Chase Pettet

I enjoy collaborating to build safely useful products, platforms, and services.

less than 1 minute read

If you have tiered levels of administrators, or you want to create an account for automation purposes best practice is to define a custom security level in IOS.

Levels 1 and 15 are defined by default.

Allowing lower levels to see your configuration: IOS

conf t
username backup privilege 3 secret <SECRET>
privilege exec level 3 show startup-config
privilege exec level 3 show
wr mem

Allowing lower levels to see your configuration: FreeRADIUS:

/etc/freeradius/users

backup
    Service-Type = NAS-Prompt-User,
    cisco-avpair = "shell:priv-lvl=3",
    Auth-Type = System,

Defining the next user tier for NAT information: IOS

conf t
username natinfo privilege 4 secret <SECRET>
privilege exec level 4 show nat64 statistics
wr mem

Defining the next user tier for NAT information: FreeRADIUS

natinfo
    Service-Type = NAS-Prompt-User,
    cisco-avpair = "shell:priv-lvl=4",
    Auth-Type = System,

Notes

  • Permissions stack up which means a user at Level 4 can also issue ‘show startup-configuration’
  • show running-config command does not work in this way for the IOS devices I have tried.

You May Also Enjoy

21 Musings From Incident Response

7 minute read

These are my personal anecdotal conclusions and I totally appreciate it may not line up with anyone else’s. This is US centric, as that is my experience, a...

Specialty Packet Capture

3 minute read

Situations where it’s useful to analyze traffic: Don’t have access to the logs Want to look at traffic somewhere upstream like an LB Something is mak...