Use RANCID; it will do that natively. I've used RANCID output in audits before. They'll get code versions and sanitized configs.
Sent from handheld.
On Feb 16, 2013, at 12:33 PM, "Steve Di Bias" <sdibias_at_gmail.com> wrote:
> NM I re-read the post. OP was talking about the RADIUS key. That's what I
> get for responding without having my morning dose of caffeine! Carry on
>
> Thanks,
> Steve Di Bias- CCIE #32840
>
>
> On Sat, Feb 16, 2013 at 9:22 AM, Steve Di Bias <sdibias_at_gmail.com> wrote:
>
>> While these *other* methods are creative, I still think the best idea is
>> to remove the type 7's entirely. This may not be possible in time for your
>> audit, but as a long term goal I highly recommend it.
>>
>> Thanks,
>> Steve Di Bias- CCIE #32840
>>
>>
>> On Sat, Feb 16, 2013 at 7:46 AM, Jay McMickle <jay.mcmickle_at_yahoo.com> wrote:
>>
>>> That's interesting. I guess you could also add an alias for them that
>>> excludes the password 7 and the alias. You could still use enable view with
>>> only this alias/macro available to them.
>>>
>>> Regards,
>>> Jay McMickle- CCIE #35355 (RS)
>>> Sent from my iPhone 5
>>> Support me to fight MS!
>>>
>>> http://main.nationalmssociety.org/site/TR/Bike/TXHBikeEvents?px=5886043&pg=personal&fr_id=20226
>>>
>>>
>>> On Feb 16, 2013, at 9:34 AM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:
>>>
>>>> Another easy way is to use EEM when show running is issued and parse the
>>>> entire running config through EEM so that whenever it encounters a line
>>>> containing password, it will simply skip it.
>>>>
>>>>
>>>> From: Jay McMickle <jay.mcmickle_at_yahoo.com>
>>>> To: Ovais Iqbal <ovais.iqball_at_yahoo.com>
>>>> Cc: Imran Ali <immrccie_at_gmail.com>; "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
>>>> Sent: Saturday, February 16, 2013 6:09 PM
>>>> Subject: Re: read only access and need to protect all sensitive passwords
>>>>
>>>> Agreed. Enable views is what you are looking for.
>>>>
>>>> However, while this limits the commands they can run, if you give them
>>>> sh run, it will still show your line password 7's. You shouldn't be running
>>>> enable pass on your routers, so I can only imagine you are concerned with
>>>> the line passwords.
>>>>
>>>> Why not remove the line passwords and point to Local, Radius, or TACACS
>>>> and you won't have those passwords to be seen?
>>>>
>>>> no enable password
>>>> enable secret ...
>>>> !
>>>> aaa new-model
>>>> username Cisco privilege 15 secret Cisco
>>>> !
>>>> aaa authentication login default ...
>>>> line con 0
>>>>  login authentication local
>>>> line vty 0 15
>>>>  login authentication local
>>>>
>>>> Then enable your views. (enable view)
>>>> And set the username login rights, etc.
>>>>
>>>> I'm going from memory here, so the syntax might be a little off, but you
>>>> get the point.
>>>>
>>>> Regards,
>>>> Jay McMickle- CCIE #35355 (RS)
>>>> Sent from my iPhone 5
>>>> Support me to fight MS!
>>>
>>>> http://main.nationalmssociety.org/site/TR/Bike/TXHBikeEvents?px=5886043&pg=personal&fr_id=20226
>>>>
>>>>
>>>> On Feb 15, 2013, at 11:35 PM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:
>>>>
>>>>> If you want to give only read only access to the entire active config,
>>>>> then perhaps you can use views. It doesn't need an external server and
>>>>> will surely meet your requirements.
>>>>>
>>>>>
>>>>>
>>>>> ________________________________
>>>>> From: Imran Ali <immrccie_at_gmail.com>
>>>>> To: Cisco certification <ccielab_at_groupstudy.com>
>>>>> Sent: Saturday, February 16, 2013 10:27 AM
>>>>> Subject: read only access and need to protect all sensitive passwords
>>>>>
>>>>> Hi all,
>>>>>
>>>>> I need to give read only access of my routers to an audit team.
>>>>>
>>>>> I have no issue setting up a RADIUS server to throw an exec level 7,
>>>>> which I customised on the router to allow only show:
>>>>>
>>>>> privilege exec all level 7 show
>>>>>
>>>>> I found that he can't view the routing config using a regular "show run",
>>>>> but he can view the last saved config with "show startup-config".
>>>>>
>>>>> The issue is my RADIUS server, and there is no option to specify a type 5
>>>>> MD5 strong password. I am ending up with showing my RADIUS key, as type 7
>>>>> can be easily decrypted.
>>>>>
>>>>> I also tried service password-encryption, but it is again using type 7.
>>>>>
>>>>> Any chance of saving from an over-the-shoulder reading attack?
>>>>>
>>>>>
>>>>> Blogs and organic groups at http://www.ccie.net
>>>>> _______________________________________________________________________
>>>>> Subscription information may be found at:
>>>>> http://www.groupstudy.com/list/CCIELab.html
Received on Sat Feb 16 2013 - 17:45:26 ART
This archive was generated by hypermail 2.2.0 : Fri Mar 01 2013 - 07:57:58 ART
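A config-sanitizing filter of the kind the EEM suggestion and the RANCID reply aim at, written here as an added Python example (it is not code from the thread, from RANCID or from Cisco); the sample running-config and its hash and type-7 strings are constructed placeholders. It keys on command keywords rather than on the word "password", which is what a literal "skip lines containing password" filter misses: enable secrets, RADIUS/TACACS keys and SNMP communities never contain that word.

```python
import re
# Constructed sample of "show running-config" output (not from a real device);
# the hash and type-7 strings are placeholder values, not real encodings.
SAMPLE_CONFIG = """\
hostname R1
enable secret 5 $1$abcd$PLACEHOLDERHASH0000000
username admin privilege 15 password 7 0123456789ABCDEF
radius-server host 192.0.2.10 key 7 FEDCBA9876543210
snmp-server community public RO
line con 0
 password 7 00112233445566
 login authentication default
"""

# Group 1 is kept, group 2 masked. Keying on command words rather than on the
# word "password" matters: enable secrets, AAA keys and SNMP communities lack it.
SECRET_PATTERNS = [
    re.compile(r"^(\s*password\s+(?:[057]\s+)?)(\S+)"),
    re.compile(r"^(\s*enable\s+(?:secret|password)\s+(?:\d\s+)?)(\S+)"),
    re.compile(r"^(\s*username\s+\S+(?:\s+privilege\s+\d+)?\s+"
               r"(?:secret|password)\s+(?:\d\s+)?)(\S+)"),
    re.compile(r"^(\s*(?:radius|tacacs)-server\s+.*?\bkey\s+(?:\d\s+)?)(\S+)"),
    re.compile(r"^(\s*snmp-server\s+community\s+)(\S+)"),
]

# The sample's secrets, used only to check what a filter leaves behind.
SAMPLE_SECRETS = ["PLACEHOLDERHASH0000000", "0123456789ABCDEF",
                  "FEDCBA9876543210", "public", "00112233445566"]

def naive_filter(config):
    """The literal 'skip any line containing password' approach."""
    return "\n".join(l for l in config.splitlines() if "password" not in l)

def sanitize_config(config, mask="<removed>"):
    """Mask the secret on every matching line; return (text, lines_masked)."""
    out, masked = [], 0
    for line in config.splitlines():
        for pat in SECRET_PATTERNS:
            m = pat.match(line)
            if m:
                line = m.group(1) + mask + line[m.end(2):]
                masked += 1
                break
        out.append(line)
    return "\n".join(out), masked

def leaked_secrets(text):
    """Sample secrets still present verbatim in the filtered text."""
    return [s for s in SAMPLE_SECRETS if s in text]
```

Run `leaked_secrets(naive_filter(SAMPLE_CONFIG))` against `leaked_secrets(sanitize_config(SAMPLE_CONFIG)[0])` to see which lines the word-match approach leaves exposed.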