ndalmolin_13 (United States) asked:

Help creating a custom privilege level in a Cisco switch or router

Hello Experts,

I have been asked to create an account on my network equipment that will be used by a security appliance that our security team is putting in to check the equipment for vulnerabilities.  The utility is going to SSH into each device and needs to be able to run the following commands:
• Terminal length 0
• Enable
• Show running-config
• Show arp
• Show interfaces
• Show mac address-table
• Show interfaces trunk
• Show ip route
• Show ip route vrf *
• Show access-list (aci_name)

My thought is I will create a custom privilege level and assign that privilege level to a local account (we don’t have a RADIUS or TACACS+ server).  I have done quite a bit of reading on this, and the configuration that I think I will use is given below.  However, I don’t have any test equipment to run this on and I don’t have any IOS images to load into GNS3, so I thought I would post it here for review.

SW1> en
SW1# config t
SW1(config)# user SEC-APP-SHOWONLY privilege 3 password Cisco123
SW1(config)# privilege exec level 3 terminal length 0
SW1(config)# privilege exec level 3 enable
SW1(config)# privilege exec level 3 show running-config
SW1(config)# privilege exec level 3 show arp
SW1(config)# privilege exec level 3 show interfaces
SW1(config)# privilege exec level 3 show mac address-table
SW1(config)# privilege exec level 3 show interfaces trunk
SW1(config)# privilege exec level 3 show ip route
SW1(config)# privilege exec level 3 show ip route vrf *
SW1(config)# privilege exec level 3 show access-list (aci_name)

My questions are these:
1. Will the configuration above work?  By work, I mean could I log into a switch or router with this configuration using the username and password given in the config above and only be able to run these commands?  I definitely don’t want the security team or their appliance to be able to get into global configuration mode.
2. If the configuration above will not work, I have read that I can create different views in the Cisco IOS.  If I have to go this route, do I create a user and custom privilege level as above and then the view and somehow assign the view to the user?

Thanks in advance for your help and expertise on this.

Nick
Tags: Cisco, Switches / Hubs, Network Management
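Added example, not part of the question or of any answer on this page: a small Python check that parses a privilege-level configuration like the one proposed above, applies the IOS rule that privilege levels are cumulative (a level-3 user also gets everything granted at levels 1 and 2), reports which required commands are missing or extra and whether anything that opens configuration mode has been granted, and emits the role-based CLI (parser view) equivalent for question 2. The sample config is constructed here with a deliberate `show ip vrf *` / `show ip route vrf *` mismatch so the check has something to report; the view name `SEC-SHOW` and the `CHANGEME` secret are placeholders, and the `parser view` / `username ... view` lines follow the standard IOS role-based CLI syntax, which you should confirm against your IOS release.

```python
import re

# Constructed for this example: the command list the appliance needs, from the question.
REQUIRED_COMMANDS = [
    "terminal length 0",
    "enable",
    "show running-config",
    "show arp",
    "show interfaces",
    "show mac address-table",
    "show interfaces trunk",
    "show ip route",
    "show ip route vrf *",
    "show access-list (aci_name)",
]

# Constructed sample of the proposed privilege-level config. One line deliberately
# grants "show ip vrf *" instead of "show ip route vrf *" so the check below has a
# mismatch to report. The password is a placeholder, not a real credential.
PROPOSED_CONFIG = """\
username SEC-APP-SHOWONLY privilege 3 password CHANGEME
privilege exec level 3 terminal length 0
privilege exec level 3 enable
privilege exec level 3 show running-config
privilege exec level 3 show arp
privilege exec level 3 show interfaces
privilege exec level 3 show mac address-table
privilege exec level 3 show interfaces trunk
privilege exec level 3 show ip route
privilege exec level 3 show ip vrf *
privilege exec level 3 show access-list (aci_name)
"""

PRIV_RE = re.compile(r"^privilege\s+(?P<mode>\S+)\s+level\s+(?P<level>\d+)\s+(?P<cmd>.+?)\s*$")
USER_RE = re.compile(r"^username\s+(?P<name>\S+)\s+privilege\s+(?P<level>\d+)\b")


def parse_privilege_config(config):
    """Return (users, grants): users maps name -> privilege level;
    grants maps (parser mode, level) -> list of lower-cased command strings."""
    users, grants = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = USER_RE.match(line)
        if m:
            users[m["name"]] = int(m["level"])
            continue
        m = PRIV_RE.match(line)
        if m:
            grants.setdefault((m["mode"], int(m["level"])), []).append(m["cmd"].lower())
    return users, grants


def commands_available(grants, level, mode="exec"):
    """IOS privilege levels are cumulative: a level-N user can run every command
    granted at level N or below (level 1 is the default user EXEC level)."""
    available = set()
    for (m, lvl), cmds in grants.items():
        if m == mode and lvl <= level:
            available.update(cmds)
    return available


def coverage_report(config, user, required):
    """Compare what the local user can run against what the appliance needs."""
    users, grants = parse_privilege_config(config)
    level = users[user]
    available = commands_available(grants, level)
    required_set = {c.lower() for c in required}
    return {
        "level": level,
        "missing": [c for c in required if c.lower() not in available],
        "extra": sorted(available - required_set),
        # Anything that opens global configuration mode is exactly what the question wants to avoid.
        "config_mode": sorted(c for c in available if c.split()[0].startswith("conf")),
    }


def parser_view_config(view_name, user, secret, commands):
    """Emit the role-based CLI equivalent: a parser view that includes exactly these
    EXEC commands, bound to the local user. Assumes 'aaa new-model' is enabled and
    that the view is created from the root view. Names and secret are placeholders."""
    lines = ["aaa new-model", f"parser view {view_name}", f" secret 0 {secret}"]
    lines += [f" commands exec include {c}" for c in commands]
    lines.append(f"username {user} view {view_name} secret 0 {secret}")
    return "\n".join(lines)


if __name__ == "__main__":
    report = coverage_report(PROPOSED_CONFIG, "SEC-APP-SHOWONLY", REQUIRED_COMMANDS)
    for key, value in report.items():
        print(f"{key}: {value}")
    print(parser_view_config("SEC-SHOW", "SEC-APP-SHOWONLY", "CHANGEME", REQUIRED_COMMANDS))
```

Run as-is, the report lists `show ip route vrf *` as missing and `show ip vrf *` as an unneeded extra, and shows no configuration-mode command at level 3. One caveat worth keeping in mind when choosing between the two approaches: `show running-config` run from a privilege level below 15 displays only the parts of the configuration that level is authorized for, so a scanner that needs the full running-config may still come back incomplete with the privilege-level design; a parser view with `commands exec include show running-config` gives the same filtered result, so test the actual output the appliance receives before signing off.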

Last comment: Andy Bartkiewicz, 8/22/2022 (Mon)