DDoS attack emergency?

Using Cisco Privilege Level to provide Read Only Show Run User

See the associated video here.

  1. Add the new user and required privilege level to your device in config mode:

    username cisco priv 3 secret cisco

    This example shows adding a user of ‘cisco’ at privilege level 3 with a password of ‘cisco’.

  2. Add the commands you wish the privilege level to have:

    privilege exec level 3 show run
    privilege exec level 3 show start
    privilege exec level 3 show running-config view
    privilege exec level 3 show running-config view full
    privilege exec level 3 more system:running-config
    privilege exec level 3 show conf
    privilege exec level 3 configure terminal
    privilege configure all level 3 clock

    This example gives them access to the above commands, including config access to change the clock settings.

  3. Allow file access for the privilege level:

    file privilege 3

    Without this, you cannot actually view contents of flash and nvram, the commands run, but provide no useful output.

  4. Optional: Apply aaa new model commands.

    If using no aaa new-model in your config, then the above will work without further changes. Otherwise:

    aaa new-model
    aaa authentication login default local
    aaa authentication enable default enable
    aaa authorization console
    aaa authorization exec default local

    If the additional attributes are not added, it is possible your new user will be elevated to level 15.

 

Bear in mind that the enable secret will always allow users to move to privileged level 15, so do not provide the reduced access users the enable password.

 

Watch the video for clear explanations about each command.

back to top