--- title: "Configuration Examples" slug: "configuration-examples" description: "Configure read-only SSH for Cisco, Juniper, and Arista devices. Enable Kentik’s AI-Assisted NetOps for automated network insights and diagnostics." updated: 2026-03-04T22:32:59Z published: 2026-03-04T22:32:59Z --- > ## Documentation Index > Fetch the complete documentation index at: https://kb.kentik.com/llms.txt > Use this file to discover all available pages before exploring further. # Configuration Examples To allow Kentik’s [**AI Advisor**](/v1/docs/ai-advisor) to pull configuration state and run diagnostic commands, the Universal Agent requires read-only SSH access to your network devices. Below are the standard configuration snippets for creating a local read-only user (e.g., `kentik_ro`) on our supported platforms. ## Juniper Junos Junos has a built-in `read-only` login class that provides the exact permissions the Kentik Agent needs to view configurations and run operational `show` commands without the ability to alter the system. ```plaintext configure set system login user kentik_ro class read-only set system login user kentik_ro authentication plain-text-password ! Enter password when prompted set system services ssh commit ``` ## Cisco NX-OS (Nexus) For Nexus devices, the built-in `network-operator` role restricts the user to read-only access, preventing any configuration changes while allowing full visibility into the device state. ```plaintext configure terminal feature ssh username kentik_ro password 0 role network-operator exit copy running-config startup-config ``` ## Arista EOS Similar to NX-OS, Arista EOS utilizes a `network-operator` role. Assigning this to the Kentik service account ensures secure, read-only API and CLI access. ```plaintext configure terminal management ssh   server enable exit username kentik_ro privilege 1 secret role network-operator exit write memory ``` ## Cisco IOS / IOS-XE Cisco IOS-XE requires slightly more care. Because the `show running-config` command natively requires Privilege Level 15, the safest local approach is to create a Level 15 user but restrict them to a read-only Parser View. > [!NOTE] > **Note**: If you use TACACS+, simply authorize `show` commands and deny `configure terminal`). ```plaintext configure terminal aaa new-model ! Enable secret is required to use parser views enable secret ! Create a read-only view parser view kentik-view secret 5 commands exec include all show ! specifically ensure show run is allowed commands exec include show running-config exit ! Create the user and assign them to this view username kentik_ro view kentik-view secret exit write memory ```