?
Solved

read only access to router via ssh

Posted on 2011-09-23
3
Medium Priority
?
363 Views
Last Modified: 2012-08-14
Can you tell me how to setup a user account on a cisco router so that he will only have read only access via SSH

thanks
0
Comment
Question by:FREDARCE
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 18

Expert Comment

by:jmeggers
ID: 36589030
Have to use command authorization.   The user has to be authenticated and then they're assigned a "level".  Command authorization is used to authorize commands at various levels.  In your case, you'd allow 'show run" but not "config  term".  See http://www.cisco.com/en/US/docs/ios/12_0/security/command/reference/srauth.html
0
 
LVL 17

Accepted Solution

by:
rochey2009 earned 1000 total points
ID: 36592166
At a basic level - all you need is:

aaa new-model

some versions of IOS don't allow the secret option for the username password encryption. If not then you'll have to use the cleartext version.

username <Username> privilege 1 secret <password>

or

username <Username> privilege 1 password <password>

You can also extend the privilege level using "privilege exec" and "privilege configure" to give access to features not available at a particular level.


0
 
LVL 1

Assisted Solution

by:DvonHoltz
DvonHoltz earned 1000 total points
ID: 36593006
I agree with rochey2009 on the commands, just a quick note on privilege levels

    privilege level 0 — Includes the disable, enable, exit, help, and logout commands.
    privilege level 1 — Normal level on Telnet; includes all user-level commands at the router> prompt.
    privilege level 15 — Includes all enable-level commands at the router# prompt.

Also if you use "password <password>" ensure you use "service password-encryption" or all passwords will be plain text. also be aware that there are a lot of websites that can crack passwords done in this way. If security of passwords is important, than always use  "service password-encryption" and "username <Username> privilege <X> secret <password>"  
0

Featured Post

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the hope of saving someone else's sanity... About a year ago we bought a Cisco 1921 router with two ADSL/VDSL EHWIC cards to load balance local network traffic over the two broadband lines we have, but we couldn't get the routing to work consi…
During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question