Friday, March 9, 2012
How to create a read only user in Cisco devices
Here is the thing: can you believe there is no straightforward way to configure a read-only user on Cisco devices? If you know a way to do it, please correct me here.
Scenario: my manager asked me to create a read-only user on 90 networking devices (routers, switches, load balancers, firewalls) for a company in transition. We have two environments, and the two are configured differently. Again, for security reasons I cannot give more details.
Initial planning: the first thing that came to mind was Kiwi CatTools, to run a batch update against all the devices. Before building the implementation I decided to try the commands on a DR switch first. After spending a few hours on the commands I figured out there is no way to create a read-only user.
By default, there are three privilege levels on a Cisco IOS router:
■privilege level 0 — Includes the disable, enable, exit, help, and logout commands.
■privilege level 1 — Normal level on Telnet; includes all user-level commands at the router> prompt.
■privilege level 15 — Includes all enable-level commands at the router# prompt.
If I use privilege level 0 or 1 it will not allow show commands such as show run or show config. And if I use privilege level 15 the user becomes a power user. So my research continued... The link below helped me a lot and saved research time. The official CCNA Security book, page 123 (AAA configuration), also helped me understand how privilege levels and AAA work on Cisco devices.
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
My solution: there are two ways to work around this problem.
a) Create a new user with a custom privilege level and move specific exec and configure commands down to that level [this is not really what I was looking for]. When this user does a show run, the output contains only the sections the user is allowed to modify at that level.
username john privilege 9 password cisco
! "configure terminal" is an exec-mode command, so it is moved with "privilege exec"
privilege exec level 8 configure terminal
! "interface" is a configure-mode command, so it is moved with "privilege configure"
privilege configure level 8 interface
Log in as the user you created (in my case "john") and do a show run.
b) Create a new user with a custom privilege level and move the show configuration command down to that level. The user can then run show configuration, which displays the startup configuration stored in NVRAM; it matches the running configuration only as long as the running configuration has been saved (copy running-config startup-config).
username john privilege 9 password cisco
privilege exec level 7 show config
Log in as the user you created (in my case "john") and do a show config.
For both methods you need to enable AAA on each device; the exec authorization line is what applies the privilege level from the username command when the user logs in. If you are not familiar with the AAA model, read up on it in the Cisco knowledge base first.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
Note: you cannot get the full running configuration by adding show running-config in this manner [don't ask me why]. The output of show running-config is filtered to the commands the user's privilege level is allowed to configure, which is also why method (a) shows only those sections.
Note: if you have specified a privilege level on the vty lines, it overrides whatever level you set on the username. For example, this vty configuration puts everyone who logs in at level 15 regardless of the username setting:
line vty 0 3
privilege level 15
login authentication Company-RLogin
Additional note: to make a Cisco device prompt for a username at all, you have to configure it on the lines, either with login local (which checks the local username database) or by pointing the line at an AAA authentication method list, as in the Company-RLogin example above.
line vty 0 3
login local
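Putting the pieces together, here is a complete configuration for method (b) as an added example; it is not from the original post. The account name readonly, its secret, the level number 7 and the method-list name Company-RLogin are assumptions for illustration, and it assumes SSH is already set up on the device. It uses secret instead of password so the credential is stored as a hash rather than a reversible type-7 string.

```cisco
! Added example (not from the original post): a read-only operator
! account built with method (b). The name "readonly", the secret,
! level 7 and the list name Company-RLogin are assumed for illustration.
!
! 1. AAA: authenticate logins against the local user database and let
!    exec authorization apply the privilege level from the username.
!    The default list covers the console too, so it is not locked out.
aaa new-model
aaa authentication login default local
aaa authentication login Company-RLogin local
aaa authorization exec default local
!
! 2. Local account. "secret" stores a hash; "password" would store a
!    reversible type-7 string that is visible in show run / show config.
username readonly privilege 7 secret ChangeMe123
!
! 3. Move "show configuration" (the startup config in NVRAM) down to
!    level 7. Level 7 otherwise inherits only what levels 1-6 have,
!    so the account still cannot enter configure terminal.
privilege exec level 7 show configuration
!
! 4. Lines: point them at the method list and do NOT set
!    "privilege level 15" here, or it overrides the username level.
!    "transport input ssh" assumes SSH is already configured.
line vty 0 4
 login authentication Company-RLogin
 transport input ssh
!
! Verification, logged in as "readonly":
!   show privilege        -> Current privilege level is 7
!   show configuration    -> the startup configuration is displayed
!   configure terminal    -> not available; it is still a level 15 command
```

After applying this, run show configuration as the new user and confirm it prints the saved configuration; then save the running configuration (copy running-config startup-config) so what the read-only user sees actually reflects the live device.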