COMPUTER TIPS
How to configure Role-Based CLI Access using Cisco IOS?
Today we will configure Role-Based CLI Access on a Cisco router. The purpose of this configuration is to define views and superviews that provide selective, limited access to Cisco IOS commands. You can restrict a user to running and displaying only the commands defined in the view for that user. This feature was first introduced in IOS version 12.3(7)T. CLI views give the network administrator detailed access control for managing network security and accountability.
Configuring a first CLI View with name Five
In global configuration mode:
To create views, first run the aaa new-model command in global configuration mode on the router.
Router(config)# aaa new-model
(enable user authentication)
Router(config)# exit
(exit from global configuration mode)
Router# exit
Router> enable view
(enable the root view)
Router# configure terminal
(enter global configuration mode)
Router(config)# parser view Five
(create a View with name Five)
Router(config-view)# secret champion
(assign a secret password to view)
Router(config-view)# commands exec include show running
Router(config-view)# commands exec include show ip route
(add show running and show ip route commands to this view)
Router(config-view)# exit
(exit from view mode)
Router(config)# exit
(exit from global configuration mode)
Router# exit
(exit from privileged EXEC mode)
To verify which commands the Five view can access, run the following command from user EXEC mode.
Router> enable view Five
Router# ?
Type a question mark to list the commands that are included in the Five view.
Configuring a second CLI View with name Six
Router# configure terminal
(enter global configuration mode)
Router(config)# parser view Six
(create a View with name Six)
Router(config-view)# secret champion1
(assign a secret password to view)
Router(config-view)# commands exec include show startup-config
Router(config-view)# commands exec include show interface brief
(add show startup-config and show interface brief commands to this view)
Router(config-view)# exit
(exit from view mode)
Router(config)# exit
(exit from global configuration mode)
Router# exit
(exit from privileged EXEC mode)
To verify which commands the Six view can access, run the following command from user EXEC mode.
Router> enable view Six
Router# ?
Type a question mark to list the commands that are included in the Six view.
Adding both CLI Views to a Superview
You can assign one or more views to a superview; the superview then inherits all commands that are associated with those views.
Router# configure terminal
(enter global configuration mode)
Router(config)# parser view Seven superview
(create a superview with name Seven)
Router(config-view)# secret champion2
(assign a secret password to the superview)
Router(config-view)# view Five
(add view Five to the superview named Seven)
Router(config-view)# view Six
(add view Six to the superview named Seven)
Router(config-view)# exit
(exit from view mode)
Router(config)# exit
(exit from global configuration mode)
Router# exit
(exit from privileged EXEC mode)
To verify which commands the Seven superview can access, run the following commands from user EXEC mode.
Router> enable view Seven
Router# show parser view
Use this to verify the commands that the superview inherits from both views.
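An added example, not part of the original tutorial: a Python script for offline review of a saved configuration. It reads the parser view blocks, resolves which commands each view or superview can run, and flags views with no secret or superviews that name an undefined view. The sample configuration is constructed from the view names and commands on this page with placeholder secret hashes, and only the include form of the commands line is handled.

```python
import re
# Constructed sample using this page's views; secret hashes are placeholders.
SAMPLE_CONFIG = """\
parser view Five
 secret 5 <placeholder-hash>
 commands exec include show running
 commands exec include show ip route
!
parser view Six
 secret 5 <placeholder-hash>
 commands exec include show startup-config
 commands exec include show interface brief
!
parser view Seven superview
 secret 5 <placeholder-hash>
 view Five
 view Six
"""

def parse_views(config):
    """Map view name -> superview flag, secret presence, commands, member views."""
    views, cur = {}, None
    for line in config.splitlines():
        head = re.match(r"parser view (\S+)( superview)?\s*$", line)
        if head:
            cur = views[head[1]] = dict(super=bool(head[2]), secret=False, commands=[], members=[])
        elif cur is not None and line.startswith(" "):
            body = line.strip()
            inc = re.match(r"commands (\S+) include (.+)", body)
            if body.startswith("secret "):
                cur["secret"] = True
            elif body.startswith("view "):
                cur["members"].append(body.split()[1])
            elif inc:  # only the "include" form used on this page is handled
                cur["commands"].append((inc[1], inc[2]))
        else:
            cur = None  # "!" or any unindented line ends the view block
    return views

def effective_commands(views, name):
    """Commands usable in a view; a superview inherits those of its member views."""
    names = [name] + views[name]["members"]
    return sorted({c for n in names for c in views.get(n, {}).get("commands", [])})

def audit(views):
    """Findings: views with no secret, superviews naming an undefined view."""
    findings = [f"{n}: no secret set" for n, v in views.items() if not v["secret"]]
    return findings + [f"{n}: member view {m} is not defined"
                       for n, v in views.items() for m in v["members"] if m not in views]
```

Calling effective_commands(parse_views(SAMPLE_CONFIG), "Seven") returns the four show commands that the superview inherits from Five and Six, and audit() returns an empty list for this sample.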