Re: read only access and need to protect all sensitive from Jay McMickle on 2013-02-16 (Ccielab archives 02/2013)

From: Jay McMickle <jay.mcmickle_at_yahoo.com>
Date: Sat, 16 Feb 2013 07:09:07 -0600

Agreed. Enable views is what you are looking for.

However, while this limits the commands they can run, if you give them sh run,
it will still show your line password 7's. You shouldn't be running enable
pass on your routers, so I can only imagine you are concerned with the line
passwords.

Why not remove the line passwords and point to Local, Radius, or TACACS and
you won't have those passwords to be seen?

No enable pass
Enable secret ...
!
aaa new-model
username Cisco priv 15 pass Cisco
!
aaa auth login default.....
Line con 0
Login auth local
line vty 0 15
Login auth local

Then enable your views. (enable view)
And set the username login rights, etc.

I'm going from memory here, so the syntax might be a little off, but you get
the point.

Regards,
Jay McMickle- CCIE #35355 (RS)
Sent from my iPhone 5
Support me to fight MS!
http://main.nationalmssociety.org/site/TR/Bike/TXHBikeEvents?px=5886043&pg=pe
rsonal&fr_id=20226

On Feb 15, 2013, at 11:35 PM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:

> If you want to give only read only access to the entire active config, then
> perhaps you can use views. It doesnt need an external server and will
surely
> meet your requirements,
>
>
>
> ________________________________
> From: Imran Ali
> <immrccie_at_gmail.com>
> To: Cisco certification <ccielab_at_groupstudy.com>
> Sent:
> Saturday, February 16, 2013 10:27 AM
> Subject: read only access and need to
> protect all sensitive passwords
>
> Hi all,
>
> i need to give read only access
> of my routers to an audit team .
>
> i have no issue setting up a radius
> server to throug a exec level 7
> .... which i customised on the router
> to allow only show
>
> Privelege exec all level 7 show . i found that
> he cant view
> routing config using " regular show run '' but with can view
> last saved
> config with show sartup-config.
>
> the issue is my radius server
> and their is no option to specify
> type 5 md5 strong password .
>
> i am
> ending up with showing my Radius key ..... as type 7 can be
> easily de
> crepted .
>
> ......i also tried service password encryption..but it is
> again
> using type 7 ...
>
>
>
> Any chance of saving from over shoulder readng
> attack ?
>
>
> Blogs and organic groups at http://www.ccie.net
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
Received on Sat Feb 16 2013 - 07:09:07 ART

This archive was generated by hypermail 2.2.0 : Fri Mar 01 2013 - 07:57:58 ART