# Looking Glass: Cisco IOS configuration and tips.

Cisco IOS support is rather straightforward with IOS versions from the last decade and afterwards.

## Security and user access

As security by least privilege is quite efficient, using a restricted user to execute the commands is advised. Of all the methods to create a restricted user, we know of two that achieve such a setup:

* Role Based CLI with Views [1][2] + access-class restriction
* Privilege exec levels manipulation [3]

We highly recommend the first method, though we will document both.

## Configuration: Views method

Log in to your Cisco router and then, in enable mode, type the following commands:

```
router#enable view
Password:
router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#parser view looking-glass
router(config-view)# secret VIEW-ENABLE-PASSWORD
router(config-view)# commands exec include all traceroute
router(config-view)# commands exec include all ping
router(config-view)# commands exec include all show bgp
router(config-view)# commands exec include show
router(config-view)# exit
router(config)#access-list 1 permit IP4-ADDR-OF-YOUR-LOOKING-GLASS
router(config)#username lg view looking-glass access-class 1 secret LG-USER-PASSWORD
router(config)# end
router# write
```

SSH pubkey based authentication is preferred too:

```
router(config)#ip ssh pubkey-chain
router(conf-ssh-pubkey)#username lg
router(conf-ssh-pubkey-user)#key-string
router(conf-ssh-pubkey-data)# ! Input the pubkey BUT WRAP TO ~ 80 CHARS BEFORE PASTING
router(conf-ssh-pubkey-data)# end
```

## Configuration: Privilege exec method

Not our preferred method, as it modifies the global behaviour of the Cisco privilege system, but you may still prefer this method… or work with severely outdated IOS :/

Log in to your Cisco router and then, in enable mode, type the following commands:

```
router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)# privilege exec all level 4 show bgp
router(config)# privilege exec all level 4 ping
router(config)# privilege exec all level 4 traceroute
router(config)#access-list 1 permit IP4-ADDR-OF-YOUR-LOOKING-GLASS
router(config)#username lg privilege 4 access-class 1 secret LG-USER-PASSWORD
router(config)# end
router# write
```

Note that the privilege level used in this example is arbitrary.

DISCLAIMER: THIS METHOD WASN'T TESTED AND WON'T BE FOR THE MOMENT!

## Debug

Activate SSH events logging:

```
router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#ip ssh logging events
router(config)# end
router#
```

Test the SSH/Telnet connection from the server where the looking glass is installed. Display the resulting logs during your tests:

```
router# show logging
Aug 4 2014 01:45:03.012 CEST: %SSH-5-SSH2_USERAUTH: User 'lg' authentication for SSH2 Session from $IP4-ADDR-OF-LG (tty = 0) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1-96' Succeeded
Aug 4 2014 01:45:05.104 CEST: %SSH-5-SSH2_CLOSE: SSH2 Session from $IP4-ADDR-OF-LG (tty = 0) for user 'lg' using crypto cipher 'aes128-ctr', hmac 'hmac-sha1-96' closed
```

When done, deactivate SSH events logging:

```
router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#no ip ssh logging events
router(config)# end
router#
```

## References

* [1] http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html
* [2] http://www.cisco.com/c/dam/en/us/products/collateral/security/ios-network-foundation-protection-nfp/prod_presentation0900aecd80313ff4.pdf
* [3] http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfpass.html
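As an added example (not part of this page or of the looking glass project), the following script parses the `%SSH-5-SSH2_USERAUTH` lines that `show logging` prints in the Debug section above and reports any use of the restricted `lg` account that does not match the intended setup: a login from a host other than the looking glass (which the `access-class` should prevent) or a failed login from the looking glass itself. The sample log lines are constructed, with 192.0.2.10 standing in for IP4-ADDR-OF-LG.

```python
import re
from collections import namedtuple
from typing import List, Optional

# Matches the %SSH-5-SSH2_USERAUTH lines that "show logging" prints once
# "ip ssh logging events" is enabled (format taken from the page's Debug section).
USERAUTH_RE = re.compile(
    r"%SSH-5-SSH2_USERAUTH: User '(?P<user>[^']+)' authentication for SSH2 Session "
    r"from (?P<src>\S+) \(tty = (?P<tty>\d+)\) using crypto cipher '(?P<cipher>[^']+)', "
    r"hmac '(?P<hmac>[^']+)' (?P<result>Succeeded|Failed)"
)

AuthEvent = namedtuple("AuthEvent", "user src tty cipher hmac succeeded")

def parse_userauth(line: str) -> Optional[AuthEvent]:
    """Parse one USERAUTH log line; any other line (e.g. SSH2_CLOSE) yields None."""
    m = USERAUTH_RE.search(line)
    if m is None:
        return None
    return AuthEvent(m["user"], m["src"], int(m["tty"]), m["cipher"], m["hmac"],
                     m["result"] == "Succeeded")

def audit(lines: List[str], lg_user: str = "lg", lg_addr: str = "192.0.2.10") -> List[str]:
    """Findings: lg_user seen from a host other than lg_addr (access-class not in effect,
    or someone else trying the account), or a failed login from lg_addr (broken key/password)."""
    findings = []
    for line in lines:
        ev = parse_userauth(line)
        if ev is None or ev.user != lg_user:
            continue
        if ev.src != lg_addr:
            state = "succeeded" if ev.succeeded else "failed"
            findings.append(f"{lg_user} login from unexpected host {ev.src} ({state})")
        elif not ev.succeeded:
            findings.append(f"{lg_user} login from {ev.src} failed")
    return findings

# Constructed sample output modelled on the page's "show logging" excerpt;
# 192.0.2.10 stands in for IP4-ADDR-OF-LG, 198.51.100.7 is an unrelated host.
SAMPLE_LOG = [
    "Aug 4 2014 01:45:03.012 CEST: %SSH-5-SSH2_USERAUTH: User 'lg' authentication for SSH2 Session from 192.0.2.10 (tty = 0) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1-96' Succeeded",
    "Aug 4 2014 01:45:05.104 CEST: %SSH-5-SSH2_CLOSE: SSH2 Session from 192.0.2.10 (tty = 0) for user 'lg' using crypto cipher 'aes128-ctr', hmac 'hmac-sha1-96' closed",
    "Aug 4 2014 02:10:11.500 CEST: %SSH-5-SSH2_USERAUTH: User 'lg' authentication for SSH2 Session from 198.51.100.7 (tty = 1) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1-96' Failed",
    "Aug 4 2014 02:12:40.001 CEST: %SSH-5-SSH2_USERAUTH: User 'admin' authentication for SSH2 Session from 198.51.100.7 (tty = 1) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1-96' Succeeded",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Feed it the saved output of `show logging` (one line per list entry) and pass the real looking-glass address as `lg_addr`.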