Mailing List Archive

IOS topic: How to create a read-only user?
Hey there,

I log in to my cisco devices with SSH keys, but I don't think that matters
for the purposes of this.

I'd like to create a "rancid" user for my (cisco, primarily IOS classic)
devices which has full privileges to do things like "show run", but that
has no ability to change the configs.

I know this is possible to do as part of Tacplus, but as I only have three
or four devices, spinning up tacplus seems more complicated than need be.
(This is why I mentioned ssh, just in case -- all my users have local
privilege levels in the config).

I'm sure this has been asked before, but my google-fu is failing me here.

Bonus points if you know this for things like IOS-XR/XE or Junos.

--

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
FB: fb.com/DanielMahoneyIV
LI: linkedin.com/in/gushi
Site: http://www.gushi.org
---------------------------

_______________________________________________
Rancid-discuss mailing list
Rancid-discuss@shrubbery.net
http://www.shrubbery.net/mailman/listinfo/rancid-discuss
Re: IOS topic: How to create a read-only user?
I was about to say "We use TAC+", but since that's not what you're after...
Your best bet would be parser views to do this. It'll give you the best control at the user level, without messing around with privilege levels.
They're a bit of a PITA to set up, though.

https://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html

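An added example of the parser-view approach the reply above points at; this is constructed configuration, not from the thread or from Cisco's documentation. The view name, the placeholder secrets and the set of included commands are my assumptions, chosen to cover what a RANCID collector normally runs; the `show running-config view full` line rests on the assumption, noted in the comments, that inside a CLI view the plain `show running-config` shows only the parts of the configuration the view may itself configure. The poster's SSH-key login is not shown; the account here uses a password.

```cisco
! Constructed example: read-only CLI view for a RANCID collector account.
! Role-based CLI views need AAA; "aaa authorization exec default local"
! is what makes IOS attach the view set on the local username at login.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
enable secret CHANGE-ME-ENABLE-SECRET
!
! "parser view" can only be configured from the root view: at the exec
! prompt run "enable view" (it asks for the enable secret), then
! "configure terminal".
parser view RANCID-RO
 secret CHANGE-ME-VIEW-SECRET
 ! "include" permits exactly these commands and nothing else; in particular
 ! "configure terminal" is not in the view, so the account cannot reach
 ! config mode at all.
 commands exec include show parser view
 commands exec include show version
 commands exec include show startup-config
 commands exec include show running-config
 ! Assumption: inside a view the plain "show running-config" is filtered to
 ! the commands the view may configure, so the complete text needs the
 ! "view full" keyword. Check this on your own release before trusting
 ! the RANCID diffs.
 commands exec include show running-config view full
 ! RANCID's login script sends "terminal length 0" and "terminal width";
 ! "all" permits every command that starts with "terminal".
 commands exec include all terminal
!
! Local account bound to the view (assumed name "rancid").
username rancid view RANCID-RO secret CHANGE-ME-USER-SECRET
!
! Checks, run from the RANCID account's own SSH session:
!   show parser view      -> reports the current view as RANCID-RO
!   configure terminal    -> rejected as an unrecognised command
!   show running-config view full -> should match a level-15 "show run"
```

Two things worth doing after applying this. First, compare the `show running-config view full` output from the rancid session against a full-privilege `show run` on the same box: if the view filters the output, RANCID will happily commit a near-empty configuration and the diff e-mails will look like the device was wiped. Second, remember that read-only still means the account can read everything the configuration contains (type 7 passwords, SNMP communities, key strings), so the RANCID host and its repository deserve the same protection as a device login.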
Re: IOS topic: How to create a read-only user?
Wed, Nov 21, 2018 at 01:14:28PM -0800, Dan Mahoney (Gushi):
> I'd like to create a "rancid" user for my (cisco, primarily IOS classic)
> devices which has full privileges to do things like "show run", but that
> has no ability to change the configs.
>
> I know this is possible to do as part of Tacplus, but as I only have three
> or four devices, spinning up tacplus seems more complicated than need be.
> (This is why I mentioned ssh, just in case -- all my users have local
> privilege levels in the config).
>
> I'm sure this has been asked before, but my google-fu is failing me here.
>
> Bonus points if you know this for things like IOS-XR/XE or Junos.

in classic or xe, afaik, the only way is tacacs command authorization.
they require level 15 to read the config - so.... though newer xe
appears to have xr-like roles.

for nx or xr, tacacs author or i _think_ it's possible to create roles
or taskgroups (depending which you're smoking) particular to the perms
that you want.

that should be enough to seed your google foo.

Re: IOS topic: How to create a read-only user?
Unfortunately the only thing available to you in IOS classic is privlevels and parser views. I just tried IOS XE 16.6, and parser views are there; privlevel has been around everywhere in IOS and IOS XE (and even NX-OS though you have to jump hoops to use it there) since forever. So for IOS classic, take your pick. Actually I didn't know about parser views, thank you to Emille for teaching me something.

With priv levels, you define the specific commands available in a privlevel (where the privlevel is either 1 through 14 or 2 through 14, can't remember if 1 is definable), then assign a user to that privlevel and the user is able to use *that specific command* as if it were privlevel 15. With parser views, I'm just reading about it now but from what I can tell it's similar except you can achieve significantly finer-grain control in a number of different ways. I suspect though that privlevels will be quicker to achieve what you're trying to do. It's "dirtier" (I suspect) than parser views, but if you were looking for the most-elegant solution you would have gone with an AAA server so I suspect you're more focused on getting a "good enough" job done quickly, than on getting it done best.

IOS XR and NX-OS have pre-defined read-only roles. You didn’t ask about them, but "eh" these two are pretty easy.

IOS XR isn't documented formally in 5.3.3, but this article is written by Xander Thuijs who (at the time) was the product lead so I think it's trustworthy:
https://community.cisco.com/t5/xr-os-and-platforms/creating-username-passwd-on-ios-xr/m-p/2895304/highlight/true#M7066

NX-OS has had read-only baked-in for years, the specifics depend on the hardware:
https://routing-bits.com/2011/05/24/nexus-user-roles/

weylin
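An added example of the privilege-level variant described in the reply above, for comparison with the parser-view approach; it is constructed configuration, not from the thread or from Cisco's documentation. The level number, the account name and the placeholder secrets are my assumptions, and the `show running-config view full` line rests on the assumption, noted in the comments, that a level below 15 sees a filtered `show running-config`, which is the behaviour heasley alludes to with "they require level 15 to read the config".

```cisco
! Constructed example: a read-only RANCID account built from privilege
! levels alone. Level 7 is arbitrary; use any level from 2 to 14 that
! nothing else on the box already uses.
!
! Each line moves one exec command down from level 15 to level 7. IOS
! adds the parent keyword ("privilege exec level 7 show") by itself.
privilege exec level 7 show version
privilege exec level 7 show startup-config
privilege exec level 7 show running-config
! Assumption: below level 15 the plain "show running-config" prints only
! the lines that level may configure; "view full" asks for the whole file.
! Verify on your own release by comparing with a level-15 "show run".
privilege exec level 7 show running-config view full
! "all" grants every command starting with "terminal" (length, width).
privilege exec all level 7 terminal
!
! The account lands at level 7 on login. With "aaa new-model" that needs
! "aaa authorization exec default local"; with plain "login local" on the
! vty lines the username's privilege is applied directly.
username rancid privilege 7 secret CHANGE-ME-USER-SECRET
!
! Nothing here removes "configure terminal" from level 15, so the only
! thing standing between this account and full access is the enable
! secret: keep it set, and keep it out of RANCID's .cloginrc.
enable secret CHANGE-ME-ENABLE-SECRET
!
! Checks, from the rancid session:
!   show privilege        -> "Current privilege level is 7"
!   configure terminal    -> rejected as an unrecognised command
!   enable                -> prompts for a secret the account does not have
```

The practical difference from a parser view is the direction of the rules: a view starts from nothing and adds commands, while privilege levels start from level 1's defaults and add to them, so anything already at level 1 (ping, traceroute, most `show` commands) stays available to the rancid user. That is usually fine for a collector account, but it is the reason weylin calls this the "dirtier" option.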