Re: read only access and need to protect all sensitive

From: Steve Di Bias <sdibias_at_gmail.com>
Date: Sat, 16 Feb 2013 09:31:55 -0800

NM, I re-read the post. OP was talking about the RADIUS key. That's what I
get for responding without having my morning dose of caffeine! Carry on.

Thanks,
Steve Di Bias- CCIE #32840

On Sat, Feb 16, 2013 at 9:22 AM, Steve Di Bias <sdibias_at_gmail.com> wrote:

> While these *other* methods are creative, I still think the best idea is
> to remove the type 7's entirely. This may not be possible in time for your
> audit, but as a long term goal I highly recommend it.
>
> Thanks,
> Steve Di Bias- CCIE #32840
>
>
> On Sat, Feb 16, 2013 at 7:46 AM, Jay McMickle <jay.mcmickle_at_yahoo.com>wrote:
>
>> That's interesting. I guess you could also add an alias for them that
>> excludes the password 7 and the alias. You could still use enable view with
>> only this alias/macro available to them.
>>
>> Regards,
>> Jay McMickle- CCIE #35355 (RS)
>> Sent from my iPhone 5
>> Support me to fight MS!
>>
>> http://main.nationalmssociety.org/site/TR/Bike/TXHBikeEvents?px=5886043&pg=personal&fr_id=20226
>>
>>
>> On Feb 16, 2013, at 9:34 AM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:
>>
>> > Another easy way is to use EEM when show running is issued and parse the
>> > entire running config through EEM so that whenever it encounters a line
>> > containing password, it will simply skip it.
>> >
>> >
>> > From: Jay McMickle <jay.mcmickle_at_yahoo.com>
>> > To: Ovais Iqbal <ovais.iqball_at_yahoo.com>
>> > Cc: Imran Ali <immrccie_at_gmail.com>; "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
>> > Sent: Saturday, February 16, 2013 6:09 PM
>> > Subject: Re: read only access and need to protect all sensitive passwords
>> >
>> > Agreed. Enable views is what you are looking for.
>> >
>> > However, while this limits the commands they can run, if you give them
>> > sh run, it will still show your line password 7's. You shouldn't be running
>> > enable pass on your routers, so I can only imagine you are concerned with
>> > the line passwords.
>> >
>> > Why not remove the line passwords and point to local, RADIUS, or TACACS,
>> > and you won't have those passwords to be seen?
>> >
>> > no enable password
>> > enable secret ...
>> > !
>> > aaa new-model
>> > ! "secret" stores a type 5 hash, so nothing reversible shows in the config
>> > username Cisco privilege 15 secret Cisco
>> > !
>> > aaa authentication login default .....
>> > line con 0
>> >  login authentication default
>> > line vty 0 15
>> >  login authentication default
>> >
>> > Then enable your views. (enable view)
>> > And set the username login rights, etc.
>> >
>> > I'm going from memory here, so the syntax might be a little off, but you
>> > get the point.
>> >
>> > Regards,
>> > Jay McMickle- CCIE #35355 (RS)
>> > Sent from my iPhone 5
>> > Support me to fight MS!
>> >
>> > http://main.nationalmssociety.org/site/TR/Bike/TXHBikeEvents?px=5886043&pg=personal&fr_id=20226
>> >
>> >
>> > On Feb 15, 2013, at 11:35 PM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:
>> >
>> > > If you want to give only read only access to the entire active config,
>> > > then perhaps you can use views. It doesn't need an external server and
>> > > will surely meet your requirements.
>> > >
>> > >
>> > >
>> > > ________________________________
>> > > From: Imran Ali <immrccie_at_gmail.com>
>> > > To: Cisco certification <ccielab_at_groupstudy.com>
>> > > Sent: Saturday, February 16, 2013 10:27 AM
>> > > Subject: read only access and need to protect all sensitive passwords
>> > >
>> > > Hi all,
>> > >
>> > > I need to give read only access of my routers to an audit team.
>> > >
>> > > I have no issue setting up a RADIUS server through an exec level 7 ....
>> > > which I customised on the router to allow only show
>> > >
>> > > privilege exec all level 7 show. I found that he can't view the routing
>> > > config using a regular show run, but can view the last saved config with
>> > > show startup-config.
>> > >
>> > > The issue is my RADIUS server, and there is no option to specify a type 5
>> > > MD5 strong password.
>> > >
>> > > I am ending up with showing my RADIUS key ..... as type 7 can be easily
>> > > decrypted.
>> > >
>> > > ......I also tried service password-encryption.. but it is again using
>> > > type 7 ...
>> > >
>> > > Any chance of saving from an over-the-shoulder reading attack?
>> > >
>> > >
>> > > Blogs and organic groups at http://www.ccie.net
>> > >
>> > > _______________________________________________________________________
>> > > Subscription information may be found at:
>> > > http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
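As an added example (not code from this thread, from Cisco, or from any poster), a small Python audit that scans a constructed IOS config for credentials a read-only viewer could still recover (type 0 or type 7) and maps each one to the fix discussed in the thread; the sample config, its addresses and its values are made up for this illustration.

```python
import re
# Constructed sample IOS config (made up for this example, not from the thread),
# roughly what a read-only auditor sees from "show running-config".
SAMPLE_CONFIG = """\
service password-encryption
enable password 7 094F471A1A0A
enable secret 5 $1$abcd$PLACEHOLDERHASH0000000
username audit privilege 7 password 7 0822455D0A16
username admin secret 5 $1$wxyz$PLACEHOLDERHASH1111111
radius-server host 192.0.2.10 key 7 13061E010803
line vty 0 15
 password 7 05080F1C2243
"""

# Types 0 (plaintext) and 7 (reversible) are readable; 5/8/9 are one-way hashes.
REVERSIBLE = {"0": "plaintext (type 0)", "7": "reversible (type 7)"}
HASHED = {"5", "8", "9"}

# "<cmd> ... password|secret|key [type] <value>"; cmd is optional so that an
# indented line password ("  password 7 ...") under line con/vty also matches.
SECRET_RE = re.compile(
    r"^\s*(?:(?P<cmd>\S+)\s+)?.*?\b(?P<kw>password|secret|key)\s+"
    r"(?:(?P<type>\d)\s+)?(?P<val>\S+)"
)

def recommend(cmd):
    """Map each exposed credential to the fix the thread suggests for it."""
    if cmd == "enable":
        return "replace with 'enable secret' and remove 'enable password'"
    if cmd == "username":
        return "use 'username ... secret' (hashed) instead of 'password'"
    if cmd == "password":
        return "drop line passwords; use 'login authentication' (local/RADIUS/TACACS)"
    if cmd.startswith(("radius", "tacacs")):
        return "key cannot be hashed: keep it out of any view allowed to run 'show run'"
    return "replace with a hashed secret where IOS supports one"

def audit_config(text):
    """Return (line, kind, fix) for every credential a viewer could recover."""
    findings = []
    for line in text.splitlines():
        m = SECRET_RE.match(line)
        ptype = (m.group("type") or "0") if m else None   # no type number = plaintext
        if m is None or ptype in HASHED:
            continue                                      # nothing, or hashed: fine
        cmd = m.group("cmd") or m.group("kw")             # bare "password" under a line
        findings.append((line.strip(), REVERSIBLE.get(ptype, "type " + ptype), recommend(cmd)))
    return findings
```

Run it against a saved `show run` capture; a finding on a `radius-server` or `tacacs-server` key is the OP's case, where IOS offers no hashed form and the only fix is limiting who may display the config at all.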
Received on Sat Feb 16 2013 - 09:31:55 ART

This archive was generated by hypermail 2.2.0 : Fri Mar 01 2013 - 07:57:58 ART