Cisco View Running Config at Custom Privilege Level

On a Cisco router or switch, by default you must have privilege level 15 to view the configuration, and level 15 also grants full access to modify the device configuration. This is not a problem for an admin account, but it becomes a problem when you need a user to view the running config without being able to modify any of it. Think of a help desk or desktop support user, or an auditor: they should not be able to change the configuration but may need to read the running configuration from time to time. In this post I will show you how to get around this so that a user account can view the running config but not make any configuration changes.

Prerequisites

In this post I will assume the following of the environment.

  • A user account with a privilege level other than 15 that you can use to log in to the device.
    • This can be defined locally on the device or provided through RADIUS or TACACS+.
    • In this post I use privilege level 4; if your level is different, modify the commands accordingly.
  • An admin account on the device with privilege level 15 so you can enter the configuration commands.

Configure Privilege Level File Access

The first thing you need to do is allow your targeted privilege level access to the file system of the device. You will need to do this with your account that has privilege level 15. Note that this lowers the level required for the IOS file-system commands as a whole, not only for reading the running config, so review what else that level can now do before granting it.

cisco-device(config)#file privilege 4

Configure Privilege Access to More

The more command can be used to display the contents of a file on a Cisco device. We need access to this command so we can display the running configuration file from the file system. You will need to do this with your account that has privilege level 15.

cisco-device(config)#privilege exec level 4 more

Test

Now log in to the device with your account that has the target privilege level. You can validate the privilege level with the command below.

cisco-device#show privilege
Current privilege level is 4
cisco-device#

And now issue the more command to list out the running configuration.

cisco-device#more system:running-config
!
! Last configuration change at 08:57:50 CST Tue Oct 18 2022 by adminuser
! NVRAM config last updated at 15:36:03 CST Fri Sep 30 2022 by adminuser
!
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
~ OUTPUT TRUNCATED ~
cisco-device#

And as you can see, your user can view the full contents of the running configuration, including any passwords, keys and SNMP community strings stored in it, so treat this access as sensitive.

Answering the Glaring Question

You are probably asking yourself, "Why can't I just grant access to the show running-config command?" I wish this worked, but it does not because show running-config is special: the user will see the command and be able to issue it without error, but because they do not have access to the commands inside the running configuration, those commands are not displayed in the output. This means you will at best get a partial output, and possibly no output at all.

Teardown

To remove the privilege access to the file system and the more command, issue the following commands.

cisco-device(config)#no file privilege 4
cisco-device(config)#privilege exec reset more
cisco-device(config)#

And you can validate the removal by listing the running config filtered on the privilege keyword; no lines should be returned.

cisco-device#show running-config | include privilege
cisco-device#
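When auditing several devices it is useful to go beyond a manual grep and summarise which privilege levels, and which local accounts, can actually read the running config. The script below is an added example, not part of the original post or any Cisco tooling: it parses the file privilege, privilege exec level and username privilege lines from a saved running-config and reports the review items. The SAMPLE_CONFIG excerpt and its usernames are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample excerpt of an IOS running-config (not captured from a real device).
SAMPLE_CONFIG = """\
!
version 15.2
file privilege 4
privilege exec level 4 more
privilege exec level 5 show running-config
username helpdesk privilege 4 secret 5 <hash-placeholder>
username auditor privilege 5 secret 5 <hash-placeholder>
username admin privilege 15 secret 5 <hash-placeholder>
!
"""

FILE_PRIV_RE = re.compile(r"^file privilege (\d+)$")
CMD_PRIV_RE = re.compile(r"^privilege (\S+) level (\d+) (.+)$")
USER_PRIV_RE = re.compile(r"^username (\S+) privilege (\d+)\b")


def audit_privilege_grants(config_text: str) -> Dict[str, object]:
    """Parse privilege delegation lines and flag who can read the running-config."""
    file_priv = 15                      # IOS default: only level 15 reaches the file system
    grants: Dict[int, List[str]] = {}   # level -> ["exec more", ...]
    users: Dict[str, int] = {}          # local username -> privilege level
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := FILE_PRIV_RE.match(line):
            file_priv = int(m.group(1))
        elif m := CMD_PRIV_RE.match(line):
            grants.setdefault(int(m.group(2)), []).append(f"{m.group(1)} {m.group(3)}")
        elif m := USER_PRIV_RE.match(line):
            users[m.group(1)] = int(m.group(2))
    findings: List[str] = []
    if file_priv < 15:
        findings.append(f"file privilege lowered to {file_priv}: file-system commands open to level {file_priv} and above")
    for level in sorted(grants):
        # Levels are cumulative, so 'more' plus file access at this level or below gives full config read.
        if "exec more" in grants[level] and level >= file_priv:
            who = sorted(u for u, lvl in users.items() if lvl == level)
            findings.append(f"level {level} can read the full running-config via 'more system:running-config' (users: {', '.join(who) or 'none local'})")
        if any(g.startswith("exec show running-config") for g in grants[level]) and level < 15:
            findings.append(f"level {level} granted 'show running-config': expect partial or empty output")
    return {"file_privilege": file_priv, "command_grants": grants, "users": users, "findings": findings}


if __name__ == "__main__":
    for item in audit_privilege_grants(SAMPLE_CONFIG)["findings"]:
        print(item)
```

Feed it the output of show running-config saved from each device; an empty findings list corresponds to the clean state shown by the include privilege check above.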

And that is all there is to it. If you have any additional questions let me know in the comments below!
