Friday, March 9, 2012

How to create a read only user in Cisco devices



Here is the thing: can you believe there is no straightforward way to configure a read-only user on Cisco devices? If you know a way to do it, please correct me here.

Scenario: my manager asked me to create a read-only user on 90 networking devices (routers, switches, load balancers, firewalls) for a company in transition. We have two environments, and the two are configured differently. Again, for security reasons I can't give more details.

Initial planning: the first thing that came to mind was Kiwi CatTools, running a batch update against all the devices. Before actually building the implementation I tried the commands on a DR switch. After spending a few hours on the commands I figured out there is no built-in way to create a read-only user.

By default, there are three command levels on the router:

■privilege level 0 — Includes the disable, enable, exit, help, and logout commands.

■privilege level 1 — Normal level on Telnet; includes all user-level commands at the router> prompt.

■privilege level 15 — Includes all enable-level commands at the router# prompt.

With privilege level 0 or 1 the user cannot run show commands such as show run or show config, and with privilege level 15 the user becomes a power user. So my research continued… The link below helped me a lot and saved research time. The official CCNA Security book, page 123 (AAA configuration), also helped me understand how these privilege levels and AAA work on Cisco devices.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml

My solution: there are two things you can do to overcome this problem.

a) Create a new user with a custom privilege level and specify each command this user can run [this is not really what I was looking for]. With this approach, when the user does a show run it shows only the items/sections that he can modify at his level.

username john privilege 9 password cisco
privilege exec level 8 configure terminal
privilege configure level 8 interface

Log in as the user just created (in my case "john") and do a show run. Note that configure terminal is an EXEC-mode command, so it is moved to level 8 with privilege exec; interface is a configure-mode command, so it uses privilege configure.

b) Create a new user with a custom privilege level and allow the show configuration command for this user. This way the user can run show configuration, whose output is very similar to show running-config.

username john privilege 9 password cisco
privilege exec level 7 show configuration

Log in as the user just created (in my case "john") and do a show config.

For both methods you need to enable AAA on each device. If you don't understand the AAA model, please read about it in the Cisco knowledge base.

aaa new-model
aaa authentication login default local
aaa authorization exec default local


Note: you cannot add show running-config in this manner. [Don't ask me why]

Note: if you have specified a privilege level on the vty lines, it overrides whatever level you set on the username. The following vty block, for example, puts every user who logs in through those lines at level 15 regardless of the username command:

line vty 0 3
privilege level 15
login authentication Company-RLogin


Additional note: to be prompted for a username on all Cisco devices you need to configure it explicitly on the lines. You can do that either with login local or by referencing an AAA authentication method list, as in the login authentication example above.

line vty 0 3
login local
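Before pushing this to 90 devices it is worth checking each pulled config for the three things the post calls out: the AAA lines, a vty privilege level that overrides the username, and a vty line with no login command at all. The following is an added Python example, not code from the original post and not a Cisco tool; the sample config is constructed and the audit rules are my own reading of the notes above.

```python
import re
# Constructed sample config (not from the post): vty 0 3 forces level 15, as the post warns.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username john privilege 9 password cisco
privilege exec level 7 show configuration
line vty 0 3
 privilege level 15
 login authentication Company-RLogin
line vty 4 15
 login local
"""
REQUIRED_AAA = ("aaa new-model", "aaa authentication login default local",
                "aaa authorization exec default local")

def parse_config(text):
    users, vty, aaa, block = {}, [], set(), None
    for line in text.splitlines():
        if not line.startswith(" "):          # top-level command; ends any vty block
            block = None
            m = re.match(r"username (\S+) privilege (\d+)", line)
            if m:
                users[m.group(1)] = int(m.group(2))
            elif line.startswith("aaa "):
                aaa.add(line.strip())
            elif line.startswith("line vty"):
                block = {"name": line, "privilege": None, "login": None}
                vty.append(block)
        elif block is not None:               # indented sub-command of the current vty block
            sub = line.strip()
            if sub.startswith("privilege level"):
                block["privilege"] = int(sub.split()[-1])
            elif sub.startswith("login"):
                block["login"] = sub
    return users, vty, aaa

def audit(text):
    """Return findings that would defeat the restricted user on this device."""
    users, vty, aaa = parse_config(text)
    findings = [f"missing: {cmd}" for cmd in REQUIRED_AAA if cmd not in aaa]
    for b in vty:
        if b["login"] is None:
            findings.append(f"{b['name']}: no login command, so no username prompt")
        if b["privilege"] is not None:
            for user, level in users.items():
                if b["privilege"] != level:
                    findings.append(f"{b['name']}: forces level {b['privilege']} on {user} (username has {level})")
    return findings
```

Run audit() over each device's saved running-config; an empty list means the username privilege level will actually be what the user gets on every vty line.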
