Restricting an Admin user to read-only access on multiple devices

zeu7
Level 1

I have an admin user located at a remote site that will be connecting to my networks via VPN. He requires only read access to my switches, routers & firewall. Currently we connect to the devices on the network after authentication using AAA. I have a Windows 2003 Server running IAS Radius (Standard) that provides AAA.

How can I restrict his access to read-only once he is connected to the devices?

4 Replies

mattiaseriksson
Level 3

You can put him in non-privileged mode (level 1) without giving him the enable password; that will make sure he can't change anything, but he can use some show commands and run ping and traceroute.

If he needs any other exec access, for example to enter debug commands, you can assign him to a different privilege level (2-14) with RADIUS, and then move the commands that he will use to that level using the privilege command.

How do I assign his privilege level using the Microsoft IAS RADIUS server?

Once it's done on the server, I assume that I don't have to define his privilege level on the devices!

You need to add a vendor-specific attribute to the user profile: "shell:priv-lvl=1"

(substitute 1 with whatever level you want to grant the user)

But I have no clue how to do that, check the IAS docs.

If you are ok with the non-privileged mode (level 1) access you do not have to define anything on the devices, but if you want to grant access to commands above privilege level 1 you have to define a new privilege level and add some commands to it.

IOS only has levels 1 and 15 preconfigured.

The string you specified was the correct one.

On Windows IAS Server, I did it as follows:

1. Created a new Remote Access Policy

2. To it I added the relevant group

3. Selected: Grant remote access permission

4. Go to: Edit profile

5. Advanced tab, add: Cisco-AV-Pair, with the value:

shell:priv-lvl=10

or whatever value is required.

Then on the Cisco devices:

#aaa authorization exec default group if-authenticated local

#username privilege 10

#privilege exec level 10 show startup-config

This of course assumes you have the other AAA configuration in place.

It worked for me.
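The IAS dialog above hides what actually goes over the wire. The following is an added example, not code from this thread or from Cisco or Microsoft: it builds the Cisco-AV-Pair attribute exactly as a RADIUS server would place it in an Access-Accept (RFC 2865 Vendor-Specific attribute 26, Cisco vendor ID 9, cisco-avpair vendor type 1) and then parses it back out the way the switch or router does when it decides which EXEC privilege level to drop the user into. The constructed Access-Accept attribute list, the Service-Type value used alongside it, and the fallback to level 1 when no shell:priv-lvl is returned are assumptions for the illustration; the point for a defender is that the level the device applies is whatever the server sends (or level 1 if nothing is sent), so a typo in the IAS value is worth checking with a capture rather than trusting the GUI.

```python
"""Encode and decode the Cisco-AV-Pair RADIUS VSA carrying shell:priv-lvl.

Added example for this thread (not the thread's or any vendor's code).
Wire format per RFC 2865 section 5.26:
  type=26 | length | vendor-id (4 bytes) | vendor-type | vendor-length | string
"""
import struct

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute
RADIUS_SERVICE_TYPE = 6       # RFC 2865 Service-Type attribute
SERVICE_TYPE_NAS_PROMPT = 7   # NAS-Prompt-User: plain EXEC shell
CISCO_VENDOR_ID = 9           # IANA enterprise number for Cisco
CISCO_AVPAIR = 1              # vendor type for cisco-avpair
USER_EXEC_LEVEL = 1           # what IOS uses when no level is returned


def encode_cisco_avpair(avpair: str) -> bytes:
    """Return one complete Vendor-Specific attribute holding `avpair`."""
    value = avpair.encode("ascii")
    vendor_data = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    attr_len = 2 + 4 + len(vendor_data)
    if attr_len > 255:
        raise ValueError("attribute too long for a single-byte RADIUS length")
    return struct.pack("!BBI", RADIUS_VENDOR_SPECIFIC, attr_len, CISCO_VENDOR_ID) + vendor_data


def parse_attributes(blob: bytes):
    """Walk a RADIUS attribute list, yielding (type, value) pairs.

    Lengths are validated so a truncated or corrupt packet raises instead of
    silently yielding garbage.
    """
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = blob[i], blob[i + 1]
        if attr_len < 2 or i + attr_len > len(blob):
            raise ValueError("bad attribute length")
        yield attr_type, blob[i + 2:i + attr_len]
        i += attr_len


def cisco_avpairs(blob: bytes) -> list:
    """Extract every cisco-avpair string; VSAs from other vendors are ignored."""
    pairs = []
    for attr_type, value in parse_attributes(blob):
        if attr_type != RADIUS_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        j = 4  # one VSA may carry several vendor sub-attributes
        while j + 2 <= len(value):
            vtype, vlen = value[j], value[j + 1]
            if vlen < 2 or j + vlen > len(value):
                break
            if vtype == CISCO_AVPAIR:
                pairs.append(value[j + 2:j + vlen].decode("ascii", "replace"))
            j += vlen
    return pairs


def privilege_level(blob: bytes) -> int:
    """Return the shell:priv-lvl granted by the server, else user EXEC (1)."""
    level = USER_EXEC_LEVEL
    for pair in cisco_avpairs(blob):
        key, sep, val = pair.partition("=")
        if sep and key.strip() == "shell:priv-lvl":
            level = int(val.strip())
            if not 0 <= level <= 15:
                raise ValueError("IOS privilege levels are 0-15")
    return level


# Constructed Access-Accept attribute list (not a real capture): the
# Service-Type IAS would send for an EXEC login plus the AV-pair from the thread.
SAMPLE_ACCEPT_ATTRS = (
    struct.pack("!BBI", RADIUS_SERVICE_TYPE, 6, SERVICE_TYPE_NAS_PROMPT)
    + encode_cisco_avpair("shell:priv-lvl=10")
)

if __name__ == "__main__":
    print(SAMPLE_ACCEPT_ATTRS.hex())
    print("granted level:", privilege_level(SAMPLE_ACCEPT_ATTRS))
```

Running it prints the attribute bytes and "granted level: 10"; feed it an attribute list with no AV-pair and it reports 1, which is the read-mostly user EXEC level the first reply describes.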