I agree with views as well as with Jay. Get rid of your line passwords and
use tacacs/local for the lines. Use enable secret over enable password and
do the same for all of your locally defined users as well.
username cisco privilege x secret cisco
HTH
On Saturday, February 16, 2013, Jay McMickle wrote:
> Agreed. Enable views is what you are looking for.
>
> However, while this limits the commands they can run, if you give them sh run,
> it will still show your line password 7's. You shouldn't be running enable
> pass on your routers, so I can only imagine you are concerned with the line
> passwords.
>
> Why not remove the line passwords and point to Local, Radius, or TACACS and
> you won't have those passwords to be seen?
>
> No enable pass
> Enable secret ...
> !
> aaa new-model
> username Cisco priv 15 pass Cisco
> !
> aaa auth login default.....
> line con 0
>  login authentication local
> line vty 0 15
>  login authentication local
>
> Then enable your views. (enable view)
> And set the username login rights, etc.
>
> I'm going from memory here, so the syntax might be a little off, but you get
> the point.
>
> Regards,
> Jay McMickle- CCIE #35355 (RS)
> Sent from my iPhone 5
> Support me to fight MS!
>
> http://main.nationalmssociety.org/site/TR/Bike/TXHBikeEvents?px=5886043&pg=personal&fr_id=20226
>
>
> On Feb 15, 2013, at 11:35 PM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:
>
> > If you want to give only read-only access to the entire active config,
> > then perhaps you can use views. It doesn't need an external server and will
> > surely meet your requirements,
> >
> >
> >
> > ________________________________
> > From: Imran Ali <immrccie_at_gmail.com>
> > To: Cisco certification <ccielab_at_groupstudy.com>
> > Sent: Saturday, February 16, 2013 10:27 AM
> > Subject: read only access and need to protect all sensitive passwords
> >
> > Hi all,
> >
> > I need to give read-only access to my routers to an audit team.
> >
> > I have no issue setting up a RADIUS server to put them through at exec level 7,
> > which I customised on the router to allow only show:
> >
> > privilege exec all level 7 show
> >
> > I found that he can't view the routing config using the regular "show run",
> > but he can view the last saved config with "show startup-config".
> >
> > The issue is my RADIUS server, and there is no option to specify a type 5
> > MD5 strong password. I am ending up showing my RADIUS key, as type 7 can be
> > easily decrypted.
> >
> > I also tried service password-encryption, but it is again using type 7.
> >
> > Any chance of saving from an over-the-shoulder reading attack?
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
> >
>
>
--
Thanks,
Steve Di Bias- CCIE #32840

Received on Sat Feb 16 2013 - 07:37:54 ART
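A defender-side check in the spirit of the advice in this thread: an added Python example, not code from the thread or from any Cisco tool, that scans a running-config for the credential forms a "show run" reader can recover (enable password, type 7 username and line passwords, type 7 server keys, and service password-encryption offering only type 7) and names the replacement the thread recommends. The sample config and its hash strings are constructed for the example.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "lineno section text advice")  # section: enclosing block

# Constructed sample running-config; not from any real device.
SAMPLE_CONFIG = """\
service password-encryption
enable password 7 094F471A1A0A
enable secret 5 $1$abcd$CONSTRUCTEDHASHxxxxxxxxxxxxxx
username audit privilege 7 password 7 1511021F0725
username netops privilege 15 secret 5 $1$wxyz$CONSTRUCTEDHASHyyyyyyyyyyyyyy
radius-server host 192.0.2.10 key 7 060506324F41
line con 0
 password 7 05080F1C2243
line vty 0 15
 login authentication default
"""

# (regex on the stripped line, applies only inside a 'line' block?, advice)
# Type 7 is reversible obfuscation; type 5 and newer secrets are hashes.
RULES = [
    (re.compile(r"^service password-encryption$"), False,
     "type 7 only obfuscates; it is no substitute for 'secret' or AAA"),
    (re.compile(r"^enable password\b"), False,
     "use 'enable secret' and remove 'enable password'"),
    (re.compile(r"^username \S+ .*\bpassword\b"), False,
     "use 'username <name> privilege <n> secret <pw>'"),
    (re.compile(r"^password\b"), True,
     "drop the line password; authenticate via 'login authentication <list>'"),
    (re.compile(r"\bkey 7\b"), False,
     "server key is type 7 and recoverable from 'show run'"),
]

def audit_config(config: str) -> list:
    findings = []
    section = "(global)"
    for lineno, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        if not raw[:1].isspace():  # an unindented line starts a new block
            section = line if line.startswith("line ") else "(global)"
        for pattern, line_block_only, advice in RULES:
            if pattern.search(line) and (not line_block_only or section.startswith("line ")):
                findings.append(Finding(lineno, section, line, advice))
                break
    return findings

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.lineno:>3} [{f.section}] {f.text}\n    -> {f.advice}")
```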
This archive was generated by hypermail 2.2.0 : Fri Mar 01 2013 - 07:57:58 ART