:star:
Assigning Administrative Roles
:star:
:<3:
Configure Privilege Levels
:check:
Configuring and Assigning Privilege Levels
:checkered_flag: To place specific commands at a privilege level, use the privilege exec level level [command] global configuration command. Three custom levels built this way illustrate how the levels stack:
-Privilege level 5 has access to all the commands available at the predefined level 1 plus the ping command.
-Privilege level 10 has access to all the commands available at level 5 plus the reload command.
-Privilege level 15 is predefined and needs no explicit configuration. It has access to all commands, including viewing and changing the configuration.
:check: There are two methods for assigning passwords to the different privilege levels:
To a specific user, use the username name privilege level secret password global configuration command. The level takes effect when that user authenticates against the local database.
To the level itself, use the enable secret level level password global configuration command. Any user can then move to that level with enable level by supplying the level's secret.
:check: A user who enters privilege level 10 can run reload, but users at privilege level 10 still cannot view the running configuration, because show running-config remains at level 15.
:check: A user who enters privilege level 15 has full access to view and change the configuration, including viewing the running configuration.
:check:
Limitations of Privilege Levels
:pen: Using privilege levels has its limitations:
-There is no access control to specific interfaces, ports, logical interfaces, and slots on a router.
-Commands available at lower privilege levels are always executable at higher levels.
-Commands specifically set at a higher privilege level are not available for lower privileged users.
-Assigning a command with multiple keywords also grants the prefix commands made of those keywords. For example, allowing access to show ip route gives the user access to all show and show ip commands, so a single assignment can expose far more than intended.
:check:
Limiting Command Availability
:pen: Cisco IOS software has two methods of limiting what an authenticated user may do on the device: privilege levels and role-based CLI. Both control which commands a user can execute once connected. Role-based CLI access provides more granularity and control.
:pen:By default, the Cisco IOS software CLI has two levels of access to commands:
User EXEC mode (privilege level 1) - This provides the lowest EXEC mode user privileges and allows only user-level commands available at the Router> prompt.
Privileged EXEC mode (privilege level 15) - This includes all enable-level commands at the Router# prompt.
There are 16 privilege levels in total, as listed below. The higher the privilege level, the more router access a user has. Commands that are available at lower privilege levels are also executable at higher levels.
:check: To assign commands to a custom privilege level, use the privilege global configuration mode command shown below.
Router(config)# privilege mode {level level|reset} command
Level 0: Predefined for user-level access privileges. Seldom used, but includes five commands: disable, enable, exit, help, and logout.
Level 1: The default level for login, with the router prompt Router>. A user cannot make any changes or view the running configuration file.
Levels 2 -14: May be customized for user-level privileges. Commands from lower levels may be moved up to another higher level, or commands from higher levels may be moved down to a lower level.
Level 15: Reserved for the enable mode privileges (enable command). Users can change configurations and view configuration files.
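The following configuration session ties together the privilege command, the two password-assignment methods and the keyword pitfall described above. It is an added example written for this page, not the page's own figure: the device name R1, the usernames and every password are placeholders, and the "!" lines are comments.

```cisco
! Constructed example, not the page's figure. R1, the usernames and all
! passwords are placeholders; "!" lines are comments.
R1> enable
R1# configure terminal
!
! Level 5 = everything at level 1 plus ping.
R1(config)# privilege exec level 5 ping
R1(config)# enable secret level 5 Lvl5-Secret
!
! Level 10 = everything at level 5 plus reload. Lower-level commands are
! always executable at higher levels, so ping needs no second line.
R1(config)# privilege exec level 10 reload
R1(config)# enable secret level 10 Lvl10-Secret
!
! Level 15 is predefined and needs no privilege command at all.
R1(config)# enable secret Lvl15-Secret
!
! Second method: bind an account straight to a level. The level is applied
! at login when the line authenticates against the local database.
R1(config)# username alice privilege 1 secret Alice-Secret
R1(config)# username bob privilege 5 secret Bob-Secret
R1(config)# username carol privilege 10 secret Carol-Secret
R1(config)# username dave privilege 15 secret Dave-Secret
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# exit
!
! Keyword pitfall: a multi-keyword command drags its prefixes down with it.
! This one line also places "show" and "show ip" at level 5; the
! running-config will show those two implied lines next to it.
R1(config)# privilege exec level 5 show ip route
R1(config)# end
!
! Moving between levels from user EXEC with the per-level enable secrets.
R1> enable 10
Password:
R1# show privilege
Current privilege level is 10
! reload is now available here, but the configuration is not:
R1# show running-config
! rejected with "% Invalid input detected at '^' marker."
R1# enable 15
Password:
R1# show privilege
Current privilege level is 15
```

After saving, check the result with show running-config | include privilege and confirm that each level has its own enable secret; a level without one cannot be entered with enable level. Look specifically for the implied show and show ip lines that the last privilege command created, and decide whether a level-5 user should really see every show ip command before leaving it in place.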
:star:
Configure Role-Based CLI
:check:
Configure Role-Based CLI Superviews
:pen: The steps to configure a superview are essentially the same as configuring a CLI view, except that the view view-name command is used to add views to the superview instead of assigning commands. The administrator must be in root view to configure a superview. To confirm that root view is being used, use either the enable view or enable view root command. When prompted, enter the enable secret password.
Step 1: Create a superview using the parser view view-name superview global configuration command. Appending the keyword superview to parser view creates a superview and enters superview configuration mode.
Router(config)# parser view view-name superview
Step 2: Assign a secret password to the superview using the secret password command. This password protects access to the superview. The password must be created immediately after creating the superview; otherwise, an error message appears when anything else is added.
Router(config-view)# secret password
Step 3: Add an existing view using the view view-name command in superview configuration mode. Multiple views can be added, and views may be shared between superviews.
Router(config-view)# view view-name
Step 4: Exit superview configuration mode by typing the exit command.
:check:
Configure Role-Based Views
:check: Step 1. Enable AAA with the aaa new-model global configuration mode command. Exit and enter the root view with the enable view command, supplying the enable secret when prompted.
:check: Step 2. Create a view using the parser view view-name global configuration mode command. This enters view configuration mode. Excluding the root view, there is a maximum of 15 views in total.
:check: Step 3. Assign a secret password to the view using the secret password view configuration mode command.
This sets a password to protect access to the view. The password must be created immediately after creating a view; otherwise, an error message appears when the first command is added.
:check: Step 4. Assign commands to the selected view using the commands parser-mode command in view configuration mode.
:check: Step 5. Exit view configuration mode by typing the exit command.
Two details to keep in mind when building views: the secret command in view configuration mode only supports MD5 hashing (type 5), and adding a command to a view before its password has been assigned produces an error instead of silently succeeding.
:check:
Role-Based Views
:checkered_flag: CLI View
A specific set of commands can be bundled into a CLI view. Unlike privilege levels, a CLI view has no command hierarchy and no higher or lower views. Each view must be assigned all commands associated with that view. A view does not inherit commands from any other view. Additionally, the same commands can be used in multiple views.
:checkered_flag: Superview
A superview consists of one or more CLI views. Administrators can define which commands are accepted and which configuration information is visible. Superviews allow a network administrator to assign users and groups of users multiple CLI views at once, instead of having to assign a single CLI view per user with all commands associated with that one CLI view.
:checkered_flag: Root View
To configure any view for the system, the administrator must be in root view. Root view has the same access privileges as a user who has level 15 privileges. However, a root view is not the same as a level 15 user. Only a root view user can configure a new view and add or remove commands from the existing views.
:check:
Verify Role-Based CLI Views
:pen: To verify a view, use the enable view view-name command. Enter the name of the view to verify and provide its password to log into the view. Use the question mark (?) command to confirm that the commands available in the view are the intended ones.
For example, entering the USER superview, the JR-ADMIN view, or the SUPPORT superview and typing ? lists exactly the commands each one can run.
Entering enable view with no view name logs in to the root view. From the root view, use the show parser view all command to see a summary of all views. An asterisk in that list identifies the superviews.
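The session below walks through the CLI view procedure, the superview procedure and the verification commands in one pass. It is an added example written for this page, not the page's own figure: the device name R1, the view names MONITOR, INTF-OPS and TIER2, the usernames and every secret are placeholders, the interface-scoped configure access uses the documented interface argument of the commands command, and the "!" lines are comments.

```cisco
! Constructed example, not the page's figure. R1, the view names, usernames
! and all secrets are placeholders; "!" lines are comments.
R1(config)# enable secret Lvl15-Secret
R1(config)# aaa new-model
R1(config)# exit
!
! Enter the root view; "enable view" asks for the enable secret.
R1# enable view
Password:
R1# show parser view
Current view is 'root'
R1# configure terminal
!
! A CLI view: the secret must come before the first command.
R1(config)# parser view MONITOR
R1(config-view)# commands exec include show version
! rejected: the view has no password yet
R1(config-view)# secret Monitor-Secret
R1(config-view)# commands exec include show version
R1(config-view)# commands exec include ping
R1(config-view)# exit
!
! Views do not inherit: INTF-OPS lists every command it needs itself, and
! its configure access is limited to one interface, something privilege
! levels cannot express.
R1(config)# parser view INTF-OPS
R1(config-view)# secret IntfOps-Secret
R1(config-view)# commands exec include all show
R1(config-view)# commands exec include configure terminal
R1(config-view)# commands configure include interface GigabitEthernet0/1
R1(config-view)# exit
!
! A superview: same steps, but "view <name>" adds whole views instead of
! commands. Views can be shared between superviews.
R1(config)# parser view TIER2 superview
R1(config-view)# secret Tier2-Secret
R1(config-view)# view MONITOR
R1(config-view)# view INTF-OPS
R1(config-view)# exit
!
! Associate accounts with views. The user can always enter the view with
! "enable view"; landing in it directly at login depends on AAA exec
! authorization being configured.
R1(config)# username bob view MONITOR secret Bob-Secret
R1(config)# username carol view TIER2 secret Carol-Secret
R1(config)# end
!
! Verification: enter a view, confirm it, and ask the parser what it offers.
R1# enable view INTF-OPS
Password:
R1# show parser view
Current view is 'INTF-OPS'
R1# ?
! only show ..., configure terminal and the exec basics are listed
R1# enable view
Password:
R1# show parser view all
! MONITOR, INTF-OPS and TIER2 are listed; the superview carries an asterisk
```

Verify each view from inside it, not from the root view: the ? listing inside INTF-OPS is what a holder of that view actually gets, and a command that appears there but should not is a configuration error to fix with commands exec exclude or by removing the include. The root view itself is protected only by the enable secret, so that secret deserves the same care as any level-15 credential.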
:check:
Role-Based CLI Access
:pen: In an effort to provide more flexibility than privilege levels allow, Cisco introduced the role-based CLI access feature in Cisco IOS Release 12.3(11)T. This feature provides finer, more granular access by controlling which commands are available to specific roles. Role-based CLI access enables the network administrator to create different views of router configurations for different users. Each view defines the CLI commands that each user can access.
:warning: Availability
Role-based CLI access prevents unintentional execution of CLI commands by unauthorized personnel and minimizes downtime.
:warning: Operational Efficiency
Users only see the CLI commands, ports and interfaces to which their view grants access. The router therefore appears less complex to them, and the right commands are easier to identify when using the help feature on the device.
:warning: Security
Role-based CLI access enhances the security of the device by defining the set of CLI commands that are accessible by a specific user. Additionally, administrators can control user access to specific ports, logical interfaces, and slots on a router. This prevents a user from accidentally or purposely changing a configuration or collecting information to which they should not have access.