Re: read only access and need to protect all sensitive

From: Jay McMickle <jay.mcmickle_at_yahoo.com>
Date: Sat, 16 Feb 2013 09:46:39 -0600

That's interesting. I guess you could also add an alias for them that excludes
the password 7 and the alias. You could still use enable view with only this
alias/macro available to them.

Regards,
Jay McMickle- CCIE #35355 (RS)
Sent from my iPhone 5
Support me to fight MS!
http://main.nationalmssociety.org/site/TR/Bike/TXHBikeEvents?px=5886043&pg=personal&fr_id=20226

On Feb 16, 2013, at 9:34 AM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:

> Another easy way is to use EEM when show running is issued and parse the
> entire running config through EEM so that whenever it encounters a line
> containing password, it will simply skip it.
>
>
> From: Jay McMickle <jay.mcmickle_at_yahoo.com>
> To: Ovais Iqbal <ovais.iqball_at_yahoo.com>
> Cc: Imran Ali <immrccie_at_gmail.com>; "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
> Sent: Saturday, February 16, 2013 6:09 PM
> Subject: Re: read only access and need to protect all sensitive passwords
>
> Agreed. Enable views is what you are looking for.
>
> However, while this limits the commands they can run, if you give them sh run,
> it will still show your line password 7's. You shouldn't be running enable
> pass on your routers, so I can only imagine you are concerned with the line
> passwords.
>
> Why not remove the line passwords and point to Local, Radius, or TACACS and
> you won't have those passwords to be seen?
>
> no enable password
> enable secret ...
> !
> aaa new-model
> username Cisco privilege 15 password Cisco
> !
> aaa authentication login default .....
> line con 0
>  login authentication local
> line vty 0 15
>  login authentication local
>
> Then enable your views. (enable view)
> And set the username login rights, etc.
>
> I'm going from memory here, so the syntax might be a little off, but you get
> the point.
>
> Regards,
> Jay McMickle- CCIE #35355 (RS)
> Sent from my iPhone 5
> Support me to fight MS!
>
> http://main.nationalmssociety.org/site/TR/Bike/TXHBikeEvents?px=5886043&pg=personal&fr_id=20226
>
>
> On Feb 15, 2013, at 11:35 PM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:
>
> > If you want to give only read-only access to the entire active config, then
> > perhaps you can use views. It doesn't need an external server and will surely
> > meet your requirements.
> >
> >
> >
> > ________________________________
> > From: Imran Ali <immrccie_at_gmail.com>
> > To: Cisco certification <ccielab_at_groupstudy.com>
> > Sent: Saturday, February 16, 2013 10:27 AM
> > Subject: read only access and need to protect all sensitive passwords
> >
> > Hi all,
> >
> > I need to give read-only access of my routers to an audit team.
> >
> > I have no issue setting up a RADIUS server to go through an exec level 7
> > .... which I customised on the router to allow only show:
> >
> > privilege exec all level 7 show. I found that he can't view the routing
> > config using a regular show run, but can view the last saved config with
> > show startup-config.
> >
> > The issue is my RADIUS server, and there is no option to specify a type 5
> > MD5 strong password.
> >
> > I am ending up showing my RADIUS key ..... as type 7 can be easily
> > decrypted.
> >
> > ...... I also tried service password-encryption, but it is again using
> > type 7 ...
> >
> > Any chance of saving from an over-the-shoulder reading attack?
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
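As an added example (not from the thread, and not a Cisco tool), a small Python script that does offline what the thread discusses: it audits a saved show running-config for credentials a read-only viewer could recover (cleartext or type 7, including line passwords and the RADIUS key) and produces a redacted copy for the audit team. The config text, hex strings and hash are constructed placeholders.

```python
import re

# Constructed sample "show running-config" output modelled on the thread; the
# hex strings and the $1$ hash are placeholders, not real encodings of anything.
SAMPLE_CONFIG = """\
!
enable secret 5 $1$salt$CONSTRUCTEDHASHVALUE00
username audit privilege 7 password 7 094F471A1A0A
radius-server host 192.0.2.10 key 7 05080F1C2243
line con 0
 password 7 121A0C041104
 login
line vty 0 15
 password cisco
 login local
"""

# Matches IOS credential statements "... password|secret|key [<type>] <value>";
# type 0 = cleartext, 5 = MD5 hash, 7 = reversible obfuscation, 8/9 = PBKDF2/scrypt.
CRED_RE = re.compile(
    r"^(?P<indent>\s*)(?P<prefix>.*?\b(?:password|secret|key))"
    r"\s+(?:(?P<type>\d+)\s+)?(?P<value>\S+)\s*$"
)
# Storage types whose value a read-only viewer can recover (what the thread warns about).
REVERSIBLE = {None: "cleartext", "0": "cleartext", "7": "type 7 (reversible)"}

def audit(config):
    """Return (line_no, finding, line) for every reversibly stored credential."""
    findings = []
    for n, line in enumerate(config.splitlines(), 1):
        m = CRED_RE.match(line)
        if m and m.group("type") in REVERSIBLE:
            findings.append((n, REVERSIBLE[m.group("type")], line.strip()))
    return findings

def redact(config):
    """Return the config with every credential value replaced by <REDACTED>;
    the storage type stays visible so the auditor can still assess it."""
    out = []
    for line in config.splitlines():
        m = CRED_RE.match(line)
        if m:
            t = f" {m.group('type')}" if m.group("type") else ""
            line = f"{m.group('indent')}{m.group('prefix')}{t} <REDACTED>"
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for n, kind, text in audit(SAMPLE_CONFIG):
        print(f"line {n}: {kind}: {text}")
```

The enable secret (type 5) is left unflagged because only its hash is exposed; everything type 7 or cleartext is what an over-the-shoulder reader of show run actually gets.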

Blogs and organic groups at http://www.ccie.net
Received on Sat Feb 16 2013 - 09:46:39 ART

This archive was generated by hypermail 2.2.0 : Fri Mar 01 2013 - 07:57:58 ART