A New Name

Beginning December 17th, 2014, http://rowell.dionicio.net will now be known as Packet6, packet6.com, which is now hosted on WP Engine. I decided to rebrand the blog to focus primarily on routing, switching, and wireless.

I apologize for any confusion if you were expecting to see http://rowell.dionicio.net.

As a side note, Packet6 is much easier to say and remember ;)

Please update your feeds to http://www.packet6.com/feed

Killing 2.4GHz Wifi

Wifi is a fantastic technology. For most people, it is easy to turn on an AP and forget about it. It may work at home but it can have negative effects in the workplace. I was called in to assist my colleagues at an environment where users were having terrible wireless experiences. The end users rely on wifi quite a bit and more often during meetings.

The coverage for the office was great but end users were having issues on the 2.4GHz spectrum. My colleague had done some testing and verified that anyone on channels 1 and 6 were getting good connectivity. Once you were on channel 11 you could barely connect to a local server and you were lucky if you could successfully associate to the SSID.

Once that news was passed to me I knew it had to be interference. So time to launch my spectrum analyzer, Chanalyzer, and the Wi-Spy DBx from Metageek. Right away, channel 11 began to visualize in red on the Overview pane. I walked around the office looking for the signal to get stronger. This is where I wish I had the Device Finder.

Interference colored in red

Chanalyzer colors activity above 50% at an amplitude point red. The problem was easy to find. I came across a consumer level Netgear AP with blinky lights. As soon as it was unplugged Chanalyzer changed density colors from red to yellow to green and it soon faded away.

Turns out, someone in R&D was using the AP to perform wireless multicast testing with mobile devices. The IT staff onsite is now transitioning mostly to 5GHz and I support them 100%!

Post-spectrum once interference was removed.

How To Create a Read Only User in Cisco IOS

Sometimes you will have vendors or junior network administrators needing access to your network equipment. Giving them the keys to the kingdom is not the best decision. Additionally, you’ll need to change the password after the vendor is finished. Or you forget to remove that vendor’s full access account from your router. A safer method is to create a read only account. This is done using privilege levels built into Cisco IOS.

With this method you are using the local database of the router/switch to create a read only user account. The ideal way to grant permissions is to use TACACS+ but that is another discussion.

Create your user accounts

Cisco uses privilege levels to determine what a user account will have access to on the device. There are 16 privilege levels but the system will have two already configured. The rest of the levels are for you to modify. Privilege level 15 is the highest level and is similar to a root user. Privilege level 1 is the lowest of the levels and basically can’t do anything.

Make sure you have an account with full permissions to the device. Then configure a new user for your read only account. I will use privilege level 3 for the read only account.

R1(config)#username admin privilege 15 secret Secret01
R1(config)#username readonly privilege 3 secret ReadOnly03

Of course, use much stronger passwords than the ones I have used above. This is just for lab purposes.

Enable Password Checking

Next, I will apply enable password checking on the vty lines. When a user tries to SSH into my router, they will be prompted for a username and password. Those credentials will be looked up on the local database and if there’s a match, the user is allowed into the router.

R1(config)#line vty 0 15
R1(config-line)#login local

Verify Login

With login local configured for my vty lines, I will attempt to ssh into R1 from R2 using my readonly account.

R2#ssh -l readonly
R1#conf t
% Invalid input detected at '^' marker.

I am able to ssh into R1 but because I have assigned privilege level 3 to the account, it can’t really perform any changes or even view the running config file. Next we will configure which commands privilege level 3 users can issue on the CLI. Because this is going to be a read only account, I want to give the user privileges to just see the running config file.

Configure Privilege Level 3 Commands

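The steps above (local accounts, login local on the vty lines, then lowering the one command the read only user needs) put together as one complete configuration. This is an added example, not configuration from the original post; the hostnames, usernames and passwords are lab placeholders, and the `transport input ssh` line is extra hardening the post does not show.

```cisco
! Added example (not from the original post): read only account built
! with IOS privilege levels. Replace the CHANGE-ME placeholders.
hostname R1
!
! Full access administrator (level 15) and the read only account (level 3).
! "secret" stores a hash in the config rather than the clear text password.
username admin privilege 15 secret CHANGE-ME-admin
username readonly privilege 3 secret CHANGE-ME-readonly
!
! Lower "show running-config" to level 3 so the read only account can run it.
! Every other command keeps its default level, so "configure terminal"
! (level 15) still returns "% Invalid input detected" for this user.
privilege exec level 3 show running-config
!
! Authenticate vty sessions against the local user database, SSH only.
line vty 0 15
 login local
 transport input ssh
!
end
```

Two things to check after applying it. First, log in as readonly and run `show privilege`; it should report level 3, and `configure terminal` should be rejected exactly as in the verification step above. Second, when `show running-config` is run from a lower privilege level, IOS only displays the parts of the configuration that level is allowed to see, so the output for the readonly user will be much shorter than what the admin account sees; test it from the read only session rather than assuming the user gets the whole file.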