Cisco – Read Only Access to Cisco Device

cisco router switch

I need to create a read only account on all of my Cisco devices.
I haven't really been able to figure out exactly how, as all the tutorials I can find on how to do this modify the privilege 3 level and allow it to execute show commands using an alias. This is not what I want.

I basically want a user account that can log in and perform every show command, including show run, show ip interface brief, show interface status and so on, but without access to modify the configuration. I don't care that the person can obtain information in the configuration that will make him or her able to access the router anyway; it is simply because I am having someone access the equipment who needs to view certain information, but does not have enough knowledge that I trust him or her to make changes to the config.

Does anyone know how to do this without using Radius/TACACS?

Best Answer

Without TACACS, you have to set up a privilege level ("view") that only allows the commands you want them to run. Allowing access to the full config may expose passwords to accounts that have higher access than they do -- eventually, they'll figure that out and bypass such weak controls.

TACACS is really the direction you need to move. However, I do understand not wanting that headache.
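
One way to build the restricted "view" the answer describes, using IOS role-based CLI (parser views) with a local account. This is an added example, not part of the original answer. The view name `READONLY`, the username `auditor` and every `<...>` value are assumed placeholders.

```cisco
! Added example (assumed names: READONLY, auditor; <...> values are placeholders).
! Role-based CLI views require AAA. Enabling it changes login behaviour on every
! line, so keep a working console session open while testing.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
! An enable secret must exist. Views are created from the root view, which is
! entered from exec mode with "enable view" before "configure terminal".
enable secret <ENABLE-SECRET>
!
parser view READONLY
 secret <VIEW-SECRET>
 ! "all" covers every command that begins with "show"
 commands exec include all show
!
! Local account that is placed directly into the view at login
username auditor view READONLY secret <USER-SECRET>
```

After logging in as that account, `show parser view` reports the active view and `?` lists only the commands the view permits.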