NeSight Console - Using Command Script Tool

  • 0
  • 1
  • Question
  • Updated 4 years ago
To use Command Script Tool is necessary to configure a username and password in NetSight Authorization/Device Access and Profiles/Credentials-->CLI Credentials.
How can I to hidden my password on CLI Credentials to that another person don't see it?

Photo of Edson Moura

Edson Moura

  • 472 Points 250 badge 2x thumb

Posted 4 years ago

  • 0
  • 1
Photo of Jason Parker

Jason Parker, Employee

  • 2,918 Points 2k badge 2x thumb
I am not aware of this procedure but you can always create a default one that everyone can use when using the command script. If this is used just for collecting data.

I would suggest trying this as a client machine (rather than doing from the server machine) to see if that works but I am not sure that this can be done that way
Photo of Ronald Dvorak

Ronald Dvorak, Embassador

  • 45,306 Points 20k badge 2x thumb
You need to add different "Authorization Groups".
i.e. I'm in the group "Netsight Admin" and could access every menu within Netsight but I've created a user group "NOC" with restricted access.

So you could restrict the group NOC so they can't access the authorization/device access menu to access the password but could allow them to use the command script tool.

Here what they get if they try to access the authoization/device access menu...



-you could add a new group in > authorization/device access
- the command script capabilities could be found in > Netsight Suite > Devices > Execute Command Script
Photo of Edson Moura

Edson Moura

  • 472 Points 250 badge 2x thumb
Thanks Ronald. I appreciate your sugestion.

I've already used Authorization Groups, but, I my network, there are several admin users that could to use usename "NOC" to change the configuration of the switches, so I would lose the track that which person has made the configuration in my network.

IMO, the Command Script Tool should request a username and password during the time I was doing the configuration on the switches.

Thanks for your help.

Edson Moura
Photo of Ronald Dvorak

Ronald Dvorak, Embassador

  • 45,306 Points 20k badge 2x thumb
OK so the requirement changed from "not see pw" to "track who changed the config".

I assume you not only want to see who changed the switch config but also what was changed = logg the complete CLI commands that were used by that user.

In the Netsight Console log you could see which Netsight user has executed the script tool,
In this case the root user but you also could see the hostname of the PC=AT00298W,


If you now enable syslog logging on your devices you'd send all CLI changes to Netsight....


I know that isn't a great solution to your problem as you'd need to manualy search for the Netsight user and which changes were done.

Might be that someone else has a better idea.

Ron
Photo of John Kaftan

John Kaftan

  • 810 Points 500 badge 2x thumb
I think you could disable the feature "Show Passwords in Clear Text" for all of your user groups.  Then you would also have to figure out how to make it so that nobody else can turn on this feature, i.e. you have to play with the settings under Authorization/Device Access to get what you are looking for.

When I need to use this feature I use my username and password for the CLI config.  Then I go in and change it to something else when I am done.  Not ideal because another admin can see my stuff while I am doing the work but at least that way I minimize my exposure.

Photo of Edson Moura

Edson Moura

  • 472 Points 250 badge 2x thumb
Thank you, guys!