[c-nsp] Creating a read-only user for RANCID

Javier Henderson javier at cisco.com
Fri Feb 17 08:26:43 EST 2012


James,

With the configuration you list below, the switch is doing exec authorization. If your TACACS+ server is sending back a given privilege level (other than 1), you will get the # prompt and the user will be granted that privilege level.

Configuring your TACACS+ server to not assign a privilege level to the rancid user will give you the > prompt and put it at privilege level 1; you will then need to enter the enable command to obtain a higher privilege level.

Javier Henderson
javier at cisco.com


On Feb 17, 2012, at 7:47 AM, James Bensley wrote:

> Hello everyone,
> 
> I am trying to make a read-only user on a device for rancid to log in
> with. The problem is that when I telnet in as the rancid user and
> authenticate, I am dropped straight into privileged exec mode, which has
> a different prompt ('#' - hash, instead of '>' - greater than), which
> throws off the rancid expect script and it just hangs.
> 
> I have made a custom privilege level for the rancid user, but this is
> the part that seems to be the problem. When logging in with my normal
> user, which has the default privilege level of 15, it doesn't have
> this problem (I drop into user exec mode and have to type
> enable...etc). Is there perhaps another way around this?
> 
> How can I stop the switch from automatically entering privileged exec mode?
> 
>    show ver;
>    Cisco IOS Software, C2960 Software (C2960-LANBASE-M)
>    System image file is
> "flash:c2960-lanbase-mz.122-25.SEE3/c2960-lanbase-mz.122-25.SEE3.bin"
> 
>    show run;
>    username rancid privilege 3 secret 5 aaaaaaaaaa
>    aaa new-model
>    aaa authentication login default local enable
>    aaa authentication enable default enable
>    aaa authorization exec default local
>    !
>    aaa session-id common
>    !
>    privilege exec level 3 show config
> 
>    $ telnet sw1
>    Trying 11.22.33.44...
>    Connected to sw1
>    Escape character is '^]'.
> 
> 
>    User Access Verification
> 
>    Username: rancid
>    Password:
> 
>    sw1#
> 
> 
> Many thanks,
> James.
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
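For readers hitting the same problem with local AAA rather than TACACS+, here is an added example (not from either poster, and not rancid project code) showing the configuration James posted, which authorizes the rancid user straight into level 3 at login, next to a corrected version in which login lands at level 1 with the '>' prompt and a level-3 enable secret is used to step up. The secret values and the exact set of show commands moved to level 3 are assumptions.

```cisco
! --- As posted: exec authorization against the local database hands the
! --- user its configured privilege (3) at login, so the prompt is '#'.
username rancid privilege 3 secret 5 aaaaaaaaaa
aaa new-model
aaa authentication login default local enable
aaa authentication enable default enable
aaa authorization exec default local
privilege exec level 3 show config

! --- Corrected: keep exec authorization, but give the account privilege 1
! --- so login lands at user exec ('>'). A level-3 enable secret lets the
! --- collector raise itself with 'enable 3' only after login.
! (assumed secrets; replace with real ones, never reuse the level-15 secret)
username rancid privilege 1 secret RancidLoginSecret
enable secret level 3 RancidEnable3Secret
aaa new-model
aaa authentication login default local enable
aaa authentication enable default enable
aaa authorization exec default local
! Move only the read-only commands the collector needs down to level 3.
! 'show config' is the old alias for 'show startup-config'; the running
! config is what rancid actually diffs.
privilege exec level 3 show running-config
privilege exec level 3 show startup-config
privilege exec level 3 show version
```

With the corrected configuration, rancid still has to be told how to step up: its .cloginrc needs the login password and the level-3 enable password for the device, and if your rancid version supports an enablecmd directive, set it to "enable 3" for that host, since plain "enable" asks for the level-15 secret. The opposite fix also exists: leave the account at level 3 and tell clogin the user is already enabled (the autoenable directive in .cloginrc), so it stops waiting for a '>' prompt. Whichever you choose, verify the collected configuration is complete: on many IOS releases, running show running-config below level 15 prints only the parts of the configuration that the current level is allowed to modify, which can leave rancid archiving a truncated config without any error.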



