Sometimes you will have vendors or junior network administrators needing access to your network equipment. Giving them the keys to the kingdom is not the best decision. Additionally, you’ll need to change the password after the vendor is finished, or you may forget to remove that vendor’s full-access account from your router. A safer method is to create a read-only account. This is done using the privilege levels built into Cisco IOS.
With this method you are using the local user database of the router or switch to create the read-only account. The ideal way to grant permissions is TACACS+, but that is another discussion.
Create your user accounts
Cisco uses privilege levels to determine what a user account can access on the device. There are 16 privilege levels, but the system will have two already configured. The rest of the levels are for you to modify. Privilege level 15 is the highest level and is similar to a root user. Privilege level 1 is the lowest of the levels and basically can’t do anything.
Make sure you have an account with full permissions to the device. Then configure a new user for your read-only account. I will use privilege level 3 for the read-only account.
R1(config)#username admin privilege 15 secret Secret01
R1(config)#username readonly privilege 3 secret ReadOnly03
Of course, use much stronger passwords than the ones I have used above. This is just for lab purposes.
Enable Password Checking
Next, I will turn on password checking on the vty lines. When a user tries to SSH into my router, they will be prompted for a username and password. Those credentials are looked up in the local database and, if there is a match, the user is allowed into the router.
R1(config)#line vty 0 15
R1(config-line)#login local
With login local configured for my vty lines, I will attempt to SSH into R1 from R2 using my readonly account.
R2#ssh -l readonly 192.168.1.1
Password:
R1#conf t
   ^
% Invalid input detected at '^' marker.
I am able to SSH into R1, but because the account has privilege level 3, it cannot make any changes or even view the running config file. What we will configure next is which commands privilege level 3 users can issue on the CLI. Because this is a read-only account, I want to give the user only the ability to see the running config file.
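The steps above, collected into one configuration as an added example (this is not the original post's own configuration). The hostname, usernames, level number and lab passwords are the same assumptions used in the post; the `transport input ssh`, `privilege exec`, `file privilege` and `show privilege` lines go beyond what the post shows: `privilege exec level 3 show running-config` is the IOS command that moves a command down to a lower level, and `file privilege 3` is added because at a level below 15 `show running-config` only prints the lines that level is allowed to configure, so without it the read-only user sees an almost empty file.

```cisco
! Added example, not from the original post. Names and passwords are lab assumptions.
!
! 1. A full-access admin account and the restricted account at level 3.
!    "secret" stores a hash; "password" would store the reversible type 7 encoding.
username admin privilege 15 secret Secret01
username readonly privilege 3 secret ReadOnly03
!
! 2. Authenticate vty sessions against the local database and accept SSH only.
line vty 0 15
 login local
 transport input ssh
!
! 3. Make "show running-config" available at level 3. On its own the command
!    shows only the lines level 3 may configure, so also lower the file privilege
!    level so the read-only user can read the whole running configuration.
privilege exec level 3 show running-config
file privilege 3
!
! 4. Check from the restricted session: "show privilege" reports the session's level,
!    and any configuration command is still rejected at level 3.
!    R1#show privilege
!    Current privilege level is 3
```

After applying this, log in as the readonly user again and confirm that `show running-config` works while `configure terminal` is still rejected; keep `file privilege` at the lowest level you actually need, since it also governs which levels can read other files on the device.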