Creating a Read Only User on Switch

farzel
Level 1

I've been trying to create a local read-only user named user1 on the switch. It will connect via SSH, and my own user connects through a RADIUS server. Users who connect via the RADIUS server have privilege level 15, and the new local user has level 3. When I test the connection of user1 (level 3), the "show privilege" command prints that its privilege level is 15. So it can act the same as my own user. I've attached the config below; I did some line configuration, but it still didn't work. I'd appreciate it if you could help.

CISCO is for the RADIUS users, who are admins.

user0 is a local user which needs to remain at level 15.

user1 is the one I've been trying to make level 3, but its level stays at 15.

 

aaa authentication login CISCO local group radius
username user0 privilege 15 secret 5 $1$iCSm$X6pDfr6bC7qhLGl5aY2Z.0
username user1 privilege 3 secret 5 $1$x4NK$mBS4UQFZGDzuL0Pl9gJRm.
!
radius-server host x.x.x.x
radius-server key the_key
!
aaa new-model
aaa session-id common
!
line vty 0 4
 privilege level 15
 login authentication CISCO
 transport input ssh
 escape-character 3
line vty 5 15
 password 7 01100F175804
 transport input ssh

M02@rt37
VIP

Hello @farzel 

The privilege level 15 setting should be removed from the line vty configuration. This will allow the user's privilege level to be determined by their account settings or the AAA method.

line vty 0 4
no privilege level 15
login authentication CISCO
transport input ssh
escape-character 3

line vty 5 15
no privilege level 15
login authentication CISCO
transport input ssh

If the RADIUS server sends a privilege-level attribute that overrides the local or default configuration, you might need to adjust it to avoid conflicts. 

Best regards
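Added example (the editor's illustration of the change suggested above, not configuration from M02@rt37 or from the original poster's switch): the same fix written out as a complete vty and AAA configuration, with exec authorization added. Under aaa new-model the privilege value on a username command is applied only when exec authorization is configured; without it, and with privilege level 15 on the line, every session on vty 0 4 comes up at level 15 whatever the account, which is exactly the symptom in the question. The method-list name CISCO, the usernames and the radius-server lines are taken from the thread; the secrets are placeholders. The ordering group radius local in the authorization list is the usual pairing and is an assumption to confirm on the platform in use, since it relies on locally authenticated users falling through to the local method.

```text
! Added example, not from the thread. Placeholder secrets; replace before use.
aaa new-model
aaa authentication login CISCO local group radius
! Without exec authorization, IOS ignores the privilege level on the username
! command and the session lands at the line's privilege level (1 by default,
! 15 if the line says so).
aaa authorization exec CISCO group radius local
!
username user0 privilege 15 secret REPLACE_ME_0
username user1 privilege 3 secret REPLACE_ME_1
!
radius-server host x.x.x.x
radius-server key the_key
!
line vty 0 15
 ! no "privilege level 15" here: it would override every account's level
 login authentication CISCO
 authorization exec CISCO
 transport input ssh
 escape-character 3
!
! Expected after logging in as user1 over SSH (added check, not thread output):
! Switch>show privilege
! Current privilege level is 3
```

Verify from both kinds of account. With exec authorization in place, a RADIUS admin only receives level 15 if the server returns the Cisco vendor-specific attribute shell:priv-lvl=15 in the Access-Accept; otherwise that user lands at level 1 and must use enable. user1 should report level 3 and get "% Invalid input" on configure terminal. "debug aaa authorization" on the switch shows which method answered for each login.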

Hello,

Thanks for your response, unfortunately that didn't work. I still have the same results.

That didn't work? How can you control which line the SW will provide to the user?

Check the parser view solution.

MHM

Preston Chilcote
Cisco Employee

It is very uncommon to configure your authentication this way:

aaa authentication login CISCO local group radius

Almost every real-world deployment would do "aaa authentication login CISCO group radius local" so that the RADIUS server is consulted for authentication and user authentication can be centrally managed. Also, remember that when you have two or more items in your authentication list (first RADIUS, then local in my suggested configuration), the second item will only be used if the first is unavailable. I don't expect "local" to ever be unavailable, so I expect your RADIUS server is NEVER actually consulted for authentication.

So why not change the order and use your RADIUS server to manage the privilege level, as everyone else does? This makes for a centrally managed solution, and you don't have to manually configure a bunch of network devices.

Hello,

Thanks for your response; I tried your suggestion, but unfortunately it didn't work. When I change the config to "aaa authentication login CISCO group radius local", RADIUS works fine, but I'm not able to log in as a local user. It gives me access denied.

Yes, that is expected. The fallback to local users only happens if RADIUS is unreachable, not if authentication fails. You want to manage the users from your RADIUS server. The local accounts will only get used in an emergency, if RADIUS is down and you need to log in to devices.

 

I see; is there a way to use both at the same time? Like in my original configuration given in the post, I'm able to use both, but I cannot change the privilege level depending on the user. Theoretically, I want to use both RADIUS and local users at the same time without giving either priority, and change their privilege levels without affecting other users' privileges. Also, if I want to create a new user, either locally or via the server, I need them to be unrelated to each other priority- or privilege-wise. Is it possible?

Thanks for your response; I tried your suggestion, but unfortunately it didn't work. When I change the config to "aaa authentication login CISCO group radius local", RADIUS works fine, but I'm not able to log in as a local user. It gives me access denied.

This is how it is expected to work. If you want to try a local account, you can change the key on RADIUS to a different one and then try a local account as a fallback.

Are you looking at the order RADIUS and then the local account, not the other way around?

 

BB


What I need is to be able to use both regardless of their priority. The RADIUS server and local users need to be used without any priority dependencies. So I need to add a level 3 local user without affecting the workflow of the RADIUS server, and local users should be able to work if I need to log in as them. In the original post it was working that way, but I'm unable to change the privilege level of the local users. It always remains level 15, even though I created one as read-only. I hope I explained the problem clearly.

Julio Padilla
Level 1

You can also control (using RADIUS authentication as the primary authentication) what commands will be available, for example at privilege 7, on the device itself. Here's an example of what I did to accomplish this using Windows Server as a RADIUS server.

On the Cisco device, type these commands, for example:

(config)#privilege exec all level 7 show
(config)#privilege exec all level 7 debug
(config)#privilege exec all level 7 no

and the special command that will bind these commands to privilege level 7 is as follows:

(config)#file privilege 7

This command is for privilege level 7 to have access to the show running-config view full command.

 

 

Julio Padilla
Level 1

Hello Farzel, as per Preston's reply, you cannot have a local user and a RADIUS user work at the same time. The user you configured locally will only work when the RADIUS server is not reachable. Once you cannot reach the RADIUS server, it will fall back to the local user you created, so you are able to log in to the device. If you are using Windows Server, for example, for RADIUS authentication using AD, you can achieve the same results, giving access to commands using different privilege levels. The syntax I posted is a good example. Hope this helps.

Hello Julio, thanks for your reply, and I see how it works now. I'm new at Cisco and struggling a little bit here. I'd like you to check my latest reply to Preston. Is your syntax the way to do it, or is there any other solution I could try? I'm also open to any document suggestions that would help.

Hello Farzel. No worries, we all struggle at some point. To be fair, that's the way I used to grant certain command access to level 7, for example. I also used parser view, which you could also integrate with a Windows RADIUS server, and it also works with local users if the RADIUS server is down. Hope this helps.
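Added example (the editor's illustration of the parser view approach that MHM and Julio mention, not configuration from either of them): a role-based CLI view that exposes only show commands to user1, so the restriction no longer depends on the line's privilege level at all, and nothing that is not explicitly included (configure, write, copy, debug, clear) is reachable from the view. aaa new-model and an enable secret are prerequisites for creating views, and exec authorization against the local database is what attaches the view to the account at login. The view name and the secrets are placeholders. The default authorization list shown applies to every vty line that has no named list, which on this switch would also affect the RADIUS admins; whether the local method falls through for users that are not in the local database is platform behaviour to confirm, so on a mixed switch name the list and apply it only to the lines the local users land on.

```text
! Added example, not from the thread. Placeholder secrets; replace before use.
enable secret REPLACE_ME_ENABLE
aaa new-model
! Exec authorization against the local database is what applies the view
! (or the privilege level) configured on the username at login time.
aaa authorization exec default local
!
! Views are created from the root view; "enable view" prompts for the
! enable secret:
! Switch#enable view
! Switch#configure terminal
parser view READONLY
 secret REPLACE_ME_VIEW
 commands exec include all show
 commands exec include exit
 commands exec include logout
 ! Nothing else is reachable: the view exposes only what is included.
!
username user1 view READONLY secret REPLACE_ME_1
!
! Expected after logging in as user1 over SSH (added check, not thread output):
! Switch#show parser view
! Current view is 'READONLY'
```

From inside the view, configure terminal and the other excluded commands return "% Invalid input detected", and "show parser view all" (from the root view) lists every view defined on the box, which is a quick way to audit what read-only really means on a given switch.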

I agree with the others: using a centralized user management solution would be way better. However, if you still want to explore that path, then I think you can achieve it by splitting the VTY lines using the rotary feature. Basically, what I mean here is to dedicate specific ports for SSH into the device, so that the device then lands the user on a specific VTY line. Under that VTY line you can apply a different AAA method list where you only have local users defined, or local and then the RADIUS group. That will be totally separate from the other authentication flow, which will keep working as it is now.

In terms of a configuration example, you can try the following. First create a new AAA authentication method list, then create the SSH rotary ports, and then apply both the rotary and the new method list to any VTY line higher than 4, so you leave room for the RADIUS users to SSH into the switch and be landed on any VTY from 0 to 4. Finally, when you want to SSH into the device with a local user account, you have to use the ports you defined.

aaa authentication login LOCAL local group radius

ip ssh port 3022 rotary 1
ip ssh port 3023 rotary 2

line vty 5
 rotary 1
 login authentication LOCAL

line vty 6
 rotary 2
 login authentication LOCAL