Sometimes vendors or junior network administrators need access to your network equipment. Giving them the keys to the kingdom is not the best decision: you will need to change the password after the vendor is finished, or you may simply forget to remove that vendor's full-access account from your router. A safer method is to create a read-only account. This is done using the privilege levels built into Cisco IOS.
With this method you use the local database of the router/switch to create a read-only user account. The ideal way to grant permissions is TACACS+, but that is another discussion.
Create your user accounts
Cisco IOS uses privilege levels to determine what a user account can access on the device. There are 16 privilege levels, but the system has two already configured; the rest of the levels are for you to modify. Privilege level 15 is the highest level and is similar to a root user. Privilege level 1 is the lowest of the levels and basically can't do anything.
Make sure you have an account with full permissions to the device. Then configure a new user for your read-only account. I will use privilege level 3 for the read-only account.
R1(config)#username admin privilege 15 secret Secret01
R1(config)#username readonly privilege 3 secret ReadOnly03
Of course, use much stronger passwords than the ones I have used above. This is just for lab purposes.
Enable Password Checking
Next, I will turn on password checking on the vty lines. When a user tries to SSH into my router, they will be prompted for a username and password. Those credentials are looked up in the local database and, if there is a match, the user is allowed into the router.
R1(config)#line vty 0 15
R1(config-line)#login local
With login local configured on my vty lines, I will attempt to SSH into R1 from R2 using my readonly account.
R2#ssh -l readonly 192.168.1.1
Password:
R1#conf t
    ^
% Invalid input detected at '^' marker.
I am able to SSH into R1, but because I have assigned privilege level 3 to the account, it can't really perform any changes or even view the running config. What we will configure next are the commands that privilege level 3 users can issue on the CLI. Because this is going to be a read-only account, I want to give the user permission only to see the running config.
Configure Privilege Level 3 Commands
To grant read-only access to the running config, enter global configuration mode and issue the following privilege commands:
R1(config)#privilege exec all level 3 show running-config
R1(config)#end
R1#wr
Verify Read Only
Now we log in to R1 again. The command we need to run to view the running-config is show running-config view full. If you test any other command, you will notice the CLI says it is invalid input.
R2#ssh -l readonly 192.168.1.1
Password:
R1#
R1#sh running-config view full
Building configuration...

Current configuration : 1428 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
ip cef
no ip domain lookup
!
!
username admin privilege 15 secret 5 $1$76xB$ohfJo9PV9FvooU/mc6Z1N1
username readonly privilege 3 secret 5 $1$jInF$3GGRHULVH3Wuo1wOqpTvs1
!
!
ip tcp synwait-time 5
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface GigabitEthernet2/0
 ip address 192.168.1.1 255.255.255.0
 negotiation auto
!
!
no ip http server
no ip http secure-server
!
!
no cdp log mismatch duplex
!
control-plane
!
gatekeeper
 shutdown
!
privilege exec all level 3 show running-config
privilege exec level 3 show
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login local
line vty 5 15
 login local
!
!
end
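As an added example (not part of the original post), here is a small Python audit that reads a saved running-config like the one above and flags the things this setup is meant to prevent: extra accounts at privilege 15, custom levels that were never granted any commands, and vty lines that do not use login local. The sample config, the placeholder hashes and the list of approved admin accounts are constructed assumptions.

```python
import re

# Constructed sample in the style of the running-config above (hashes are placeholders)
SAMPLE_CONFIG = """\
username admin privilege 15 secret 5 $1$PLACEHOLDER
username readonly privilege 3 secret 5 $1$PLACEHOLDER
username vendor privilege 15 secret 5 $1$PLACEHOLDER
privilege exec all level 3 show running-config
line con 0
 privilege level 15
line vty 0 4
 login local
line vty 5 15
 login
"""

USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))?")
PRIV_RE = re.compile(r"^privilege exec (?:all )?level (\d+) (.+)$")
LINE_RE = re.compile(r"^line (.+)$")

def parse_config(text):
    """Extract users {name: level}, grants {level: [cmd]} and line blocks {range: {sub-cmds}}."""
    users, grants, lines, current = {}, {}, {}, None
    for raw in text.splitlines():
        if m := USER_RE.match(raw):
            users[m.group(1)] = int(m.group(2) or 1)  # IOS defaults to level 1 when omitted
        elif m := PRIV_RE.match(raw):
            grants.setdefault(int(m.group(1)), []).append(m.group(2))
        elif m := LINE_RE.match(raw):
            lines[(current := m.group(1))] = set()
        elif raw.startswith(" ") and current:
            lines[current].add(raw.strip())  # indented sub-command of the current line block
        else:
            current = None  # any other top-level command ends the line block
    return users, grants, lines

def audit(text, approved_admins=("admin",)):
    """Return human-readable findings; approved_admins is the assumed list of level-15 owners."""
    users, grants, lines = parse_config(text)
    findings = []
    for name, level in users.items():
        if level == 15 and name not in approved_admins:
            findings.append(f"account '{name}' has privilege 15 but is not an approved admin")
        elif 1 < level < 15 and level not in grants:
            findings.append(f"account '{name}' is at level {level} but no commands are granted to it")
    for rng, subs in lines.items():
        if rng.startswith("vty") and "login local" not in subs:
            findings.append(f"line {rng} does not use 'login local'")
    return findings
```

Run audit() over the text of show running-config view full; on the sample it reports the vendor account and the vty 5 15 block. Note that the full view also exposes the username hashes in the config, so the read-only account sees everything an administrator would, just without the ability to change it.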
Do you have any questions? Let me know in the comments below.