Damage Mitigation Accounts
One of the concepts I was able to convince my significant other of was that if I was going to be teaching Cisco at work, I should be using Cisco at home. The commercial routers are much more reliable and overall it has really been worth the investment. After just over a year, one thing that remained an annoyance was her needing to use the CLI to reset our Cable and DSL connections.
In my studies I came across a unique way to solve this problem. The first portion involves setting up a username and password. After that is done, you also need to set that account to launch a menu as soon as you log on. This effectively keeps this account from being able to access the CLI.
username spouse.lastname privilege 15 secret 5 $1$JpBN$MvK.1EtlPLCgX6Jt517gY/
username spouse.lastname autocommand menu SPOUSE
After the account is created and pointed to the menu, you need to create menu options to choose from. Don’t forget to give your user the option to log off. It is all fun and games until you can’t leave your router. In this case I have set up the ability to Shutdown/Restart interfaces for both my Cable and DSL connections.
menu SPOUSE text 1 Shutdown Cable Internet
menu SPOUSE command 1 event manager run SHUTC
menu SPOUSE text 2 Restart Cable Internet
menu SPOUSE command 2 event manager run NOSHUTC
menu SPOUSE text 3 Shutdown DSL Internet
menu SPOUSE command 3 event manager run SHUTD
menu SPOUSE text 4 Restart DSL Internet
menu SPOUSE command 4 event manager run NOSHUTD
menu SPOUSE text 5 Logout
menu SPOUSE command 5 exit
To give the menu the ability to do something other than just look pretty on your screen, you are going to need to configure EEM (Embedded Event Manager). In this case, EEM issues a series of commands when menu items are selected.
event manager applet SHUTC
 event none
 action 1.0 cli command "en"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "int fa 0/0"
 action 4.0 cli command "shutdown"
event manager applet NOSHUTC
 event none
 action 1.0 cli command "en"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "int fa 0/0"
 action 4.0 cli command "no shut"
event manager applet SHUTD
 event none
 action 1.0 cli command "en"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "int fa 0/1"
 action 4.0 cli command "shutdown"
event manager applet NOSHUTD
 event none
 action 1.0 cli command "en"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "int fa 0/1"
 action 4.0 cli command "no shut"
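An offline check of a saved configuration for the mistakes this setup invites, written as an added example (not part of the original post): it flags a menu with no exit or logout item, a menu-exit item (which leaves the menu for the CLI), and menu items that run an EEM applet that is undefined or lacks event none. Both sample configs are constructed, and SHUTX is a made-up applet name.

```python
import re

# Constructed sample: a trimmed copy of this post's configuration.
GOOD = """\
username spouse.lastname autocommand menu SPOUSE
menu SPOUSE command 1 event manager run SHUTC
menu SPOUSE command 5 exit
event manager applet SHUTC
 event none
 action 1.0 cli command "en"
"""
# Constructed sample with three mistakes (SHUTX is a made-up applet name).
BAD = """\
username spouse.lastname autocommand menu SPOUSE
menu SPOUSE command 1 event manager run SHUTX
menu SPOUSE command 2 menu-exit
"""

def audit(config):
    """Return findings for menu-locked accounts in an IOS config text."""
    users, menus, applets, current = {}, {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"username (\S+) autocommand menu (\S+)$", line):
            users[m[1]] = m[2]                      # user -> menu name
        elif m := re.match(r"menu (\S+) command \S+ (.+)$", line):
            menus.setdefault(m[1], []).append(m[2])  # menu -> commands
        elif m := re.match(r"event manager applet (\S+)", line):
            current = m[1]
            applets[current] = False                 # no "event none" yet
        elif line == "event none" and current:
            applets[current] = True                  # manually runnable
    findings = []
    for user, menu in users.items():
        cmds = menus.get(menu)
        if cmds is None:
            findings.append(f"{user}: menu {menu} is not defined")
            continue
        if not any(c in ("exit", "logout") for c in cmds):
            findings.append(f"{menu}: no exit/logout item, user cannot leave")
        if "menu-exit" in cmds:
            findings.append(f"{menu}: menu-exit drops {user} to the CLI")
        for c in cmds:
            if m := re.match(r"event manager run (\S+)", c):
                if m[1] not in applets:
                    findings.append(f"{menu}: applet {m[1]} is not defined")
                elif not applets[m[1]]:
                    findings.append(f"{menu}: applet {m[1]} lacks 'event none'")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(BAD)))
```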
This completes the configuration portion. At this point (assuming telnet or SSH is configured), all you need to do is log in to your router with the information you just created. The login should look like this: