Login: Read Only

colmgrier
Level 1

Customer requires read only login access. This read only account should be able to run all 'show' commands on a catalyst 3560 switch

10 Replies

JORGE RODRIGUEZ
Level 10

Colm,

I do not have the list handy for all the privilege level 0-15 specification, perhaps someone could provide that link.

I do know however that using privilege level 5 will only give the user the ability to issue and its subcommands except for show running-config or show startup-config , all other show subcommands can be issued.

You can use for that priv level 5

username privilege 5 password
line vty 0 4
login local
line vty 5 15
login local

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_50_se/configuration/guide/swauthen.html#wp1154063

Regards

Jorge Rodriguez

johnlloyd_13
Level 9

You can implement this using Cisco's IOS role-based CLI, either with AAA or the parser view command.

http://www.cisco.com/en/US/products/sw/secursw/ps5318/products_configuration_example09186a0080993ff0.shtml

The only two levels defined by default are:

Level 0: User exec mode

Level 15: Privileged Exec (enable) mode

Levels 1-14 are UNDEFINED, by default. You have to manually define commands for each of these levels.

Please note you will have issues with commands like show running-config, because the commands shown in the config might be blocked by privilege level.

If you had an ACS server, you could give that user level 15 access then RESTRICT the commands they are able to use to the subset you require.

Here are some helpful links:

http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfpass.html

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftprienh.html

Making show running-config a separate level 15 command was just STUPID Cisco. WTF were you thinking? You already created all these privilege levels so why not just let us assign what we want at the privilege we set? Dumb Asses. So how do I give our PCI auditors READ ONLY access to see the running config?

Do your PCI auditors need to see the running config? Or would the start-up config be sufficient? If so you can just do:

username test privilege 3 password 0 test
privilege exec level 3 show startup-config

Then "show startup" should give them what they need.

I believe "show run" is more of a configuration (verification) command, while "show start" is more for the read-only user.
Hope this helps.

This does not work

Typically, a parser view or CLI role based configuration would be used.

What are you after ?

Here is a sample config for a parser view that would include all 'show' commands:

aaa new-model
!
aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local
!
username HELPDESK view READ_ONLY secret 5 $1$/dM0$UdkfJLS9nJtUVNrf.o9dr1
!
parser view HELPDESK
secret 5 $1$Ih.f$BXcbZmeoB3sBUBdyD6oN0.
commands exec include show startup-config
commands exec include all show
!
line vty 0 4
transport input all
login authentication default

Cathal Mooney
Level 1

This is what we use on similar IOS and Catalyst devices to allow rancid to pull config:

username readonly privilege 4 secret BLAH
privilege exec level 4 dir all-filesystems
privilege exec level 4 dir
privilege exec level 4 more
privilege exec level 4 write terminal
privilege exec level 4 write
privilege exec level 4 show inventory raw
privilege exec level 4 show inventory
privilege exec level 4 show vlan
privilege exec level 4 show vtp status
privilege exec level 4 show vtp
privilege exec level 4 show idprom
privilege exec level 4 show env all
privilege exec level 4 show env
privilege exec level 4 show boot
privilege exec level 4 show version
privilege exec level 4 show debugging
privilege exec level 4 show controllers
privilege exec level 4 show running-config
privilege exec level 4 show

You need to specify the entire command the user can run. For instance you can't just allow "show" to enable all show commands; it has to be the entire command. Seems stupid.

This works for us with RADIUS too; we return the priv level from RADIUS.

Unfortunately this approach has stopped working on some of our IOS-XE devices since we upgraded to IOS 16.6 Everest, and I haven't been able to find a way around it. Same for NX-OS; can't find a way to do it.

It seems odd to me that there isn't a read-only user option.  I understand the config is delicate, but there are numerous cases where you might want to allow someone on to view the config and show things, but not modify configuration.

support
Level 1

I ran into this problem recently, since for PCI reasons we have to read / track any changes to the switch configs via a read-only account. We recently updated a couple of our switches to IOS-XE 16.x and hit this problem, and this seems to be the top Google result.

The answer seems to be parser views.

First, set up a parser view via an elevated level 15 account:

config term
parser view MonitorView
secret test1234
commands exec include show startup-config
commands exec include all show
commands exec include terminal length 0

Next, when logging on as a lower-privilege user, run the following to switch to the view:

enable view MonitorView

It'll now ask for a password. This might be the secret mentioned above, but if you have RADIUS enabled then it's more likely to be the RADIUS password you logged on with. The following should then work:

terminal length 0
show startup-config
show running-config view full
show version
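Added example, not from any poster in this thread: a small Python audit that parses the two approaches shown above (parser view blocks and privilege exec level lines) out of an IOS config dump and flags any granted command whose first keyword falls outside a read-only allow-list, plus any username carrying privilege 15. The allow-list, the sample config and the placeholder secret are this example's own assumptions, not IOS behaviour.

```python
"""Audit an IOS config dump for read-only CLI access (added example, not from the thread)."""
import re

READ_ONLY = {"show", "terminal", "dir", "more"}  # exec keywords treated as read-only (assumption)

# Constructed sample modelled on the thread's configs, plus one deliberately risky view.
SAMPLE_CONFIG = """\
username admin privilege 15 secret PLACEHOLDER
parser view MonitorView
 secret test1234
 commands exec include show startup-config
 commands exec include all show
 commands exec include terminal length 0
!
parser view OPS
 commands exec include all show
 commands exec include configure terminal
!
privilege exec level 4 show running-config
privilege exec level 4 write terminal
"""

def parse_views(config):
    """Map each parser view name to the commands its 'commands exec include' lines grant."""
    views, current = {}, None
    for line in (l.strip() for l in config.splitlines()):
        m = re.match(r"parser view (\S+)", line)
        if m:
            current, views[m.group(1)] = m.group(1), []
        elif line == "!":
            current = None  # '!' closes the view block
        elif current and line.startswith("commands exec include"):
            # drop the optional 'all' so 'include all show' is recorded as 'show'
            views[current].append(re.sub(r"^commands exec include (all )?", "", line))
    return views

def parse_levels(config):
    """Map each privilege level to the commands granted by 'privilege exec level N ...'."""
    levels = {}
    for m in re.finditer(r"^privilege exec level (\d+) (.+)$", config, re.M):
        levels.setdefault(int(m.group(1)), []).append(m.group(2).strip())
    return levels

def audit(config):
    """Return findings: commands outside READ_ONLY granted to a view or level, and level-15 users."""
    findings = []
    for view, cmds in parse_views(config).items():
        findings += [f"view {view}: {c}" for c in cmds if c.split()[0] not in READ_ONLY]
    for level, cmds in parse_levels(config).items():
        findings += [f"level {level}: {c}" for c in cmds if c.split()[0] not in READ_ONLY]
    findings += [f"user {u}: privilege 15" for u in re.findall(r"^username (\S+) privilege 15", config, re.M)]
    return findings
```

Run `audit(SAMPLE_CONFIG)` against a dump pulled with the read-only account itself; an empty list means every granted command starts with an allow-listed keyword.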