[rancid] IOS topic: How to create a read-only user?

Piegorsch, Weylin William weylin at bu.edu
Fri Nov 23 05:50:21 UTC 2018


Unfortunately the only thing available to you in IOS classic is privlevels and parser views.  I just tried IOS XE 16.6, and parser views are there; privlevel has been around everywhere in IOS and IOS XE (and even NX-OS, though you have to jump through hoops to use it there) since forever.  So for IOS classic, take your pick.  Actually I didn't know about parser views; thank you to Emille for teaching me something.

With priv levels, you define the specific commands available in a privlevel (where the privlevel is either 1 through 14 or 2 through 14; I can't remember if 1 is definable), then assign a user to that privlevel, and the user is able to use *that specific command* as if it were privlevel 15.  With parser views, I'm just reading about it now, but from what I can tell it's similar except you can achieve significantly finer-grained control in a number of different ways.  I suspect, though, that privlevels will be quicker to achieve what you're trying to do.  It's "dirtier" (I suspect) than parser views, but if you were looking for the most elegant solution you would have gone with an AAA server, so I suspect you're more focused on getting a "good enough" job done quickly than on getting it done best.

IOS XR and NX-OS have pre-defined read-only roles.  You didn’t ask about them, but "eh" these two are pretty easy.

IOS XR isn't documented formally in 5.3.3, but this article is written by Xander Thujis, who (at the time) was the product lead, so I think it's trustworthy:
https://community.cisco.com/t5/xr-os-and-platforms/creating-username-passwd-on-ios-xr/m-p/2895304/highlight/true#M7066

NX-OS has had read-only baked-in for years; the specifics depend on the hardware:
https://routing-bits.com/2011/05/24/nexus-user-roles/

weylin
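The two IOS-classic options Weylin describes, written out as an added configuration example (this is not from his post, from Cisco, or from the RANCID project). The username `rancid`, both secrets, the level number 5, and the view name `RANCID` are placeholders; the command list is the minimum a collector typically needs and should be matched to whatever your rancid script actually issues. Parser views need `aaa new-model` and must be created from the root view (`enable view`, then the enable secret).

```ios
! ---- Option 1: privilege level (IOS classic / IOS XE) ----
! Hypothetical collector account at level 5. 'configure terminal' stays
! at level 15, so this user cannot enter configuration mode.
username rancid privilege 5 secret 0 ChangeMe123
!
! Pull only the commands the collector needs down to level 5.
! Naming a sub-command (e.g. 'show running-config') also makes the
! parent 'show' available at that level.
privilege exec level 5 show running-config
privilege exec level 5 show startup-config
privilege exec level 5 show version
privilege exec level 5 show inventory
privilege exec level 5 terminal length
privilege exec level 5 dir
!
! ---- Option 2: parser view (Role-Based CLI Access) ----
! Requires AAA and must be entered from the root view:
!   Router# enable view
!   Router# configure terminal
aaa new-model
!
parser view RANCID
 secret 0 ViewSecret123
 commands exec include show running-config
 commands exec include show startup-config
 commands exec include show version
 commands exec include show inventory
 commands exec include terminal length
 commands exec include dir
!
! Bind the account directly to the view, so it lands in the view at login.
username rancid view RANCID secret 0 ChangeMe123
```

Whichever option you use, check the result before pointing RANCID at it: log in as the new user, run `show running-config`, and diff it against the same command from a level-15 session. heasley's point in the quoted reply (that reading the config needs level 15) is the thing to verify here: a reduced-privilege session may not give you the complete configuration, in which case the collected file will silently differ from what a level-15 login would fetch.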




On 11/21/18, 4:46 PM, "heasley" <heas at shrubbery.net> wrote:

    Wed, Nov 21, 2018 at 01:14:28PM -0800, Dan Mahoney (Gushi):
    > I'd like to create a "rancid" user for my (cisco, primarily IOS classic) 
    > devices which has full privileges to do things like "show run", but that 
    > has no ability to change the configs.
    > 
    > I know this is possible to do as part of Tacplus, but as I only have three 
    > or four devices, spinning up tacplus seems more complicated than need be. 
    > (This is why I mentioned ssh, just in case -- all my users have local 
    > privilege levels in the config).
    > 
    > I'm sure this has been asked before, but my google-fu is failing me here.
    > 
    > Bonus points if you know this for things like IOS-XR/XE or Junos.
    
    in classic or xe, afaik, the only way is tacacs command authorization.
    they require level 15 to read the config - so....  though newer xe
    appears to have xr-like roles.
    
    for nx or xr, tacacs author or i _think_ its possible to create roles
    or askgroups (depending which you're smoking) particular to the perms
    that you want.
    
    that should be enough to seed your google foo.
    
    
    