7 Posts
0
2226
August 31st, 2021 11:00
Dell N-Series - ReadOnly account can elevate to ReadWrite
Hi!
I have been searching for a solution for days, but cannot get it running:
On Dell N4000 and Dell N2000 devices, I need to set up a ReadOnly-account without using an additional enable password.
According to the docs, I created a new account:
username rouser password MYPASSWORD privilege 1
This user is a perfect read-only user at the WebGUI, but it can log in through Telnet/SSH and elevate to a full read-write-account by just writing "enable".
I tried different aaa-configs, but have never been able to create a real read-only-account alongside my other full "privilege 15"-accounts. I am not able to use an additional "shared-enable-password".
I am just using "local" users (no tacacs, radius, etc.).
Can you help me?
Thank you and best wishes!
Stril
DELL-Erman O
Moderator
•
2.8K Posts
1
September 1st, 2021 02:00
Hi,
Interestingly, I didn't know why a read-only username wouldn't work. I wouldn't expect something like this to happen. Alternatively, could you try to create it like below:
(config)#
(config)#admin-profile Test
(admin-profile)#rule 1 permit mode user-exec
(admin-profile)#rule 2 permit mode privileged-exec
(config)#username password admin-profile Test
Best Regards,
DELL-Josh Cr
Moderator
•
9.2K Posts
0
August 31st, 2021 15:00
Hi Stril,
Have you tried user level 0? It is restricted from privileged exec. Page 906 https://dell.to/3kFFRyA
Stril
7 Posts
0
August 31st, 2021 23:00
Hi!
Thank you for your answer!
privilege-0-users are not able to log in at the CLI:
--> User Blocked
Do you have any idea on how to get a read-only-user?
Best wishes,
Stril
Stril
7 Posts
0
September 1st, 2021 01:00
Hi!
I am totally open on how to do it, but the KB seems to be wrong on writing "privilege 1 is read-only". That is not the case.
Can you tell me how to get a read-only account, if my way is wrong/not possible?
Level-1 seems only to be read-only for web-gui and full-featured for CLI.
Thank you for your help
Stril
DELL-Erman O
Moderator
•
2.8K Posts
0
September 1st, 2021 01:00
Hello,
You should be able to set level 1 to very limited read-only, but I'm not sure there's a way to do it the way you want, although I've been digging a lot. https://dell.to/2Yhj8kX
Stril
7 Posts
1
September 1st, 2021 10:00
Hi Erman!
Thank you for your answer. admin-profiles are able to solve the problem, but your "rule 2" is too much. With it, the user is able to change the config (no more read-only).
Perhaps you want to inform your dev-team that there is a bug, or at least an issue with the documentation, as a "web-read-only-user" is automatically able to change the whole config via telnet/ssh.
Thank you and best wishes
DELL-Josh Cr
Moderator
•
9.2K Posts
0
September 1st, 2021 15:00
What version is the firmware at? If it is not up to date, it is possible it is something that was resolved with an update.
Stril
7 Posts
0
September 2nd, 2021 23:00
Hi!
I did the tests with the latest released version (6.6.3.14)
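
Added example (not part of the thread and not Dell code): a small audit script that scans a saved running-config for the two conditions reported above, a local user below privilege 15 on a switch with no enable password, and a user bound to an admin-profile that permits privileged-exec. The sample config is constructed; the `enable password` line format and the `exit` lines are assumptions about how the config is saved.

```python
import re

# Constructed running-config excerpt; only the username/admin-profile/rule
# syntax comes from the thread. Names and passwords are placeholders.
SAMPLE_CONFIG = """\
username admin password PLACEHOLDER privilege 15
username rouser password PLACEHOLDER privilege 1
admin-profile Test
rule 1 permit mode user-exec
rule 2 permit mode privileged-exec
exit
admin-profile ViewOnly
rule 1 permit mode user-exec
exit
username auditor password PLACEHOLDER admin-profile Test
username viewer password PLACEHOLDER admin-profile ViewOnly
"""

def audit(config):
    """Return sorted (user, reason) findings for accounts that are not truly read-only."""
    has_enable_pw = False
    profiles, current = {}, None   # profile name -> set of permitted modes
    users = []                     # (name, privilege or None, profile or None)
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("enable password "):   # assumed syntax, not shown in the thread
            has_enable_pw = True
        elif m := re.fullmatch(r"admin-profile (\S+)", line):
            current = m.group(1)
            profiles.setdefault(current, set())
        elif current and (m := re.fullmatch(r"rule \d+ permit mode (\S+)", line)):
            profiles[current].add(m.group(1))
        elif m := re.match(r"username (\S+) password \S+(?: encrypted)?(.*)", line):
            current = None         # a username line ends any open profile block
            priv = re.search(r"\bprivilege (\d+)", m.group(2))
            prof = re.search(r"\badmin-profile (\S+)", m.group(2))
            users.append((m.group(1), int(priv.group(1)) if priv else None,
                          prof.group(1) if prof else None))
    findings = []
    for name, priv, prof in users:
        # Privilege 0 is skipped: per the thread it is blocked from the CLI.
        if priv is not None and 0 < priv < 15 and not has_enable_pw:
            findings.append((name, "privilege %d, no enable password: 'enable' gives read-write" % priv))
        if prof and "privileged-exec" in profiles.get(prof, set()):
            findings.append((name, "admin-profile %s permits privileged-exec" % prof))
    return sorted(findings)

if __name__ == "__main__":
    for user, reason in audit(SAMPLE_CONFIG):
        print(user, "->", reason)
```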