Diffstat (limited to 'docs/cisco.md')
-rw-r--r-- | docs/cisco.md | 106 |
1 files changed, 104 insertions, 2 deletions
diff --git a/docs/cisco.md b/docs/cisco.md index 17ad0fe..ac0f4c7 100644 --- a/docs/cisco.md +++ b/docs/cisco.md 
@@ -1,9 +1,111 @@ # Looking Glass: Cisco IOS configuration and tips. -Easy to deploy Looking Glass made in PHP. +Cisco IOS support is rather straightforward with IOS versions from the last +decade and afterwards. ## Security and user access -## Configuration +As security by least privilege is quite efficient, using a restricted user to +execute the commands is advised. + +Of all methods to create a restricted user, we know of two methods to achieve +such setup: + + * Role Based CLI [1][2] + access-class restriction + * Privilege exec levels manipulation [3] + +We highly recommand the view method, though we will document both. + +## Configuration: Views method + +Log in your Cisco router and then in enable mode, type the following commands: + +``` +router#enable view +Password: + +router#config terminal +Enter configuration commands, one per line. End with CNTL/Z. +router(config)#parser view looking-glass +router(config-view)# secret VIEW-ENABLE-PASSWORD +router(config-view)# commands exec include all traceroute +router(config-view)# commands exec include all ping +router(config-view)# commands exec include all show bgp +router(config-view)# commands exec include show +router(config-view)# exit +router(config)#access-list 1 permit IP4-ADDR-OF-YOUR-LOOKING-GLASS +router(config)#username lg view looking-glass access-class 1 secret LG-USER-PASSWORD +router(config)# end +router# write +``` + +SSH pubkey based authentication is preferred too: + +``` +router(config)#ip ssh pubkey-chain +router(conf-ssh-pubkey)#username lg +router(conf-ssh-pubkey-user)#key-string +router(conf-ssh-pubkey-data)# ! 
Input the pubkey BUT WRAP TO ~ 80 CHARS BEFORE PASTING +router(conf-ssh-pubkey-data)# end +``` + +## Configuration: Privilege exec method + +Not our preferred method, as it modifies the global behaviour of the Cisco +privilege system, but you may still prefer this method… or work with severely +outdated IOS :/ + +Log in your Cisco router and then in enable mode, type the following commands: + +``` +router#config terminal +Enter configuration commands, one per line. End with CNTL/Z. +router(config)# privilege exec all level 4 show bgp +router(config)# privilege exec all level 4 ping +router(config)# privilege exec all level 4 traceroute +router(config)#access-list 1 permit IP4-ADDR-OF-YOUR-LOOKING-GLASS +router(config)#username lg privilege 4 access-class 1 secret LG-USER-PASSWORD +router(config)# end +router# write +``` +Note that the privilege level used in this example is arbitrary. + +DISCLAIMER: THIS METHOD WASN'T TESTED AND WON'T BE FOR THE MOMENT! ## Debug + +Activate SSH Events logging: + +``` +router#config terminal +Enter configuration commands, one per line. End with CNTL/Z. +router(config)#ip ssh logging events +router(config)# end +router# +``` + +Test the ssh/telnet connexion from the server where the looking glass is installed. + +Display the resulting logs during your tests: + +``` +router# show logging +Aug 4 2014 01:45:03.012 CEST: %SSH-5-SSH2_USERAUTH: User 'lg' authentication for SSH2 Session from $IP4-ADDR-OF-LG (tty = 0) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1-96' Succeeded +Aug 4 2014 01:45:05.104 CEST: %SSH-5-SSH2_CLOSE: SSH2 Session from $IP4-ADDR-OF-LG (tty = 0) for user 'lg' using crypto cipher 'aes128-ctr', hmac 'hmac-sha1-96' closed +``` + +When done, deactivate SSH Events logging: + +``` +router#config terminal +Enter configuration commands, one per line. End with CNTL/Z. 
+router(config)#no ip ssh logging events +router(config)# end +router# +``` + +## References + +[1] http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html +[2] http://www.cisco.com/c/dam/en/us/products/collateral/security/ios-network-foundation-protection-nfp/prod_presentation0900aecd80313ff4.pdf +[3] http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfpass.html |
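Review bot: The Debug section tells the reader to "Test the ssh/telnet connexion", but the rest of this document prefers SSH with public-key authentication for the lg user; a telnet login would send the LG-USER-PASSWORD secret in clear text, so the test step should name SSH only (and "connexion" should read "connection"). A few more points in the same hunk: "recommand" should be "recommend" and "Log in your Cisco router" should be "Log in to your Cisco router" (twice); the privilege-exec section ends with "DISCLAIMER: THIS METHOD WASN'T TESTED", so consider flagging that section as unverified in its heading rather than presenting it as a second supported option; and since the view grants `commands exec include all ping` and `commands exec include all traceroute` while `access-class 1` only restricts where the lg user logs in from, it is worth a sentence noting that the looking-glass user can probe any destination the router can reach, so operators may want to confirm that is acceptable for their management networks.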