Most of you have probably found that when we configure different privilege levels for users in Cisco IOS, the less privileged user can only display an empty version of the running config.

In fact this happens to many network administrators, who then have to find a workaround such as allowing the show startup-config command. This is a very newbie approach because the startup-config, as we all know, only shows the configuration that will be loaded at boot, and that can be very different from the one that is running. For instance, we can have a base startup-config that allows the device to load the final config from a central server.

Anyway, if you want to do things the way they should be done, here is the solution to this IOS behavior.

Let’s suppose that we have the following basic aaa config:

aaa new-model
aaa authentication login conauthen local
aaa authorization console
aaa authorization exec conauthor local

With the console line configured like this:

line con 0
 authorization exec conauthor
 login authentication conauthen

The following limited privilege configuration:

privilege exec level 3 show privilege
privilege exec level 3 show interfaces
privilege exec level 3 show

And a couple of users with privilege specified locally:

username cisco privilege 15 password 0 cisco
username test privilege 7 password 0 test

From here, if we log in as user test, we can only run the specified commands, but the running-config will be empty:

[Image: R2]

If we want this limited user to read the entire running-config, we have to set the command's suboptions to the same level with the following command:

privilege exec all level 3 show running-config

And then we can show the entire file with the limited user like this:

show running-config view full

Here is the result:

[Image: R2-1]
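As an added example (not part of the original post), the Python sketch below audits a saved config to report which local users meet the privilege level assigned to show running-config, and which username lines carry a type 0 password, since those lines are part of the running-config. The function name audit and the sample text are constructed here from the lines shown in this post.

```python
import re

# Constructed sample: the configuration lines from this post, as one file.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login conauthen local
aaa authorization console
aaa authorization exec conauthor local
username cisco privilege 15 password 0 cisco
username test privilege 7 password 0 test
privilege exec level 3 show privilege
privilege exec level 3 show interfaces
privilege exec level 3 show
privilege exec all level 3 show running-config
"""

PRIV_RE = re.compile(r"^privilege exec (all )?level (\d+) (.+)$")
USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))?(?: password (\d+) \S+)?")

def audit(config_text, command="show running-config"):
    """Report who meets the privilege level assigned to `command`."""
    level, uses_all = 15, False      # IOS default: show running-config is level 15
    users, cleartext = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        priv = PRIV_RE.match(line)
        if priv and priv.group(3) == command:
            uses_all, level = bool(priv.group(1)), int(priv.group(2))
        user = USER_RE.match(line)
        if user:
            # A username without "privilege" gets level 1.
            users[user.group(1)] = int(user.group(2) or 1)
            if user.group(3) == "0":  # type 0 = stored unencrypted
                cleartext.append(user.group(1))
    return {
        "level": level,
        "all_suboptions": uses_all,
        "readers": sorted(n for n, lvl in users.items() if lvl >= level),
        "cleartext_passwords": sorted(cleartext),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Every name listed under readers can display the lines listed under cleartext_passwords, so review both lists together before lowering the level of show running-config.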

Cheers,