DX NetOps

  • 1.  To perform NCM capture using SSH/SCP, why RW access with privilege 15 is required. Why not RO access?

    Posted Aug 10, 2017 08:54 AM

    Hi Everyone,

     

    In the current environment, we have SNMP/TFTP set up for NCM capture. Due to the security constraints related to TFTP, we are planning to move to SSH/SCP for NCM capture.

    I have gone through the CA documents and didn't find any information detailing what level of privileges should be set for the device user to capture the config. It is only in this Community that I came across answers suggesting providing RW access and setting the privilege to 15.

    While testing, I provided RO access to the user. I was able to capture a partial config (around 20-odd lines from the config). We provided privilege 15 access to the user temporarily for testing purposes and were able to capture the config completely.

     

    My question is why RW access is required to capture the configs, and why not RO access? Providing RW access is like providing root access to the devices and is a severe concern with respect to security.

    As I understand it, we are just trying to read the config, so RO access should be sufficient. In the earlier case we were able to get the capture, but only partially. Can someone clarify why RO access captures a partial config and RW access captures the whole config?

    Also please clarify how/why NCM capture is so dependent on using RW access only?

     

    Thanks & Regards,

    Amey



  • 2.  Re: To perform NCM capture using SSH/SCP, why RW access with privilege 15 is required. Why not RO access?
    Best Answer

    Posted Aug 10, 2017 10:11 AM

    Hi Amey,

     

    Read Write is required because NCM will need to set parameters on the device itself to initiate the capture.

    Read Only access cannot do this, typically.

     

    In regards to Privileges in Cisco, User Level (priv 1) cannot view the entire running config – as you found out.

    We require the entire configuration which only privilege 15 can provide.

    Screenshot attached showing example.

     

    NCM can also UPLOAD configuration changes. This is also limited to a Privilege 15 User.

     

    The passwords stored inside Spectrum are encrypted and cannot be viewed once entered in.

    You could setup NCM to require “approval” for changes so that only certain users can actually approve changes to configurations on your devices.

     

    https://docops.ca.com/display/CASP102/NetworkConfigurationManagerDevice-LevelTasks

     

    Thanks!

    Matt



  • 3.  Re: To perform NCM capture using SSH/SCP, why RW access with privilege 15 is required. Why not RO access?

    Broadcom Employee
    Posted Aug 10, 2017 10:17 AM

    Hi Amey,

     

    As my colleague Matt has mentioned, SCP/SSH in Cisco requires privilege 15; this is because "copy" requires privilege 15 in order to be used successfully.

     

    Further info is available here:

     

    https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ssh/configuration/12-2sx/sec-usr-ssh-12-2sx-book/sec-secure-copy.pdf

     

    Best regards,

    Glenn



  • 4.  Re: To perform NCM capture using SSH/SCP, why RW access with privilege 15 is required. Why not RO access?

    Posted Aug 10, 2017 10:21 AM

    Another option for "hardening" is utilizing NCM policies.

    We will monitor the configurations and we can alarm if they are different from the source config set.

     

    Network Configuration Manager Policies - CA Spectrum - 10.2 and 10.2.1 - CA Technologies Documentation 
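The monitoring described in this reply (compare each captured configuration against the source config set and raise an alarm on any difference) can be illustrated with a small drift check. The following is an added example, not code from NCM or CA Spectrum: it takes a baseline config and a freshly captured config, ignores volatile comment lines that change on every capture, and reports which lines were added or removed. The two IOS-style configs, the device name and the `ncm-svc` / `temp-admin` usernames are constructed sample data, and the `secret` hashes are placeholders.

```python
import difflib
import re

# Constructed sample: the approved "source config set" for a device.
BASELINE_CONFIG = """\
! Last configuration change at 10:01:00 UTC Thu Aug 10 2017
version 15.2
hostname core-sw-01
username ncm-svc privilege 15 secret 5 $1$PLACEHOLDER
ip ssh version 2
line vty 0 4
 transport input ssh
 login local
"""

# Constructed sample: a later capture where someone added a second
# privilege-15 account and re-enabled telnet on the VTY lines.
CAPTURED_CONFIG = """\
! Last configuration change at 11:37:12 UTC Thu Aug 10 2017
version 15.2
hostname core-sw-01
username ncm-svc privilege 15 secret 5 $1$PLACEHOLDER
username temp-admin privilege 15 secret 5 $1$PLACEHOLDER
ip ssh version 2
line vty 0 4
 transport input ssh telnet
 login local
"""

# Comment lines IOS rewrites on every capture; they must not count as drift.
VOLATILE = re.compile(r"^!\s*(Last configuration change|No configuration change|Time:)")


def normalize(config):
    """Split a config into lines, dropping blanks and volatile comments.
    Leading whitespace is kept because it carries IOS section structure."""
    lines = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or VOLATILE.match(line):
            continue
        lines.append(line)
    return lines


def config_drift(baseline, captured):
    """Return {'drifted': bool, 'added': [...], 'removed': [...]}.
    'added' lines exist only in the capture, 'removed' only in the baseline."""
    base = normalize(baseline)
    cap = normalize(captured)
    added, removed = [], []
    matcher = difflib.SequenceMatcher(a=base, b=cap, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("replace", "delete"):
            removed.extend(base[i1:i2])
        if tag in ("replace", "insert"):
            added.extend(cap[j1:j2])
    return {"drifted": bool(added or removed), "added": added, "removed": removed}


def unified_report(baseline, captured):
    """Human-readable unified diff of the normalized configs (empty if no drift)."""
    return "\n".join(difflib.unified_diff(normalize(baseline), normalize(captured),
                                          fromfile="baseline", tofile="captured",
                                          lineterm=""))


if __name__ == "__main__":
    result = config_drift(BASELINE_CONFIG, CAPTURED_CONFIG)
    if result["drifted"]:
        print("ALARM: configuration differs from source config set")
        print(unified_report(BASELINE_CONFIG, CAPTURED_CONFIG))
    else:
        print("OK: configuration matches source config set")
```

In this sample the check flags the new `temp-admin` privilege-15 account and the change from `transport input ssh` to `transport input ssh telnet`, while the differing "Last configuration change" timestamp is ignored. The `added` and `removed` lists are what an alarm or ticket would carry; the privilege-15 account the capture itself depends on is also a line in the baseline, so any tampering with it shows up the same way.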



  • 5.  Re: To perform NCM capture using SSH/SCP, why RW access with privilege 15 is required. Why not RO access?

    Posted Aug 23, 2017 12:08 AM

    Hi Matt/Glenn,

     

    Thank you for the response. This answers the query that I had and helped in configuring NCM. It is working efficiently now.

     

    Thanks & Regards,

    Amey