
local aaa privileges

lkadlik
Level 1

I want to be able to set up read-only access to one of our Cisco routers while letting the other users still be able to get into enable and config mode.

My current config (without the read-only access user) is as follows:

aaa new-model
aaa authentication login default local-case
aaa authentication login NO_AUTHENT none
aaa authorization exec default local

username x password y

Thank you.

4 Replies

Jason Masker
Level 1

You can set a different privilege in the username command, so your view user could look like

username view privilege 1 secret

where view is the username.

Hi,

I tried that on a test router logging into the console port and I could not log in with a privilege level of 1. I could log in with a privilege level of 3. However, it let me make changes to the router in config mode. My goal is to allow the account to run show commands on the router and have read-only access.

Thoughts?

You would need to move the "show command" to level 3.

Use command "privilege exec level 6 show".

I hope it helps.

PK

If your IOS is greater than 12.3(7)T, then you could use role-based CLI.

Don't forget to rate helpful posts.
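
An added example, not posted by anyone in this thread: a sketch of the role-based CLI approach mentioned in the last reply, giving one account a show-only view while other users keep their normal access. The view name READONLY, the username viewer and the bracketed secrets are assumed placeholders.

```cisco
! Added example, not from the thread. Names and secrets are placeholders.
!
! Prerequisites: "aaa new-model" (already in the posted config) and an
! enable secret. Views can only be created from the root view, so from
! privileged EXEC first run:
!   Router# enable view
!
configure terminal
!
! Define a view that contains only show commands.
parser view READONLY
 secret <VIEW-SECRET>
 commands exec include all show
 exit
!
! Bind the read-only account to the view. The posted
! "aaa authorization exec default local" is what places the user
! into the view at login.
username viewer view READONLY secret <USER-SECRET>
!
end
!
! Check while logged in as viewer:
!   Router# show parser view
!   Router# configure terminal    <- should be rejected inside the view
```

By default IOS does not apply exec authorization to the console line (that requires `aaa authorization console`), so test the account over a vty session rather than the console port.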