Damage Mitigation Accounts

One of the concepts I was able to convince my significant other of was that if I was going to be teaching Cisco at work, I should be using Cisco at home.  The commercial routers are much more reliable, and overall it has really been worth the investment.  After just over a year, one thing that remained an annoyance was her needing to use the CLI to reset our Cable and DSL connections.

In my studies I came across a unique way to solve this problem.  The first portion involves setting up a username and password.  After that is done, you also need to point that account at a menu (via an autocommand) so the menu is presented as soon as the user logs on.  This effectively keeps the account from ever reaching the CLI.

username spouse.lastname privilege 15 secret 5 $1$JpBN$MvK.1EtlPLCgX6Jt517gY/
username spouse.lastname autocommand menu SPOUSE

After the account is created and pointed to the menu, you need to create the menu options to choose from.  Don’t forget to give your user the option to log off.  It is all fun and games until you can’t leave your router.  In this case I have set up the ability to shut down and restart the interfaces for both my Cable and DSL connections.

menu SPOUSE text 1 Shutdown Cable Internet
menu SPOUSE command 1 event manager run SHUTC
menu SPOUSE text 2 Restart Cable Internet
menu SPOUSE command 2 event manager run NOSHUTC
menu SPOUSE text 3 Shutdown DSL Internet
menu SPOUSE command 3 event manager run SHUTD
menu SPOUSE text 4 Restart DSL Internet
menu SPOUSE command 4 event manager run NOSHUTD
menu SPOUSE text 5 Logout
menu SPOUSE command 5 exit 

To give the menu the ability to do something other than just look pretty on your screen, you are going to need to configure EEM (Embedded Event Manager).  In this case, each menu item runs an EEM applet, and the applet issues a series of CLI commands when that item is selected.

event manager applet SHUTC
 event none
 action 1.0 cli command "en"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "int fa 0/0"
 action 4.0 cli command "shutdown"
event manager applet NOSHUTC
 event none
 action 1.0 cli command "en"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "int fa 0/0"
 action 4.0 cli command "no shut"
event manager applet SHUTD
 event none
 action 1.0 cli command "en"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "int fa 0/1"
 action 4.0 cli command "shutdown"
event manager applet NOSHUTD
 event none
 action 1.0 cli command "en"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "int fa 0/1"
 action 4.0 cli command "no shut"

This completes the configuration portion.  At this point (assuming telnet or SSH is configured), all you need to do is login to your router with the information you just created.  The login should look like this:

All you need to do is press a number on the keypad and the specified action is carried out.  The menu will not give you any feedback, so if you want to verify that the change actually takes effect, log in to the CLI from another account and watch the console messages.

The next question is, would there be a tactical use for this?  If you have a TACACS+ server, you could easily re-create these limitations there, but you might not always have a TACACS+ server in the field.  If you are forced to create an account for someone you believe would be dangerous if given access to the CLI, this would be a great tactical fix for your problem.
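Because the menu gives no feedback and a typo in any of the three pieces (username, menu, applet) quietly leaves a gap, it is worth checking the configuration before handing the account over.  The following Python script is an added example, not from the original post: it parses a running-config fragment and reports privilege 15 accounts with no autocommand menu, menus with no logout item, and menu items that call an EEM applet that was never defined.  The sample config is constructed from the post's lines with the password hash replaced by a placeholder and one applet deliberately left out so the checker has something to report.

```python
import re

# Constructed sample: the post's config, hash replaced by a placeholder,
# and the NOSHUTC applet deliberately omitted so a finding is produced.
SAMPLE_CONFIG = """
username spouse.lastname privilege 15 secret 5 HASH_PLACEHOLDER
username spouse.lastname autocommand menu SPOUSE
menu SPOUSE text 1 Shutdown Cable Internet
menu SPOUSE command 1 event manager run SHUTC
menu SPOUSE text 2 Restart Cable Internet
menu SPOUSE command 2 event manager run NOSHUTC
menu SPOUSE text 5 Logout
menu SPOUSE command 5 exit
event manager applet SHUTC
 event none
 action 1.0 cli command "configure terminal"
"""

LOGOUT_COMMANDS = ("exit", "menu-exit")  # either ends the menu session


def audit_menu_accounts(config):
    """Return a list of human-readable findings for menu-restricted accounts."""
    findings = []
    # username -> menu name, for every account that is forced into a menu
    autocmd = dict(re.findall(r"^username (\S+) autocommand menu (\S+)", config, re.M))
    # menu name -> {item number: command string}
    menus = {}
    for name, idx, cmd in re.findall(r"^menu (\S+) command (\d+) (.+)$", config, re.M):
        menus.setdefault(name, {})[idx] = cmd.strip()
    applets = set(re.findall(r"^event manager applet (\S+)", config, re.M))
    priv15 = set(re.findall(r"^username (\S+) privilege 15", config, re.M))

    # A privilege 15 account with no autocommand lands on the full CLI.
    for user in sorted(priv15 - set(autocmd)):
        findings.append(f"{user}: privilege 15 with no autocommand menu")
    for user, menu in autocmd.items():
        items = menus.get(menu)
        if items is None:
            findings.append(f"{user}: autocommand menu {menu} is not defined")
            continue
        if not any(c in LOGOUT_COMMANDS for c in items.values()):
            findings.append(f"{menu}: no logout option")
        for idx, cmd in items.items():
            m = re.match(r"event manager run (\S+)", cmd)
            if m and m.group(1) not in applets:
                findings.append(f"{menu} item {idx}: applet {m.group(1)} not defined")
    return findings
```

Paste the output of `show running-config` into the string in place of the constructed sample to check a real router.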
