[nsp] enable commands as non-enable user?

MacDonald, James James.MacDonald@attcanada.com
Mon, 12 Aug 2002 13:05:58 -0600


You can enable sh run for any privilege level .. the problem is that unless
the level also includes the ability to configure you'll only see a limited
running config ... ie. it shows you what you can actually do ... example:

gwy1-tor#sh run
Building configuration...

Current configuration : 155 bytes
!
! Last configuration change at 03:55:56 EST Sat Aug 3 2002 by jamesm
! NVRAM config last updated at 04:43:56 EST Mon Aug 12 2002 by stats
!
!
!
!
end

Not very useful ... so the only choice is a "sh conf" where it reads the
nvram:startup-config file (basically more's the file). The caveat there is
that users had better be writing the config after all changes or some items
may be missed. I do what was suggested earlier and it works quite well ...
allow a priv level to show, show conf etc ... then put the level in the
user/pass command. Works nicely.

Jim

-----Original Message-----
From: Barry Bruins [mailto:bbruins@cisco.com]
Sent: Monday, August 12, 2002 2:44 PM
To: Josh Duffek; Bruce Campbell; cisco-nsp@puck.nether.net
Subject: Re: [nsp] enable commands as non-enable user?


Ughh.  I'm embarrassed.  You're right.  It may require a TACACS+ server
in the mix.

Barry

At 01:06 PM 8/12/2002 -0500, Josh Duffek wrote:
>just fyi...im 99% sure you cant do this for "sh run"...but i never tried for
>"sh config".
>
>joshd
>
>----- Original Message -----
>From: "Barry Bruins" <bbruins@cisco.com>
>To: "Bruce Campbell" <bruce.campbell@ripe.net>; <cisco-nsp@puck.nether.net>
>Sent: Monday, August 12, 2002 12:24 PM
>Subject: Re: [nsp] enable commands as non-enable user?
>
>
>> Use the privilege command to set the show running-config to another level.
>>
>> Barry
>>
>> At 06:29 PM 8/12/2002 +0200, Bruce Campbell wrote:
>>
>> >Greetings,
>> >
>> >I'm wanting to allow a dedicated non-enabled user to be able to 'show
>> >conf' (run through all the routers and save the conf nightly).  Is this
>> >possible via AAA (tacacs+)?  ( the AAA overview on cco isn't that clear on
>> >whether this is possible or not)
>> >
>> >--==--
>> >Bruce.
>> >
>> >_______________________________________________
>> >cisco-nsp mailing list  real_name)s@puck.nether.net
>> >http://puck.nether.net/mailman/listinfo/cisco-nsp
>> >archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
