Sunday 5 May 2013

Role-Based Access Control

The Role-Based CLI Access feature allows the network administrator to define "views", each of which is a set of operational commands and configuration capabilities that provides selective or partial access to Cisco IOS EXEC and configuration (config) mode commands. Views restrict user access to the Cisco IOS command-line interface (CLI) and to configuration information.

Root View
When a system is in "root view," it has all of the access privileges as a user who has level 15 privileges. If the administrator wishes to configure any view to the system (such as a CLI view, a superview, or a lawful intercept view), the system must be in root view.
The difference between a user who has level 15 privileges and a root view user is that a root view user can configure a new view and add or remove commands from the view. Also, when you are in a CLI view, you have access only to the commands that have been added to that view by the root view user.

Superviews
A superview consists of one or more CLI views, which allow users to define what commands are accepted and what configuration information is visible. Superviews allow a network administrator to easily assign all users within configured CLI views to a superview instead of having to assign multiple CLI views to a group of users.

Superviews contain these characteristics:
• A CLI view can be shared among multiple superviews.
• Commands cannot be configured for a superview; that is, you must add commands to the CLI view and then add that CLI view to the superview.
• Users who are logged into a superview can access all of the commands that are configured for any of the CLI views that are part of the superview.
• Each superview has a password that is used to switch between superviews or from a CLI view to a superview.
• If a superview is deleted, the CLI views associated with it are not deleted with it.

Authentication via a New AAA Attribute

View authentication is performed by an external authentication, authorization, and accounting (AAA) server via the new attribute "cli-view-name."
AAA authentication associates only one view name to a particular user; that is, only one view name can be configured for a user in an authentication server.
  • Configuring a CLI View (required)
    • AAA new-model must be enabled:
      aaa new-model
    • Enter root view:
      enable view
    • Create a view and enter view configuration mode:
      parser view view-name
    • Configure the password for the view:
      secret 5 encrypted-password
    • Add EXEC or config commands to the view:
      commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]
      • include—Adds a command or an interface to the view and allows the same command or interface to be added to an additional view.
      • include-exclusive—Adds a command or an interface to the view and prevents the same command or interface from being added to any other view.
      • exclude—Excludes a command or an interface from the view; that is, users of the view cannot access that command or interface.
      • all—A "wildcard" that allows every command in a specified configuration mode that begins with the same keyword, or every subinterface of a specified interface, to be part of the view.
      • interface interface-name—Interface that is added to the view.
      • command—Command that is added to the view.
  • Configuring a Superview (optional)
    • Enter root view:
      enable view
    • Create a superview and enter view configuration mode:
      parser view superview-name superview
    • Associate the superview with a password:
      secret 5 encrypted-password
    • Add a normal CLI view to the superview:
      view view-name

Example:

parser view CLI_VIEW_1
 secret 5 $1$3R6N$Z3dleEBoQkgtfrladEprt.
 commands interface include all ip
 commands configure include interface
 commands exec include configure terminal
 commands exec include configure
 commands exec include show interfaces
 commands exec include show running-config
 commands exec include show
 commands configure include interface FastEthernet1/0

parser view CLI_VIEW_2
 secret 5 $1$B1y2$KmkRM.QupXXPcCfoyNc9q/
 commands configure include interface
 commands exec include configure terminal
 commands exec include configure
 commands configure include interface FastEthernet1/1

parser view SUPERVIEW superview
 secret 5 $1$njZX$7xJL6nSgKfLtWNAfAOw8W.
 view CLI_VIEW_1
 view CLI_VIEW_2
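The superview characteristics and the configuration steps above can be checked offline against a saved running-config. The following Python script is an added example, not part of the original post and not Cisco's own tooling: it parses the `parser view` blocks in the layout shown in the post, computes the effective command set of each view (a superview grants the union of its member CLI views; a CLI view grants its includes minus its excludes), and reports what contradicts the stated rules: a superview carrying commands of its own, a `view` reference to a view that does not exist, and a command that one view holds `include-exclusive` yet another view also includes. The embedded sample config is constructed for this example: a trimmed copy of CLI_VIEW_1, CLI_VIEW_2 and SUPERVIEW from the post, plus a hypothetical NOC_VIEW with a placeholder secret and a deliberately dangling MISSING_VIEW reference.

```python
"""Offline audit of Cisco IOS parser views (added example, not Cisco's own code)."""
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the post's CLI_VIEW_1 / CLI_VIEW_2 /
# SUPERVIEW plus a hypothetical NOC_VIEW (placeholder hash) and a dangling
# MISSING_VIEW reference, so the checks below have something to report.
SAMPLE_CONFIG = """\
parser view CLI_VIEW_1
 secret 5 $1$3R6N$Z3dleEBoQkgtfrladEprt.
 commands interface include all ip
 commands configure include interface
 commands exec include configure terminal
 commands exec include show running-config
 commands configure include interface FastEthernet1/0
!
parser view CLI_VIEW_2
 secret 5 $1$B1y2$KmkRM.QupXXPcCfoyNc9q/
 commands configure include interface
 commands exec include configure terminal
 commands configure include interface FastEthernet1/1
!
parser view NOC_VIEW
 secret 5 PLACEHOLDER-HASH
 commands exec include-exclusive show running-config
 commands exec include show
!
parser view SUPERVIEW superview
 secret 5 $1$njZX$7xJL6nSgKfLtWNAfAOw8W.
 view CLI_VIEW_1
 view CLI_VIEW_2
 view MISSING_VIEW
!
"""

HEADER_RE = re.compile(r"^parser view (\S+)( superview)?$")
COMMANDS_RE = re.compile(r"^commands (\S+) (include-exclusive|include|exclude)(?: (all))? (.+)$")


@dataclass
class View:
    name: str
    is_superview: bool
    commands: list = field(default_factory=list)  # (mode, action, wildcard, command)
    members: list = field(default_factory=list)   # `view` lines of a superview


def parse_views(config: str) -> dict:
    """Return {name: View} for every parser view block; 'secret' lines are skipped."""
    views, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = View(header.group(1), header.group(2) is not None)
            views[current.name] = current
        elif line == "!":
            current = None  # a top-level '!' closes the block
        elif current is not None and line.startswith("view "):
            current.members.append(line.split(None, 1)[1])
        elif current is not None and line.startswith("commands "):
            m = COMMANDS_RE.match(line)
            if m:
                current.commands.append((m.group(1), m.group(2), m.group(3) is not None, m.group(4)))
    return views


def effective_commands(views: dict, name: str) -> set:
    """(mode, command) pairs a user of the view can run: a superview grants the
    union of its members, a CLI view its includes minus its excludes."""
    view = views[name]
    if view.is_superview:  # members that do not exist are reported by audit()
        return set().union(*(effective_commands(views, m) for m in view.members if m in views))

    def key(mode, wild, cmd):  # wildcard entries keep the 'all' prefix visibly
        return (mode, "all " + cmd if wild else cmd)
    included = {key(mo, w, c) for mo, act, w, c in view.commands if act != "exclude"}
    excluded = {key(mo, w, c) for mo, act, w, c in view.commands if act == "exclude"}
    return included - excluded


def audit(views: dict) -> list:
    """Findings that contradict the superview rules stated in the post."""
    findings, exclusive = [], {}  # exclusive: (mode, command) -> view that claimed it
    for view in views.values():
        if view.is_superview:
            if view.commands:
                findings.append(f"{view.name}: superview carries commands; put them in a CLI view")
            findings += [f"{view.name}: references missing view {m}" for m in view.members if m not in views]
        else:
            for mode, act, _w, cmd in view.commands:
                if act == "include-exclusive":
                    exclusive.setdefault((mode, cmd), view.name)
    for view in views.values():  # superviews hold no commands, so only CLI views matter here
        for mode, act, _w, cmd in view.commands:
            owner = exclusive.get((mode, cmd))
            if owner and owner != view.name and act != "exclude":
                findings.append(f"{view.name}: includes {mode} '{cmd}' held include-exclusive by {owner}")
    return findings


if __name__ == "__main__":
    parsed = parse_views(SAMPLE_CONFIG)
    for view_name in parsed:
        print(view_name, sorted(effective_commands(parsed, view_name)))
    for finding in audit(parsed):
        print("FINDING:", finding)
```

Run against the sample, the audit reports the dangling MISSING_VIEW reference in SUPERVIEW and the clash between NOC_VIEW's `include-exclusive show running-config` and CLI_VIEW_1's `include show running-config`. The device itself refuses such a clash at configure time, which is exactly why an offline check is useful when views are produced from templates or reviewed from a backup rather than typed in at the console. The `secret` hashes are deliberately ignored: they decide who can enter a view, not what the view grants.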
  • Monitoring Views and View Users (optional)
R1#show parser view
Current view is 'root'
R1#show parser view all
Views/SuperViews Present in System:
 CLI_VIEW_1
 CLI_VIEW_2
 SUPERVIEW *
-------(*) represent superview-------

R1#show parser dump ?

R1#enable view SUPERVIEW
Password:
R1#show parser view
Current view is 'SUPERVIEW'
R1#?
Exec commands:
  configure  Enter configuration mode
  enable     Turn on privileged commands
  exit       Exit from the EXEC
  show       Show running system information
R1#show ?
  bootflash:      display information about bootflash: file system
  disk0:          display information about disk0: file system
  disk1:          display information about disk1: file system
  flash:          display information about flash: file system
  interfaces      Interface status and configuration
  parser          Show parser commands
  running-config  Current operating configuration
  slot0:          display information about slot0: file system
  slot1:          display information about slot1: file system
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#?
Configure commands:
  do         To run exec commands in config mode
  exit       Exit from configure mode
  interface  Select an interface to configure
