Restricting an Admin user to read-only access on multiple devices

Unanswered Question
Jul 19th, 2007
User Badges:

I have an admin user located at a remote site that will be connecting to my networks via VPN. He requires only read access to my switches, routers & firewall. Currently we connect to the devices on the network after authentication using AAA. I have a Windows 2003 Server running IAS Radius (Standard) that provides AAA.

How can I restrict his access once connected to the devices to read-only.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
mattiaseriksson Thu, 07/19/2007 - 05:03
User Badges:
  • Bronze, 100 points or more

You can put him in non-privileged mode (level 1) without giving him the enable password, that will make sure he can't change anything, but he can use some show commands and run ping and traceroute.

If he needs access to any exec

access, for example to enter debug commands, you can assign him to a different privilege level (2-14), with radius, and then move the commands that he will use to that level using the privilege command.

marksenteza Thu, 07/19/2007 - 07:21
User Badges:

How do I assign his privilege level using Microsoft IAS Radius server

Once its done on the server, I assume that i dont have to define his privilege level on the devices !

mattiaseriksson Thu, 07/19/2007 - 07:37
User Badges:
  • Bronze, 100 points or more

You need to add a vendor-specific attribute to the user profile: "shell:priv-lvl=1"

(substitute 1 to whatever level you want to grant the user)

But I have no clue how to do that, check the IAS docs.

If you are ok with the non-privileged mode (level 1) access you do not have to define anything on the devices, but if you want to grant access to commands above privilege level 1 you have to define a new privilege level and add some commands to it.

IOS only have level 1 and 15 pre configured.

marksenteza Mon, 07/23/2007 - 02:54
User Badges:

The string you specified was the correct one.

On Windows IAS Server, I did it as follows:

1. Created a new Remote Access Polic

2. To it I added the relevant group

3. Selected: Grant remote access permission

4. Go to: Edit profile

5. Advanced Tab, add: Cisco-AV-Pair, with the value:


or whatever value is required

Then on the Cisco devices:

#aaa authorization exec default group if-authenticated local

#username privilege 10

#privilege exec level 10 show startup-config

This of course assumes you have the other AAA configuration in place.

It worked for me.


This Discussion