02-21-2021 04:58 AM
Hi,
1- I need to create ssh user who can only see/read the config details of router/switch.
2- Also i do not want to share enable password with read-only user, is there any way to create separate enable password for that user too.
Thanks & Regards:
02-21-2021 06:46 AM
You can try below :
02-22-2021 03:04 AM
Hello Dear, I did that already, After login by new Read-only User, it asks for enable password(which i do not want to share with this new user too), but once i enter enable password, i am able to go into config mode and etc
02-22-2021 04:08 AM - edited 02-22-2021 04:09 AM
You can try below : ( also please provide device model and IOS Code)
enable password level 3 mypassword
still issue post the complete configuraiton - we may need to understand full config here.
02-22-2021 04:25 AM
I am not able to access with new level 3 enable password, and if i access by MY anable password, new-user is able to enter into the config mode, below is the config details.
02-GW#sh runn
Building configuration...
Current configuration : 8444 bytes
!
! Last configuration change at 15:19:45 EEST Mon Feb 22 2021 by cyber
version 15.3
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname 02-GW
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
enable secret level 3 5 $1$PqKQ$o09h2RqaJZ02kGOeTHLrC.
enable secret 5 $1$bt7y$E2cMC.v10Tn/6gnQki5Dw.
!
aaa new-model
!
!
aaa authentication login VTY-login local enable
!
!
!
!
!
aaa session-id common
clock timezone EEST 3 0
!
!
!
!
!
!
!
!
!
!
ip domain name abc
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
login block-for 65535 attempts 9 within 180
login quiet-mode access-class Strict-Access
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C887VA-K9 sn FCZ2046144P
license accept end user agreement
license boot module c800 level advipservices
!
!
archive
path scp://xyz
write-memory
time-period 1440
username superme privilege 15 secret 5 $1$soZ7$YUYVm5mH2cDYgWICoqzvM0
username cyber privilege 3 password 7 045812040A334F
!
!
!
!
!
controller VDSL 0
!
ip ftp username FTP-MAT
ip ftp password 7 12340403130C09167E7D767E636574
ip ssh source-interface Vlan210
ip ssh version 2
no ip ssh server authenticate user password
!
!
!
!
!
!
!
!
!
!
interface ATM0
no ip address
load-interval 30
atm vc-per-vp 64
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
pvc 0/35
pppoe-client dial-pool-number 1
!
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
switchport access vlan 210
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
switchport access vlan 300
no ip address
!
interface Vlan1
no ip address
!
interface Vlan210
ip address 172.16.2.2 255.255.255.252
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
!
interface Vlan300
ip address x.y.z.
ip access-group Blocking_Ports_(External) in
ip nat outside
ip virtual-reassembly in
!
router ospf 2
network 172.16.2.0 0.0.0.3 area 0.0.0.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip flow-export source Vlan210
ip flow-export version 9
ip flow-export destination 192.168.12.103 60102
!
ip dns server
ip nat inside source list 1 interface Vlan300 overload
ip nat inside source static tcp 192.168.102.100 544 xyz 554 extendable
ip nat inside source static tcp 192.168.102.100 8000 xyz 8000 extendable
ip nat inside source static tcp 172.16.2.1 54436 xyz 54436 extendable
ip route 0.0.0.0 0.0.0.0 xyz
!
ip access-list standard Strict-Access
permit 192.168.102.5 log
permit 10.12.100.0 0.0.0.255 log
deny any log
!
ip access-list extended Blocking_Ports_(External)
deny tcp any host 172.16.2.2 eq 139 log
deny tcp any host 172.16.2.2 eq telnet log
permit ip any any
ip access-list extended Deny_Outside_DNS_Requests
deny tcp any any eq domain log
deny udp any any eq domain log
permit ip any any
!
logging trap debugging
logging source-interface Vlan210
logging host 192.168.12.103
!
snmp-server group prtg-admin v3 priv
snmp-server group prtg-snmp-G v3 priv
snmp-server community MAT-com-1 RO
snmp-server host 192.168.12.103 version 3 priv prtg-admin
access-list 1 permit 192.168.102.0 0.0.0.255
access-list 1 permit 172.16.2.0 0.0.0.3
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
privilege exec level 3 show vlan-switch
privilege exec level 3 show vlans
privilege exec level 3 show startup-config
privilege exec level 3 show
banner motd ^CC
___ _ _ _ __ __
/ _ \ | \ | || | \ \ / /
| | | || \| || | \ V /
| |_| || |\ || |___ | |
\___/ |_| \_||_____||_|
_ _ _ _____ _ _ ___ ____ ___ _____ _____ ____
/ \ | | | ||_ _|| | | | / _ \ | _ \ |_ _||__ /| ____|| _ \
/ _ \ | | | | | | | |_| || | | || |_) | | | / / | _| | | | |
/ ___ \| |_| | | | | _ || |_| || _ < | | / /_ | |___ | |_| |
/_/ \_\\___/ |_| |_| |_| \___/ |_| \_\|___|/____||_____||____/
___ _____ ____ _____ _ _____ _____ ____ _ _ _
|_ _||_ _| / ___||_ _| / \ | ___|| ___| / ___| / \ | \ | |
| | | | \___ \ | | / _ \ | |_ | |_ | | / _ \ | \| |
| | | | ___) | | | / ___ \ | _| | _| | |___ / ___ \ | |\ |
|___| |_| |____/ |_|/_/ \_\|_| |_| \____|/_/ \_\|_| \_|
_ ____ ____ _____ ____ ____ _
/ \ / ___|/ ___|| ____|/ ___|/ ___| | |
/ _ \ | | | | | _| \___ \\___ \ | |
/ ___ \| |___| |___ | |___ ___) |___) ||_|
/_/ \_\\____|\____||_____||____/|____/ (_)
^C
!
line con 0
logging synchronous
login authentication VTY-login
no modem enable
line aux 0
line vty 0 4
access-class Strict-Access in
logging synchronous
login authentication VTY-login
transport input ssh
!
scheduler allocate 20000 1000
ntp source Vlan210
ntp server 192.168.105.200
!
end
02-GW#
02-22-2021 05:20 AM - edited 02-22-2021 05:21 AM
If you are using Local Login users below basic config - and add as suggested authorisation comands and test it - make sure ( do not write config - any point of time until you test all working as expected) - if not you need to get in to recovery password. - best is console based changes is suggested.
aaa new-model
aaa authentication login default local
username admin privilege 15 password mypassword
username readonly privilege 3 password mypassword
line vty 0 4
login authentication default
For more authorisation commands :
02-24-2021 06:59 AM
Still i am not getting output as expected, Once i login with read only user, it asks for enable password, and it does not accept the enable password which i created for level 3, it accept only admin enable password, after entering into enable mode, i can go to config mode etc, if i see "sh privilege" it shows "current user has privilege 15",, whereas i created that user with priv 3
02-24-2021 07:42 AM
as soon as you give enable password as Priv 15, you get most of it.
Try adding user with priv 5 and test it - let me replicate later today.
02-24-2021 11:16 PM
Hello Dear,
I created enable password for level 5 and level 3 and level 0, also i created different usenames for each level, but enable passwords are not working for level 5,3 or 0
02-26-2021 03:13 PM
15X IOs should work as expected. try here an example :
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide