builds it. This behind the
> scenes work seems to require level 15 access itself. I don't remember
> if there was a workaround or not. Maybe someone on the list will
> remember the fix, if it exists...
>
>
> Chuck Church
> Lead Design Engineer
> CCIE #8776, MCNE, MCSE
> Netco Government Services - Design & Implementation
> 1210 N. Parker Rd.
> Greenville, SC 29609
> Home office: 864-335-9473
> Cell: 703-819-3495
> cchurch@netcogov.com
> PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of JD Plant
> Sent: Thursday, October 14, 2004 2:17 PM
> To: CCIE Security Mailing List
> Subject: Command Authorization for show run
>
> Hey all,
>
> I have noticed strange behavior every time I've used command
> authorization to allow the show run command. Everything works great
> with all the other commands at the same level.
>
> The commands are configured properly for the per user command
> authorization.
>
> The show run command even executes successfully. The problem is the
> output is empty, nothing but exclamation marks. I don't know if this
> is a bug in command auth or what. Config and command output below:
>
> R7#show run
> Building configuration...
>
> Current configuration : 13 bytes
> !
> !
> !
> !
> end
> R7#
>
> ***CONFIGURATION SNIPPET***
> aaa new-model
> aaa authentication login vty group tacacs+ local
> aaa authorization exec vty group tacacs+ local
> aaa authorization commands 1 vty group tacacs+ if-authenticated
> aaa authorization commands 5 vty group tacacs+ if-authenticated
> aaa accounting exec vty start-stop group tacacs
> aaa accounting commands 1 vty start-stop group tacacs
> aaa accounting commands 5 vty start-stop group tacacs
>
> tacacs-server host 175.1.2.3 key cisco
>
> user lab7-telnet privilege 5 password cisco
>
> line vty 0 4
> login authentication vty
> authori exec vty
> authorization commands 1 vty
> authorization commands 5 vty
> accounting exec vty
> accounting commands 1 vty
> accounting commands 5 vty
>
> privilege exec level 5 show running-config
> privilege exec level 5 ping
>
>
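Added example, not part of the thread and not Cisco IOS code: a small Python model of the behaviour Brian demonstrates in his reply and of the "nothing but exclamation marks" output JD reports. It assumes the rule Brian describes, namely that a configuration line appears in show running-config only when the command it belongs to has been granted, in its own mode, at a level no higher than the user's current level, with unassigned configuration commands keeping their default level of 15. The sample running-config, the SUBMODE_OF subset of IOS modes, the function names and the requirement that privilege statements use full keywords (show running-config rather than show run) are all assumptions of this model.

```python
import re

# Constructed sample running-config for the model (not from the original post).
RUNNING_CONFIG = """\
hostname R1
enable secret 5 <placeholder-hash>
!
interface Ethernet0/0
 ip address 10.0.0.1 255.255.255.0
 no shutdown
!
interface Serial0/0
 no ip address
 shutdown
!
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
!
line vty 0 4
 login authentication vty
!
end
"""

# Which top-level keyword opens which configuration sub-mode.
# Assumption: a small subset of IOS modes, enough for this demonstration.
SUBMODE_OF = {"interface": "interface", "router": "router", "line": "line"}


def parse_privileges(statements):
    """Turn 'privilege <mode> level <N> <command...>' statements into
    (mode, level, command-words) tuples. Full keywords are expected."""
    rules = []
    for stmt in statements:
        m = re.match(r"privilege\s+(\S+)\s+level\s+(\d+)\s+(.+)$", stmt.strip())
        if not m:
            raise ValueError(f"not a privilege statement: {stmt!r}")
        rules.append((m.group(1), int(m.group(2)), m.group(3).split()))
    return rules


def command_words(line):
    """Words of a config line with a leading 'no' dropped, because
    'no ip address' is governed by the 'ip address' command."""
    words = line.strip().split()
    return words[1:] if words and words[0] == "no" else words


def permitted(rules, mode, line, user_level):
    """True if a rule for this mode grants the line's command at a level
    <= user_level. Level 15 sees everything; commands with no rule keep
    the default level 15 and are hidden from lower levels."""
    if user_level >= 15:
        return True
    words = command_words(line)
    for r_mode, r_level, r_cmd in rules:
        if r_mode == mode and r_level <= user_level and words[: len(r_cmd)] == r_cmd:
            return True
    return False


def show_run(config_text, rules, user_level):
    """Render the part of the running-config visible at user_level, or
    None when 'show running-config' itself is not permitted (IOS would
    answer '% Invalid input detected')."""
    if not permitted(rules, "exec", "show running-config", user_level):
        return None
    sections = []   # visible sections, each a list of lines (header first)
    current = None  # (sub-mode, lines) of the section being read, if shown
    for raw in config_text.splitlines():
        if raw in ("!", "end") or not raw.strip():
            continue
        if not raw.startswith(" "):
            # Top-level line: shown only if its command is granted in configure mode.
            current = None
            if permitted(rules, "configure", raw, user_level):
                current = (SUBMODE_OF.get(raw.split()[0]), [raw])
                sections.append(current[1])
        elif current and current[0] and permitted(rules, current[0], raw, user_level):
            # Indented line: checked against the sub-mode of its visible parent.
            current[1].append(raw)
    body = "\n!\n".join("\n".join(s) for s in sections)
    return "!\n" + (body + "\n!\n" if body else "") + "end"


if __name__ == "__main__":
    # JD's situation: only the show command is granted, so the view is empty.
    print(show_run(RUNNING_CONFIG, parse_privileges(["privilege exec level 5 show running-config"]), 5))
    # Brian's third step: interface headers and their ip address lines appear.
    rules = parse_privileges([
        "privilege exec level 1 show running-config",
        "privilege configure level 1 interface",
        "privilege interface level 1 ip address",
    ])
    print(show_run(RUNNING_CONFIG, rules, 1))
```

Run it to see the two views side by side: JD's level-5 user gets only "!" and "end", exactly the symptom in the thread, while adding configure- and interface-mode grants widens the level-1 view one command at a time, as in Brian's session. The same model is a useful least-privilege check when designing operator levels: whatever a level can see in show run is also what it can change.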
This archive was generated by hypermail 2.1.4 : Sat Nov 06 2004 - 17:11:48 GMT-3