Friday, March 9, 2012

How to create a read only user in Cisco devices

Here is the thing: can you believe there is no straightforward way to configure a read-only user on Cisco devices? If you know of a way to do it, please correct me here.

Scenario: my manager asked me to create a read-only user on 90 networking devices (routers, switches, load balancers, firewalls) for a company in transition. We have two environments, and those two environments are configured differently. Again, for security reasons I cannot give more details.

Initial planning: the first thing that came to my mind was Kiwi CatTools, running a batch update against all the devices. Before actually building the implementation I tried the commands on a DR switch. After spending a few hours on the commands I figured out there is no way to create a read-only user.

By default, there are three command levels on the router:

■ privilege level 0 — Includes the disable, enable, exit, help, and logout commands.

■ privilege level 1 — Normal level on Telnet; includes all user-level commands at the router> prompt.

■ privilege level 15 — Includes all enable-level commands at the router# prompt.

If I use privilege level 0 or 1, the user is not allowed to run show commands such as show run or show config, and if I use privilege level 15 the user becomes a power user. So my research continued… The link below helped me a lot and saved research time. The official CCNA Security book (page 123, AAA configuration) also helped me understand how these privilege levels and AAA work in Cisco devices.

My solution: there are two ways to get around this problem.

a) Create a new user with a custom privilege level and specify each exec command this user can run [this is not really what I was looking for]. In this way, when the user does a show run, it shows only the items/sections that he can modify at that exec level.

username john privilege 9 password cisco
! "configure terminal" is an exec-mode command, so it is moved with "privilege exec"
privilege exec level 8 configure terminal
! "interface" is entered from configure mode, so it is moved with "privilege configure"
privilege configure level 8 interface

Log in as the user created (in my case “john”) and run show run.

b) Create a new user with a custom privilege level and allow the show configuration command for this user. In this way the user can run show configuration, which is very similar to show running-configuration.

username john privilege 9 password cisco
privilege exec level 7 show config

Log in as the user created (in my case “john”) and run show config.

For both methods you need to enable AAA on each device. If you do not understand the AAA model, please read about it in the Cisco knowledge base.

aaa new-model
aaa authentication login default local
aaa authorization exec default local

Note: You cannot add show running-configuration in this manner. [Don't ask me why]

Note: If you have specified a privilege level on the vty lines, it will override whatever value you specified at the user level.

line vty 0 3
privilege level 15
login authentication Company-RLogin

Additional note: in order to be prompted for a user name on all Cisco devices you need to specify it. You can do that either with login local or by creating an authentication list:

line vty 0 3
login local
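As an added example (not from the original post), here is a small Python check that scans a saved IOS configuration for the pitfalls described above: commands moved down to the user's level that are not show commands, a vty line forcing a higher privilege level than the user's, and missing exec authorization. The two sample configs are constructed here, following method (b), and the secret is a placeholder.

```python
import re

# Constructed sample following method (b) above: the level-9 user only gains "show config".
GOOD_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username john privilege 9 secret EXAMPLE_PASSWORD
privilege exec level 7 show config
line vty 0 3
 login authentication default
 transport input ssh
"""

# Same config with both pitfalls: vty forces level 15, and a configure-mode command is moved down.
BAD_CONFIG = GOOD_CONFIG.replace(" login authentication", " privilege level 15\n login authentication")
BAD_CONFIG += "privilege configure level 8 interface\n"


def parse_vty_levels(config):
    """Return {'vty 0 3': 15, ...} for every 'line vty' block that sets a privilege level."""
    levels, current = {}, None
    for line in config.splitlines():
        if line.startswith("line vty"):
            current = line[len("line "):]
        elif line and not line.startswith(" "):
            current = None  # any other top-level command ends the line block
        elif current:
            m = re.match(r"\s+privilege level (\d+)", line)
            if m:
                levels[current] = int(m.group(1))
    return levels


def audit_readonly(config, username):
    """Return findings that would make 'username' more than read-only; [] means clean."""
    m = re.search(rf"^username {re.escape(username)} privilege (\d+)", config, re.M)
    if not m:
        return [f"user {username} not found"]
    level, findings = int(m.group(1)), []
    # A command moved to a level at or below the user's level becomes runnable by that user.
    for mode, lvl, cmd in re.findall(r"^privilege (\S+) level (\d+) (.+)$", config, re.M):
        if int(lvl) <= level and (mode != "exec" or not cmd.startswith("show")):
            findings.append(f"{mode}-mode command '{cmd}' reachable at level {lvl}")
    for vty, vlevel in parse_vty_levels(config).items():
        if vlevel > level:
            findings.append(f"{vty} sets privilege level {vlevel}, overriding user level {level}")
    if "aaa authorization exec default local" not in config:
        findings.append("aaa authorization exec default local missing; user level not applied")
    return findings
```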
