Privilege level for Arista EOS

For authenticated scanning of Arista EOS devices, provide a user account with privilege level 15 (recommended), or an account with a lower privilege level that has been configured to execute all of the commands required for scanning these devices.

Important - Please be aware that sensitive configurations could be at risk when you grant access to commands to a user account with a lower privilege level. Please assign the appropriate privilege level per your business needs and your organization's security policies.

Commands required for scanning

show banner login
show banner motd
show interface status
show logging
show running-config all

Privilege levels

By default, the three privilege levels are:

Level 0 - Includes only basic commands (disable, enable, exit, help, and logout)

Level 1 - Includes all commands available at the User EXEC command mode

Level 15 - Includes all commands available at the Privileged EXEC command mode

The levels between these minimum and maximum levels are undefined until the administrator assigns commands and/or users to them. The administrator can therefore assign users to these intermediate privilege levels to separate what different users have access to.

How to create a scan user account on the system to scan

1) Add a new user with privilege level and role. In this example, the user "qualys_scan" has privilege level 2 and the role "qualys".

vsveos415(config)#username qualys_scan privilege 2 role qualys secret test123

2) Configure the role to "permit" or "deny" execution of certain commands. You'll need to permit all of the commands that are required for scanning (listed above).

vsveos415(config)#role qualys
vsveos415(config-role-qualys)#10 permit mode exec command show logging
vsveos415(config-role-qualys)#11 permit mode exec command show banner login
vsveos415(config-role-qualys)#12 permit mode exec command show banner motd
vsveos415(config-role-qualys)#13 permit mode exec command show interface status
vsveos415(config-role-qualys)#14 permit mode exec command show running-config all
vsveos415(config-role-qualys)#exit

3) Log in with the newly added user and confirm that you can access permitted commands.
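
One way to check the result of step 2 offline, as an added example (not Qualys or Arista code): the script parses the role block from a saved configuration and reports required scan commands that are not permitted, plus any permit rules beyond the five listed above. The sample configuration is constructed from the commands on this page; the indented saved-config layout and the literal matching of rule text are assumptions.

```python
import re

# Commands the page lists as required for scanning.
REQUIRED = ["show banner login", "show banner motd", "show interface status",
            "show logging", "show running-config all"]

# Rule form used on this page: <seq> permit|deny mode <mode> command <text>
RULE = re.compile(r"^\s+(\d+)\s+(permit|deny)\s+(?:mode\s+(\S+)\s+)?command\s+(.+?)\s*$")

# Constructed sample (assumed saved-config layout): the page's role with
# rule 12 missing and one extra permit added.
SAMPLE = """\
role qualys
   10 permit mode exec command show logging
   11 permit mode exec command show banner login
   13 permit mode exec command show interface status
   14 permit mode exec command show running-config all
   20 permit mode exec command configure
!
"""


def parse_role(config_text, role):
    """Return [(seq, action, mode, command)] for the named role block."""
    rules, inside = [], False
    for line in config_text.splitlines():
        if not line[:1].isspace():  # an unindented line starts or ends a block
            inside = line.strip() == f"role {role}"
            continue
        m = RULE.match(line) if inside else None
        if m:
            rules.append((int(m[1]), m[2], m[3], m[4]))
    return sorted(rules, key=lambda r: r[0])


def audit_role(config_text, role):
    """Return (missing, extra) exec-mode permits versus REQUIRED, matched literally."""
    permits = [cmd for _, action, mode, cmd in parse_role(config_text, role)
               if action == "permit" and mode in (None, "exec")]
    missing = [c for c in REQUIRED if c not in permits]
    extra = [c for c in permits if c not in REQUIRED]
    return missing, extra


if __name__ == "__main__":
    missing, extra = audit_role(SAMPLE, "qualys")
    print("missing required permits:", missing)
    print("permits beyond scan needs:", extra)
```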
