5. Assigning Administrative Roles - Coggle Diagram
5.1 Configure Privilege Levels
5.1.1 Limiting Command Availability
Two methods help determine who should be allowed to connect to the device and what that person should be able to do with it: privilege levels and role-based CLI
Privilege levels define levels of access to commands
User EXEC mode (privilege level 1): the lowest level of user privileges; allows only user-level commands at the Router> prompt
Privileged EXEC mode (privilege level 15): all enable-level commands at the Router# prompt
Level 0 is predefined for user-level access privileges, with commands such as disable, enable, exit, help, and logout
Levels 2 - 14 may be customized for user-level privileges. Commands from lower levels may be moved up to a higher level, or commands from higher levels may be moved down to a lower level
To assign commands to a custom privilege level:
Router(config)# privilege mode {level level | reset} command
mode: Specifies the configuration mode
level: Enables setting a privilege level with a specified command (optional)
level: Specifies up to 16 privilege levels, using numbers 0 to 15
reset: Resets the privilege level of a command (optional)
command: Argument to use when you want to reset the privilege level (optional)
5.1.2 Configuring and Assigning Privilege Levels
To configure a privilege level with specific commands, use the privilege exec level level [command] global configuration mode command
Methods for assigning passwords to the different privilege levels:
To a user that is granted a specific privilege level, use the username name privilege level secret password global configuration mode command
To the privilege level itself, use the enable secret level level password global configuration mode command
5.1.3 Limitations of Privilege Levels
There is no access control to specific interfaces, ports, logical interfaces, and slots on a router
Commands available at lower privilege levels are always executable at higher levels
Commands specifically set at a higher privilege level are not available for lower privileged users
Assigning a command with multiple keywords allows access to all commands that use those keywords
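Worked example (added here; it is not part of the original Coggle diagram): a custom privilege level 5 built with the commands from 5.1.1 and 5.1.2, followed by the keyword caveat from 5.1.3. The router name, the user name, the passwords and the chosen commands are placeholders for this illustration.

```cisco
! Added example, not from the original diagram. Router name, user name and
! passwords are placeholders.
Router> enable
Router# configure terminal
! 5.1.1: move selected commands down to custom level 5. They remain executable
! at level 15, since lower-level commands are always available at higher levels.
Router(config)# privilege exec level 5 show running-config
Router(config)# privilege exec level 5 ping
Router(config)# privilege exec level 5 configure terminal
Router(config)# privilege configure level 5 interface
Router(config)# privilege interface level 5 shutdown
! 5.1.2: password for "enable 5", and a local user that logs in directly at level 5
Router(config)# enable secret level 5 L5-SECRET-PLACEHOLDER
Router(config)# username helpdesk privilege 5 secret HELPDESK-SECRET-PLACEHOLDER
! 5.1.3 caveat: "show ip route" has several keywords; assigning it to level 5
! also exposes the "show" and "show ip" keywords there, so the grant is wider
! than the single command the administrator had in mind.
Router(config)# privilege exec level 5 show ip route
! Undo an assignment that turned out too broad (reset restores the default level)
Router(config)# privilege exec reset show ip route
Router(config)# end
! Verification from a session opened as "helpdesk"
Router# show privilege
Current privilege level is 5
```

Privilege levels can only narrow access by command keyword, not per interface or port; that is the point of the limitations listed above and the reason the next section moves on to role-based CLI views.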
5.2 Configure Role-Based CLI
5.2.1 Role-Based CLI Access
This feature provides finer, more granular access by controlling which commands are available to specific roles
Enables the network administrator to create different views of router configurations for different users
Main characteristics
Security
Enhances the security of the device by defining the set of CLI commands that are accessible by a specific user
Availability
Prevents unintentional execution of CLI commands by unauthorized personnel and minimizes downtime
Operational Efficiency
Users only see the CLI commands applicable to the ports and CLI to which they have access
5.2.2 Role-Based Views
Three types of views that dictate which commands are available
Root View
Has the same access privileges as a user who has level 15 privileges
Only a root view user can configure a new view and add or remove commands from the existing views
CLI View
A specific set of commands can be bundled into a CLI view
Has no command hierarchy and no higher or lower views
Each view must be assigned all commands associated with that view
A view does not inherit commands from any other view. Additionally, the same commands can be used in multiple views
Superview
Consists of one or more CLI views
Administrators can define which commands are accepted and which configuration information is visible
Allows a network administrator to assign users and groups of users multiple CLI views at once, instead of having to assign a single CLI view per user with all commands associated with that one CLI view
Specific characteristics
A single CLI view can be shared within multiple superviews
Commands cannot be configured for a superview. An admin must add commands to the CLI view and add that CLI view to the superview
Users who are logged into a superview can access all the commands that are configured for any of the CLI views that are part of the superview
Each superview has a password that is used to switch between superviews or from a CLI view to a superview
Deleting a superview does not delete the associated CLI views. The CLI views remain available to be assigned to another superview
5.2.3 Configure Role-Based Views
Before an admin can create a view, AAA must be enabled
Step 1: Enable AAA with the aaa new-model global configuration mode command. Exit and enter the root view with the enable view command
Router# enable [view [view-name]]
view: This parameter enters root view if no view-name is specified, which enables an administrator to configure CLI views. The view parameter is required to configure a CLI view
view-name: This parameter enters or exits a specified CLI view. It can be used to switch from one CLI view to another CLI view (optional)
Step 2: Create a view using the parser view view-name global configuration mode command. This enables the view configuration mode. Excluding the root view, there is a maximum limit of 15 views in total
Router(config)# parser view view-name
Step 3: Assign a secret password to the view using the secret password view configuration mode command. This sets a password to protect access to the view. The password must be created immediately after creating a view; otherwise, an error message will appear
Router(config-view)# secret password
Step 4: Assign commands to the selected view using the commands parser-mode command in view configuration mode
Router(config-view)# commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]
commands: Adds commands or interfaces to a view
parser-mode: The mode in which the specified command exists
include: Adds a command or an interface to the view and allows the same command or interface to be added to other views
include-exclusive: Adds a command or an interface to the view and excludes the same command or interface from being added to all other views
exclude: Excludes a command or an interface from the view
all: A "wildcard" that allows every command in a specified configuration mode that begins with the same keyword, or every subinterface for a specified interface, to be part of the view
interface interface-name: Interface that is added to the view
command: Command that is added to the view
Step 5: Exit view configuration mode by typing the exit command
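The five steps above carried through end to end (added example; not from the original diagram). Two CLI views are created: one read-only monitoring view and one technician view that holds show running-config exclusively and may configure a single interface. View names, the interface and the passwords are placeholders.

```cisco
! Added example, not from the original diagram. View names, interface and
! passwords are placeholders.
! Step 1: AAA must be enabled before any view can be created
Router(config)# aaa new-model
Router(config)# exit
! Enter the root view; IOS prompts for the enable secret password
Router# enable view
Password:
Router# configure terminal
! Step 2: create a CLI view (at most 15 views, the root view not counted)
Router(config)# parser view MONITOR
! Step 3: the secret must be the very next command, or IOS reports an error
Router(config-view)# secret MONITOR-SECRET-PLACEHOLDER
! Step 4: one exact command, then the whole "show ip ..." subtree via "all"
Router(config-view)# commands exec include show version
Router(config-view)# commands exec include all show ip
Router(config-view)# commands exec include ping
! Step 5
Router(config-view)# exit
! Second view: shares "ping" (a plain include permits that), but holds
! "show running-config" exclusively so no other view can include it
Router(config)# parser view NETTECH
Router(config-view)# secret NETTECH-SECRET-PLACEHOLDER
Router(config-view)# commands exec include ping
Router(config-view)# commands exec include-exclusive show running-config
! Allow configuration mode, but only the interface sub-mode of one interface
Router(config-view)# commands exec include configure terminal
Router(config-view)# commands configure include interface GigabitEthernet0/1
Router(config-view)# exit
Router(config)# end
```

Because a CLI view inherits nothing, every command a MONITOR user needs (including the exec-mode show and ping) has to be listed explicitly in that view; the interface scoping in NETTECH is the access control that privilege levels alone cannot express.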
5.2.6 Configure Role-Based CLI Superviews
Step 1: Create a view using the parser view view-name superview command and enter superview configuration mode. Appending the keyword superview to parser view creates a superview and enters configuration mode
Router(config)# parser view view-name superview
Step 2: Assign a secret password to the view using the secret password command. This sets a password to protect access to the superview. The password must be created immediately after creating a view; otherwise an error message will appear
Router(config-view)# secret password
Step 3: Assign an existing view using the view view-mode command in view configuration mode. This adds a CLI view to the superview. Multiple views can be added. Views may be shared between superviews
Router(config-view)# view view-mode
Step 4: Exit superview configuration mode by typing the exit command
5.2.8 Verify Role-Based CLI Views
To verify a view, use the enable view command followed by the name of the view
Use the show parser view all command to see a summary of all views
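The superview steps of 5.2.6 and the verification commands of 5.2.8 in one session (added example; not from the original diagram). It assumes two CLI views named MONITOR and NETTECH already exist; the superview name and the passwords are placeholders.

```cisco
! Added example, not from the original diagram. Assumes the CLI views
! MONITOR and NETTECH already exist; names and passwords are placeholders.
Router# enable view
Password:
Router# configure terminal
! Step 1: the trailing "superview" keyword creates a superview, not a CLI view
Router(config)# parser view NOC superview
! Step 2: secret first, exactly as for a CLI view
Router(config-view)# secret NOC-SECRET-PLACEHOLDER
! Step 3: attach existing CLI views; commands cannot be added to a superview directly
Router(config-view)# view MONITOR
Router(config-view)# view NETTECH
! Step 4
Router(config-view)# exit
Router(config)# end
! Verification: switch into the superview (IOS prompts for its secret) ...
Router# enable view NOC
Password:
Router# show parser view
Current view is 'NOC'
! ... and list every view and superview configured on the device
Router# show parser view all
```

A user in NOC gets the union of MONITOR and NETTECH; removing the superview later would leave both CLI views in place for reuse in another superview.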