In or around IOS 15.2 apparently a privilege structural change was made that breaks non-priv-15 users from being able to copy the running config, useful for RANCID and other tools. And either the RANCID/Oxidized community simply uses privilege 15 users in their configs, which I refuse to do on priciple, or my google-fu is poor because I have not found this info in any explicit form.
In any case, the symptom of the typical config allowing to download a running config without having level-15 privileges on Cisco IOS has always been documented as:
username rancidbackup privilege 10 secret [md5-pass] privilege exec level 10 show running-config view full privilege exec level 10 show running-config view privilege exec level 10 show running-config privilege exec all level 1 show
the above in IOS <= 15.1 was always enough to allow user “rancidbackup” to issue a “show running-config view full” and the CLI would output the current configuration. Under IOS 15.2, behaviour appears to have changed. Some folks receive a “permission denied” error while others, such as my experience, a simple empty config would be output. As an example:
ssh -l rancidbackup 10.0.255.1 Password: Router#show running-config view full [...nothing...] Router#show running-config [...nothing...] Router#
This annoying behaviour can be worked around in two different ways.
The first, is to cave and allow the rancid backup user to obtain level-15 privileges upon login. The academic risk of compromise by this admin-level user can be mitigated by limiting the IP addresses used for login via ACL: example:
username rancidbackup access-class 99 privilege 15 secret [md5-pass] ! access-list 99 remark RANCID-ONLY access-list 99 permit host 10.0.1.25 any !
By adding access-class to the username definition, it is possible to avoid this user being used from other sources. This might even be recommendable for any scenario where scripting/tools are used for access to the device. However, this method still requires that user to have admin level-15 privileges.
I was pointed to https://supportforums.cisco.com/discussion/11691446/error-opening-nvramstartup-config-permission-denied as a possible second solution. Apparently there is a mecanism to allow file access (which includes running-config, apparently…), with the command “file privilege [level]”
In our case, by issuing “file privilege 10”, we are able to see via “show running-config view full” (and not just show running-config) the info we seek to backup with our tool, in this case RANCID (as you can see, “show running config” is useless but “show running-config view full” outputs what we need):
Router#show running-config Building configuration... Current configuration : 261 bytes ! ! Last configuration change at 22:04:36 EDT Mon May 30 2016 by user ! NVRAM config last updated at 13:15:46 EDT Thu May 26 2016 by user ! NVRAM config last updated at 13:15:46 EDT Thu May 26 2016 by user boot-start-marker boot-end-marker ! ! ! ! ! ! ! end Router#show running-config view full Building configuration... Current configuration : 90474 bytes ! ! Last configuration change at 22:04:36 EDT Mon May 30 2016 by user ! NVRAM config last updated at 13:15:46 EDT Thu May 26 2016 by user ! NVRAM config last updated at 13:15:46 EDT Thu May 26 2016 by user upgrade fpd auto version 15.2 .... etc etc !
I am still researching secondary implications from setting “file privilege” to anything other than level-15. I haven’t found a way, using a privilege 10 user, to modify/delete the files so use at your own risk (!). But combining the two above mecanisms I believe provides a sufficient means to allow non-privileged, read-only access to the configuration for use with config management and other scripting tools.