9128 Views, 10 Helpful, 4 Replies

Cisco Switch (IOS) Read Only User

Hi,

As we know, privilege 15 is the highest privilege, with which a user may do everything on a switch.

I am using a Network Automation tool for policy compliance checking and only need to collect the configuration of the switch. So I need to create a user on the switch that may only view the configuration of the switch (SHOW RUN, SHOW STARTUP CONFIG, ETC.) but cannot make changes on the switch.

Can you guys share with me, step by step, how to configure the above privilege in order for me to meet my objective?

Appreciate it guys. Thank you.

-Ashraf-

4 Replies

For "SHOW RUN" you need a privilege 15 user.

The rest you can achieve by setting commands under different privilege modes.

Example:

privilege interface level 8 no shutdown
privilege configure level 7 terminal-queue
privilege configure level 7 default terminal-queue
privilege configure level 7 default interface
privilege configure level 0 default
privilege configure level 8 terminal
privilege configure level 8 interface
privilege exec level 5 hw-module
privilege exec level 5 ping

sharlino (Level 1)

Hello. You can use a parser view. http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html. Hope this helps.

Dear sharlino,

Thanks for sharing. May I know if you have previously used this configuration in any environment?

Can you share with me how you have done it?

Note: from the Cisco guide, I can see the parser view looks like it's for routers. I tried using Packet Tracer and I am not able to do it on a switch.

Thanks sharlino. :)

May I know if you have previously used this configuration in any environment?

Only in a test lab for personal learning.

Can you share with me how you have done it?

Please see below:

------------------------------------------------------------------

R1(config)#enable secret my-secret
R1(config)#aaa new-model
R1(config)#exit
R1#enable view
(password is my-secret)

R1#
*May 14 08:31:00.319: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
R1#

R1(config)#parser view SHOW-ALL
R1(config-view)#secret my-show-all-secret
R1(config-view)#commands exec include all show
R1(config-view)#exit
R1(config)#exit

R1(config)#username show-user view SHOW-ALL privilege 15 secret show-user-secret
R1(config)#end

! For testing purposes, ability to use the local database (running config) for users + shell
R1(config)#aaa authentication login default local
R1(config)#aaa authorization exec default local

! Here is IP-address of my lab router to which i will be connecting
R1#sh prot f0/0
FastEthernet0/0 is up, line protocol is up
  Internet address is 172.17.1.1/24

 
R1#tel 172.17.1.1
Trying 172.17.1.1 ... Open

(Login: show-user Password: show-user-secret )


Some verifications

R1#sh privilege
Currently in View Context with view 'SHOW-ALL'

R1#conf t
   ^
% Invalid input detected at '^' marker.

R1#?
Exec commands:
  <1-99>  Session number to resume
  enable  Turn on privileged commands
  exit    Exit from the EXEC
  show    Show running system information

------------------------------------------------------------------

Please note that when logged in to a view you have to issue "show running-config view full" instead of "show running-config" to see the current running config. Also, if you have a number of devices, my advice would be to use an AAA server to accomplish your task. The configuration below was tested in a lab with ADVIPSERVICESK9-M, 12.2(33)SRE, RELEASE SOFTWARE (fc1).

Note: from the Cisco guide, I can see the parser view looks like it's for routers. I tried using Packet Tracer and I am not able to do it on a switch.

I have not tested this on switches; maybe it depends on the switch model and/or software version, but in this thread people are talking about parser views on Catalyst 3750: https://learningnetwork.cisco.com/thread/55316

Good luck!
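A defender-side check that follows from this thread, added here as an example and not part of any reply: the automation tool the original poster mentions already collects the running-config, so it can also audit that config to confirm the collection account is bound to a parser view that grants only "show" commands, and to flag accounts that hold full privilege 15 with no view. The script below is example code (not from Cisco and not from anyone in this thread); the running-config excerpt, the view and user names, and the placeholder secrets are all constructed for illustration, and its two audit rules are assumptions: a view is treated as read-only only if every command it includes is an exec-mode "show" command, and a user bound to a view is treated as restricted by that view regardless of the "privilege 15" on the username line, which is what the transcript above shows for show-user.

```python
import re
from typing import Dict, List

# Constructed running-config excerpt (not from the thread). Secrets are placeholders.
SAMPLE_CONFIG = """\
!
parser view SHOW-ALL
 secret 5 $1$PLACEHOLDER
 commands exec include all show
!
parser view HELPDESK
 secret 5 $1$PLACEHOLDER
 commands exec include all show
 commands exec include configure terminal
 commands configure include all interface
!
username show-user view SHOW-ALL privilege 15 secret 5 $1$PLACEHOLDER
username helpdesk view HELPDESK privilege 15 secret 5 $1$PLACEHOLDER
username netadmin privilege 15 secret 5 $1$PLACEHOLDER
username orphan view MISSING privilege 15 secret 5 $1$PLACEHOLDER
!
"""

# Assumption: these are the only exec command roots a "read-only" view may include.
READ_ONLY_ROOTS = {"show"}


def parse_views(config: str) -> Dict[str, List[List[str]]]:
    """Return {view name: [tokenised 'commands ...' lines]} from a running-config."""
    views: Dict[str, List[List[str]]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("parser view "):
            current = line.split()[2]
            views[current] = []
        elif line.startswith("!") or not line.startswith(" "):
            current = None  # left the parser-view block
        elif current is not None and line.strip().startswith("commands "):
            views[current].append(line.split())
    return views


def parse_users(config: str) -> Dict[str, dict]:
    """Return {username: {"view": name or None, "privilege": int}} (privilege defaults to 1)."""
    users: Dict[str, dict] = {}
    for line in config.splitlines():
        if not line.startswith("username "):
            continue
        tokens = line.split()
        view = tokens[tokens.index("view") + 1] if "view" in tokens else None
        priv = int(tokens[tokens.index("privilege") + 1]) if "privilege" in tokens else 1
        users[tokens[1]] = {"view": view, "privilege": priv}
    return users


def view_findings(name: str, cmd_lines: List[List[str]]) -> List[str]:
    """Explain why a view is not read-only; an empty list means it only grants show commands."""
    findings = []
    for tokens in cmd_lines:
        # tokens: ['commands', <mode>, <include|include-exclusive|exclude>, ['all'], <command words>]
        mode, action, rest = tokens[1], tokens[2], tokens[3:]
        if rest and rest[0] == "all":
            rest = rest[1:]
        if action == "exclude":
            continue  # exclusions narrow the view, they never grant anything
        if mode != "exec":
            findings.append(f"view {name}: grants commands in '{mode}' mode: {' '.join(tokens)}")
        elif not rest or rest[0] not in READ_ONLY_ROOTS:
            findings.append(f"view {name}: grants non-show exec command: {' '.join(tokens)}")
    return findings


def audit(config: str) -> List[str]:
    """Audit views and local users; returns a list of human-readable findings."""
    views = parse_views(config)
    users = parse_users(config)
    findings: List[str] = []
    for name, cmd_lines in views.items():
        findings.extend(view_findings(name, cmd_lines))
    for user, info in users.items():
        if info["view"] is None:
            if info["privilege"] >= 15:
                findings.append(f"user {user}: full privilege 15 access, not bound to any view")
        elif info["view"] not in views:
            findings.append(f"user {user}: bound to undefined view {info['view']}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample, SHOW-ALL passes, HELPDESK is flagged twice (it includes "configure terminal" and a configure-mode command), netadmin is flagged as an unrestricted privilege 15 account, and orphan is flagged for referencing a view that does not exist. Two caveats the check cannot see from the config alone: the collection account still needs "show running-config view full" to get the whole config, as noted above, and the "enable" command remains available inside a view (the "R1#?" output above lists it), so the enable secret must stay out of the automation tool's hands or the view boundary means little.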
