Another easy way is to use EEM when show running is issued and parse the
entire running config through EEM so that whenever it encounters a line
containing password, it will simply skip it.
________________________________
From: Jay McMickle <jay.mcmickle_at_yahoo.com>
To: Ovais Iqbal <ovais.iqball_at_yahoo.com>
Cc: Imran Ali <immrccie_at_gmail.com>; "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
Sent: Saturday, February 16, 2013 6:09 PM
Subject: Re: read only access and need to protect all sensitive passwords
 
Agreed. Enable views is what you are looking for.
However, while this limits the commands they can run, if you give them sh run,
it will still show your line password 7's. You shouldn't be running enable
pass on your routers, so I can only imagine you are concerned with the line
passwords.

Why not remove the line passwords and point to Local, Radius, or TACACS and
you won't have those passwords to be seen?

No enable pass
Enable secret ...
!
aaa new-model
username Cisco priv 15 pass Cisco
!
aaa auth login default.....
Line con 0
Login auth local
line vty 0 15
Login auth local

Then enable your views. (enable view)
And set the username login rights, etc.

I'm going from memory here, so the syntax might be a little off, but you get
the point.

Regards,
Jay McMickle- CCIE #35355 (RS)
Sent from my iPhone 5
Support me to fight MS!
http://main.nationalmssociety.org/site/TR/Bike/TXHBikeEvents?px=5886043&pg=personal&fr_id=20226

On Feb 15, 2013, at 11:35 PM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:
> If you want to give only read only access to the entire active config, then
> perhaps you can use views. It doesn't need an external server and will
> surely meet your requirements,
>
> ________________________________
> From: Imran Ali <immrccie_at_gmail.com>
> To: Cisco certification <ccielab_at_groupstudy.com>
> Sent: Saturday, February 16, 2013 10:27 AM
> Subject: read only access and need to protect all sensitive passwords
>
> Hi all,
>
> I need to give read only access of my routers to an audit team.
>
> I have no issue setting up a radius server to through an exec level 7
> .... which I customised on the router to allow only show
>
> Privilege exec all level 7 show. I found that he can't view
> routing config using "regular show run" but can view last saved
> config with show startup-config.
>
> The issue is my radius server, and there is no option to specify
> type 5 md5 strong password.
>
> I am ending up with showing my Radius key ..... as type 7 can be
> easily decrypted.
>
> ......I also tried service password encryption..but it is again
> using type 7 ...
>
> Any chance of saving from over shoulder reading attack?
>
>
> Blogs and organic groups at http://www.ccie.net
>
Received on Sat Feb 16 2013 - 07:34:48 ART
This archive was generated by hypermail 2.2.0 : Fri Mar 01 2013 - 07:57:58 ART
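
An offline variant of the filtering idea in the first reply, as an added example that is not part of the thread or any poster's code: rather than an EEM applet on the router, this Python sketch masks secret values in an exported config and lists the lines that still use cleartext or type 7. The sample config, the `redact` function and the `<removed>` marker are constructed for illustration.

```python
import re

# Constructed sample config (not from the thread); every secret value is made up.
SAMPLE_CONFIG = """\
hostname R1
service password-encryption
enable secret 5 $1$abcd$CONSTRUCTEDHASHVALUE000
username audit privilege 7 password 7 0000000000000000
radius-server key 7 1111111111111111
interface GigabitEthernet0/0
 description uplink, password rotation due in March
 ip address 192.0.2.1 255.255.255.0
line vty 0 4
 password 7 2222222222222222
 login
"""

# Keyword, optional one-digit encryption type, then the secret up to end of line.
# Requiring whitespace after the keyword keeps "service password-encryption".
SECRET_RE = re.compile(
    r"^(?P<head>.*?\b(?P<kw>password|secret|key)\s+)"
    r"(?:(?P<type>\d)\s+)?(?P<value>\S.*)$"
)
FREE_TEXT = ("description", "remark", "!")  # free-text lines are never secrets


def redact(config):
    """Return (masked_config, weak) where weak lists (line_no, keyword, type)
    for secrets stored as cleartext or reversible type 7."""
    out, weak = [], []
    for n, line in enumerate(config.splitlines(), 1):
        m = SECRET_RE.match(line)
        if not m or line.lstrip().startswith(FREE_TEXT):
            out.append(line)  # keep the line: auditors need the structure
            continue
        etype = m.group("type")
        label = f"{etype} " if etype else ""
        # Mask only the value, so the auditor still sees a secret is configured.
        out.append(f"{m.group('head')}{label}<removed>")
        if etype in (None, "0", "7"):
            weak.append((n, m.group("kw"), etype or "cleartext"))
    return "\n".join(out) + "\n", weak


if __name__ == "__main__":
    masked, weak = redact(SAMPLE_CONFIG)
    print(masked)
    for line_no, kw, etype in weak:
        print(f"line {line_no}: {kw} stored as type {etype}")
```

Any line where a keyword is followed by a value is masked, so unrelated commands that happen to contain `key` followed by text are over-redacted rather than leaked.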