[rancid] IOS topic: How to create a read-only user?

heasley heas at shrubbery.net
Wed Nov 21 21:46:45 UTC 2018


Wed, Nov 21, 2018 at 01:14:28PM -0800, Dan Mahoney (Gushi):
> I'd like to create a "rancid" user for my (cisco, primarily IOS classic) 
> devices which has full privileges to do things like "show run", but that 
> has no ability to change the configs.
> 
> I know this is possible to do as part of Tacplus, but as I only have three 
> or four devices, spinning up tacplus seems more complicated than need be. 
> (This is why I mentioned ssh, just in case -- all my users have local 
> privilege levels in the config).
> 
> I'm sure this has been asked before, but my google-fu is failing me here.
> 
> Bonus points if you know this for things like IOS-XR/XE or Junos.

in classic or xe, afaik, the only way is tacacs command authorization.
they require level 15 to read the config - so....  though newer xe
appears to have xr-like roles.

for nx or xr, tacacs author or i _think_ it's possible to create roles
or taskgroups (depending which you're smoking) particular to the perms
that you want.

that should be enough to seed your google foo.


