Cisco Router and Security Device Manager (Role-Based Command-Line Interface (CLI) Access) - NetwaxLab


Saturday, May 23, 2015


Cisco routers do so many things today besides routing that I frequently get asked: how can I give such-and-such group limited, specific access to my router? A common example I run into is a customer whose routers run multiple services: firewall, IPS, VPN, QoS, voice gateway and, of course, routing. The network team typically holds exclusive admin privileges on the router but frequently needs to give other groups limited, controlled access to the gear. The security team wants access to the IPS configuration, the voice group wants access to the voice gateway, the NOC support staff want access for troubleshooting, and so on. The bottom line is that people want to know how to configure their Cisco routers for easy yet granular role-based access control.

(Figure: Role Based Views)

Available in Cisco IOS® Software Release 12.3(7)T. Up to sixteen CLI views:
  • Role-based views,
  • One “root” view,
  • Up to fifteen custom views,
  • Standard feature in all Cisco IOS Software images.

The Cisco® Router and Security Device Manager (SDM) can create and delete four predefined views for Cisco SDM users:

  1. SDM_Administrator (root): A user associated with this view type has complete access to Cisco SDM and can perform all operations that Cisco SDM supports.
  2. SDM_Monitor: A user associated with this view type can monitor all the features supported by Cisco SDM, but cannot deliver configurations using Cisco SDM. The user can navigate the various areas of Cisco SDM, such as the Interfaces and Connections, Firewall, and VPN features; however, the user interface components in these areas are disabled.
  3. SDM_Firewall: A user associated with this view type can use the Cisco SDM Firewall and Monitor features. The user can configure firewalls and access control lists (ACLs) using the Firewall wizard, Firewall Policy View, Inspect Rule Editor, and the ACL Editor. The user can associate or disassociate ACLs and inspect rules from Interfaces and Connections; user interface components in other areas are disabled for this user.
  4. SDM_EasyVPN_Remote: A user associated with this view type can use the Cisco SDM Easy VPN Remote features. The user can create and edit Easy VPN Remote connections. User interface components in other areas are disabled for this user.


There are four types of views:
  • CLI view: where you configure the command policy for a particular role.
  • Root view: the view you must be in on the router in order to configure a CLI view (requires privilege level 15).
  • Superview: a collection of multiple CLI views merged together.
  • Lawful intercept view: a lawful intercept user can only access the lawful intercept commands held within the TAP Management Information Base (TAP-MIB).

Prerequisite Configuration:

  • The “enable” password must exist:
      • Password encryption is recommended.
      • For better security, use an “enable secret” password.
      • To access the root view, the password used is the enable secret (if present) or the enable password (if no enable secret is configured).
  • AAA must first be enabled with the aaa new-model command.
  • The root view user must have privilege level 15, assigned via the privilege command.

Solve Lab 22: Role Based CLI

Configuration:

R1#enable view
% AAA must be configured.

R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#aaa new-model
R1(config)#end

R1#enable view root
Please enter your password:
(prompted for the enable password)

R1#
Sep  7 22:51:47.297: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
R1#sh privilege
Currently in View Context with view 'root'
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#parser view HELPDESK
R1(config-view)#
Sep  7 23:16:40.889: %PARSER-6-VIEW_CREATED: view 'HELPDESK' successfully created.

R2(config-view)#commands exec ?
  exclude            Exclude the command from the view
  include            Add command to the view
  include-exclusive  Include in this view but exclude from others

R1(config-view)#commands exec include show version
% Password not set for the view HELPDESK
Initially, I am unable to configure commands. Configuring a secret is mandatory prior to allowing any commands.
R1(config-view)#secret cisco1
R1(config-view)#commands exec include show version
R2(config-view)#commands exec include show ip interface
R2(config-view)#exit


R2#enable view HELPDESK
Please enter your password:


R2#
Sep  8 06:02:17.324: %PARSER-6-VIEW_SWITCH: successfully set to view 'HELPDESK'.
R2#?
Exec commands:
  enable  Turn on privileged commands
  exit    Exit from the EXEC
  show    Show running system information


R2#show ?
  flash:  display information about flash: file system
  ip      IP information
  parser  Show parser commands


R2#show ip ?
  interface  IP interface status and configuration


R2#show ip interface
FastEthernet0/0 is up, line protocol is up
  Internet address is 10.1.4.4/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.9
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP multicast fast switching is enabled
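To tie the prerequisites listed above and the HELPDESK lab together, here is an added Python example of my own (it is not code from the NetwaxLab post or from Cisco). It parses the parser view blocks out of a saved running-config, reports which of the post's prerequisites are missing (aaa new-model, an enable secret, a secret on every view), and models the include / exclude / include-exclusive rules so you can check what a view will and will not permit before pushing it to a router. The two sample configs, the placeholder hashes and the prefix-matching rule are constructed assumptions of this example, not a description of the IOS parser itself.

```python
"""Cisco role-based CLI views modelled in Python (added example, not the post's own code).

Parses `parser view` blocks out of a running-config, audits the post's prerequisites
(aaa new-model, enable secret, a secret on every view) and decides whether a view may
run a command under include / exclude / include-exclusive. The prefix matching is a
simplified model assumed by this example, not a description of the IOS parser itself.
"""
import re
from dataclasses import dataclass, field

# Constructed sample configs; the hashes are placeholders, not real secrets.
GOOD_CONFIG = """\
hostname R1
aaa new-model
enable secret 5 $1$PLACEHOLDER$enable-secret-hash
!
parser view HELPDESK
 secret 5 $1$PLACEHOLDER$view-secret-hash
 commands exec include show version
 commands exec include show ip interface
 commands exec include show ip route
!
parser view NOC
 secret 5 $1$PLACEHOLDER$view-secret-hash
 commands exec include-exclusive show ip route
 commands exec include show ip
 commands exec exclude show ip bgp
!
end
"""
BAD_CONFIG = """\
hostname R2
enable password cisco
!
parser view HELPDESK
 commands exec include show version
!
end
"""

@dataclass
class View:
    name: str
    has_secret: bool = False
    include: list = field(default_factory=list)
    exclude: list = field(default_factory=list)
    include_exclusive: list = field(default_factory=list)

def parse_views(config: str) -> dict:
    """Return {view name: View} built from the parser view blocks."""
    views, current = {}, None
    for raw in config.splitlines():
        if not raw.startswith(" "):           # any top-level line ends the current block
            current = None
        m = re.match(r"parser view (\S+)$", raw)
        if m:
            current = View(m.group(1))
            views[current.name] = current
        elif current is not None:
            line = raw.strip()
            if line.startswith("secret "):
                current.has_secret = True
            m = re.match(r"commands \S+ (include-exclusive|include|exclude) (.+)", line)
            if m:                             # \S+ is the parser mode (exec, configure, ...)
                getattr(current, m.group(1).replace("-", "_")).append(m.group(2))
    return views

def audit_prerequisites(config: str) -> list:
    """Findings against the post's prerequisites; an empty list means they all hold."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: 'enable view' answers '% AAA must be configured.'")
    has_secret = any(l.startswith("enable secret") for l in lines)
    has_password = any(l.startswith("enable password") for l in lines)
    if not (has_secret or has_password):
        findings.append("no enable secret or enable password: the root view cannot be entered")
    elif not has_secret:
        findings.append("only 'enable password' is set: prefer the hashed 'enable secret'")
    for view in parse_views(config).values():
        if not view.has_secret:
            findings.append(f"view {view.name} has no secret: IOS refuses its commands")
    return findings

def _covers(entry: str, command: str) -> bool:
    # An entry covers itself and every longer command that starts with it.
    return command == entry or command.startswith(entry + " ")

def command_allowed(views: dict, view_name: str, command: str) -> bool:
    """root sees everything; else an exclude wins, then another view's include-exclusive
    blocks the command, and finally this view's include/include-exclusive entries grant it."""
    if view_name == "root":
        return True
    view = views[view_name]
    if any(_covers(e, command) for e in view.exclude):
        return False
    if any(_covers(e, command) for o in views.values() if o is not view
           for e in o.include_exclusive):
        return False
    return any(_covers(e, command) for e in view.include + view.include_exclusive)

if __name__ == "__main__":
    print(audit_prerequisites(BAD_CONFIG))
    views = parse_views(GOOD_CONFIG)
    for name, cmd in [("HELPDESK", "show version"), ("HELPDESK", "show ip route"),
                      ("NOC", "show ip route"), ("NOC", "show ip bgp summary")]:
        print(name, repr(cmd), "permit" if command_allowed(views, name, cmd) else "deny")
```

Run it against a saved running-config to review a role's reach offline. A view whose include list carries a broad prefix such as show ip grants every command beneath it, so pairing broad includes with explicit excludes (as the sample NOC view does) is what keeps a delegated role narrow; and the audit reproduces the two refusals seen in the lab transcript (no AAA, no view secret) before they are hit on the router.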

