Create Read only SSH User

asadgulzar90
Level 1

Hi,
1- I need to create an SSH user who can only see/read the config details of a router/switch.
2- Also I do not want to share the enable password with the read-only user; is there any way to create a separate enable password for that user too?

Thanks & Regards:

9 Replies

balaji.bandi
Hall of Fame

You can try below:

username bbandi privilege 3 password 0 mypassword
privilege exec level 3 show startup-config
privilege exec level 3 show VLAN

You can add every command you want to give to the user, as in the example above.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello Dear, I did that already. After login by the new read-only user, it asks for the enable password (which I do not want to share with this new user either), but once I enter the enable password, I am able to go into config mode, etc.

You can try below (also please provide the device model and IOS code):

enable password level 3 mypassword

If there is still an issue, post the complete configuration; we may need to understand the full config here.

BB


I am not able to access with the new level 3 enable password, and if I access with MY enable password, the new user is able to enter config mode. Below are the config details.

02-GW#sh runn
Building configuration...

Current configuration : 8444 bytes
!
! Last configuration change at 15:19:45 EEST Mon Feb 22 2021 by cyber
version 15.3
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname 02-GW
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
enable secret level 3 5 $1$PqKQ$o09h2RqaJZ02kGOeTHLrC.
enable secret 5 $1$bt7y$E2cMC.v10Tn/6gnQki5Dw.
!
aaa new-model
!
!
aaa authentication login VTY-login local enable
!
!
!
!
!
aaa session-id common
clock timezone EEST 3 0
!
!
!
!
!
!


!
!
!
!
ip domain name abc
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
login block-for 65535 attempts 9 within 180
login quiet-mode access-class Strict-Access
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C887VA-K9 sn FCZ2046144P
license accept end user agreement
license boot module c800 level advipservices
!
!
archive
path scp://xyz
write-memory
time-period 1440
username superme privilege 15 secret 5 $1$soZ7$YUYVm5mH2cDYgWICoqzvM0
username cyber privilege 3 password 7 045812040A334F
!
!
!
!
!
controller VDSL 0
!
ip ftp username FTP-MAT
ip ftp password 7 12340403130C09167E7D767E636574
ip ssh source-interface Vlan210
ip ssh version 2
no ip ssh server authenticate user password
!
!
!
!
!
!
!
!
!
!
interface ATM0
no ip address
load-interval 30
atm vc-per-vp 64
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
pvc 0/35
pppoe-client dial-pool-number 1
!
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
switchport access vlan 210
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
switchport access vlan 300
no ip address
!
interface Vlan1
no ip address
!
interface Vlan210
ip address 172.16.2.2 255.255.255.252
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
!
interface Vlan300
ip address x.y.z.
ip access-group Blocking_Ports_(External) in
ip nat outside
ip virtual-reassembly in
!
router ospf 2
network 172.16.2.0 0.0.0.3 area 0.0.0.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip flow-export source Vlan210
ip flow-export version 9
ip flow-export destination 192.168.12.103 60102
!
ip dns server
ip nat inside source list 1 interface Vlan300 overload
ip nat inside source static tcp 192.168.102.100 544 xyz 554 extendable
ip nat inside source static tcp 192.168.102.100 8000 xyz 8000 extendable
ip nat inside source static tcp 172.16.2.1 54436 xyz 54436 extendable
ip route 0.0.0.0 0.0.0.0 xyz
!
ip access-list standard Strict-Access
permit 192.168.102.5 log
permit 10.12.100.0 0.0.0.255 log
deny any log
!
ip access-list extended Blocking_Ports_(External)
deny tcp any host 172.16.2.2 eq 139 log
deny tcp any host 172.16.2.2 eq telnet log
permit ip any any
ip access-list extended Deny_Outside_DNS_Requests
deny tcp any any eq domain log
deny udp any any eq domain log
permit ip any any
!
logging trap debugging
logging source-interface Vlan210
logging host 192.168.12.103
!
snmp-server group prtg-admin v3 priv
snmp-server group prtg-snmp-G v3 priv
snmp-server community MAT-com-1 RO
snmp-server host 192.168.12.103 version 3 priv prtg-admin
access-list 1 permit 192.168.102.0 0.0.0.255
access-list 1 permit 172.16.2.0 0.0.0.3
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
privilege exec level 3 show vlan-switch
privilege exec level 3 show vlans
privilege exec level 3 show startup-config
privilege exec level 3 show
banner motd ^CC

___ _ _ _ __ __
/ _ \ | \ | || | \ \ / /
| | | || \| || | \ V /
| |_| || |\ || |___ | |
\___/ |_| \_||_____||_|

_ _ _ _____ _ _ ___ ____ ___ _____ _____ ____
/ \ | | | ||_ _|| | | | / _ \ | _ \ |_ _||__ /| ____|| _ \
/ _ \ | | | | | | | |_| || | | || |_) | | | / / | _| | | | |
/ ___ \| |_| | | | | _ || |_| || _ < | | / /_ | |___ | |_| |
/_/ \_\\___/ |_| |_| |_| \___/ |_| \_\|___|/____||_____||____/

___ _____ ____ _____ _ _____ _____ ____ _ _ _
|_ _||_ _| / ___||_ _| / \ | ___|| ___| / ___| / \ | \ | |
| | | | \___ \ | | / _ \ | |_ | |_ | | / _ \ | \| |
| | | | ___) | | | / ___ \ | _| | _| | |___ / ___ \ | |\ |
|___| |_| |____/ |_|/_/ \_\|_| |_| \____|/_/ \_\|_| \_|

_ ____ ____ _____ ____ ____ _
/ \ / ___|/ ___|| ____|/ ___|/ ___| | |
/ _ \ | | | | | _| \___ \\___ \ | |
/ ___ \| |___| |___ | |___ ___) |___) ||_|
/_/ \_\\____|\____||_____||____/|____/ (_)

 

^C
!
line con 0
logging synchronous
login authentication VTY-login
no modem enable
line aux 0
line vty 0 4
access-class Strict-Access in
logging synchronous
login authentication VTY-login
transport input ssh
!
scheduler allocate 20000 1000
ntp source Vlan210
ntp server 192.168.105.200

!
end

02-GW#

If you are using local login users, below is the basic config. Add the authorisation commands as suggested and test it. Make sure you do not write the config at any point until you have tested that everything works as expected; if not, you will need to do password recovery. Console-based changes are suggested as best.

aaa new-model
aaa authentication login default local
username admin privilege 15 password mypassword
username readonly privilege 3 password mypassword

line vty 0 4
login authentication default

For more authorisation commands:

http://www.dslreports.com/faq/9815

BB


asadgulzar90
Level 1

Still I am not getting the output as expected. Once I log in with the read-only user, it asks for the enable password, and it does not accept the enable password which I created for level 3; it accepts only the admin enable password. After entering enable mode, I can go to config mode, etc. If I do "sh privilege" it shows "current user has privilege 15", whereas I created that user with priv 3.

As soon as you give the enable password for priv 15, you get most of it.

Try adding a user with priv 5 and test it; let me replicate later today.

BB


asadgulzar90
Level 1

Hello Dear,
I created enable passwords for level 5, level 3 and level 0, and also created different usernames for each level, but the enable passwords are not working for level 5, 3 or 0.
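As an added example (not code from any poster in this thread), a small Python audit that parses the privilege-related lines of an IOS running-config like the one posted above and reports the two things that keep a privilege 3 user from behaving as one: with `aaa new-model`, the privilege level on the `username` line is only applied at login when `aaa authorization exec default local` is configured, and `enable` with no level argument requests level 15, so the level 3 secret is only consulted by `enable 3`. The embedded config, usernames and placeholder secrets are constructed for the example.

```python
import re

# Constructed sample modelled on the running-config posted in this thread;
# only privilege-related lines are kept and secrets are replaced by placeholders.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login VTY-login local enable
enable secret level 3 5 $1$PLACEHOLDER_LEVEL3
enable secret 5 $1$PLACEHOLDER_LEVEL15
username superme privilege 15 secret 5 $1$PLACEHOLDER_ADMIN
username cyber privilege 3 password 7 PLACEHOLDER_TYPE7
privilege exec level 3 show startup-config
privilege exec level 3 show vlan-switch
"""

def parse_config(text):
    # Collect the lines that decide what a locally authenticated SSH user can do.
    cfg = {"users": {}, "weak_pw": set(), "enable_levels": set(), "priv_cmds": {}, "aaa": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"username (\S+) privilege (\d+) (secret|password)", line):
            cfg["users"][m[1]] = int(m[2])
            if m[3] == "password":  # type 0/7 storage is recoverable, unlike 'secret'
                cfg["weak_pw"].add(m[1])
        elif m := re.match(r"enable (?:secret|password)(?: level (\d+))?", line):
            cfg["enable_levels"].add(int(m[1]) if m[1] else 15)  # no level means 15
        elif m := re.match(r"privilege exec level (\d+) (.+)", line):
            cfg["priv_cmds"].setdefault(int(m[1]), []).append(m[2])
        elif line.startswith("aaa "):
            cfg["aaa"].append(line)
    return cfg

def audit(cfg):
    # Explain why a user meant to be restricted still lands at level 1 or reaches 15.
    findings = []
    new_model = "aaa new-model" in cfg["aaa"]
    exec_authz = any(a.startswith("aaa authorization exec") for a in cfg["aaa"])
    for user, level in sorted(cfg["users"].items()):
        if user in cfg["weak_pw"]:
            findings.append(f"{user}: stored with 'password' (type 0/7); use 'secret'")
        if not 1 < level < 15:
            continue  # level 1 and 15 need no per-level plumbing
        if new_model and not exec_authz:
            findings.append(f"{user}: privilege {level} is not applied at login "
                            "without 'aaa authorization exec default local'")
        if level not in cfg["enable_levels"]:
            findings.append(f"{user}: no 'enable secret level {level}', so 'enable {level}' has no secret")
        if level not in cfg["priv_cmds"]:
            findings.append(f"{user}: no 'privilege exec level {level}' commands, level {level} adds nothing")
    return findings
```

Run `audit(parse_config(SAMPLE_CONFIG))` to see the findings for the sample; an empty list means the user should land at their configured level and `enable <level>` has a matching secret.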