Module 5: Assigning Administrative Roles
Configure Role-Based CLI
Role-based CLI access enables the network administrator to create different views of router configurations for different users. Each view defines the CLI commands that each user can access.
Availability
Role-based CLI access prevents unintentional execution of CLI commands by unauthorized personnel and minimizes downtime.
Operational Efficiency
Users only see the CLI commands applicable to the ports and CLI to which they have access. The router appears to be less complex, and commands are easier to identify.
Security
Role-based CLI access enhances the security of the device by defining the set of CLI commands that are accessible by a specific user. Administrators can control user access to specific ports, logical interfaces, and slots on a router.
Role-based CLI provides three types of views that dictate which commands are available:
Configure Role-Based Views
Before an administrator can create a view, AAA must be enabled using the aaa new-model command.
To configure and edit views, an administrator must log in as the root view using the enable view privileged EXEC command.
When prompted, enter the enable secret password.
There are five steps to create and manage a specific view.
Step 1. Enable AAA with the aaa new-model global configuration mode command. Exit and enter the root view with the enable view command.
Step 2. Create a view using the parser view view-name global configuration mode command. This enables the view configuration mode. Excluding the root view, there is a maximum limit of 15 views in total.
Step 3. Assign a secret password to the view using the secret password view configuration mode command.
Step 4. Assign commands to the selected view using the commands parser-mode command in view configuration mode.
Step 5. Exit view configuration mode by typing the exit command.
CLI View
A specific set of commands can be bundled into a CLI view.
Each view must be assigned all commands associated with that view.
A view does not inherit commands from any other view. Additionally, the same commands can be used in multiple views.
Superview
A superview consists of one or more CLI views. Administrators can define which commands are accepted and which configuration information is visible.
Root View
To configure any view, the administrator must be in root view.
Root view has the same access privileges as a user who has level 15 privileges. However, a root view is not the same as a level 15 user. Only a root view user can configure a new view and add or remove commands from the existing views.
Configure Role-Based CLI Superviews
The steps to configure a superview are essentially the same as configuring a CLI view, except that the view view-name command is used to assign commands to the superview.
The administrator must be in root view to configure a superview. To confirm that root view is being used, use either the enable view or enable view root command. When prompted, enter the secret password.
There are four steps to create and manage a superview.
Step 1. Create the superview using the parser view view-name superview global configuration mode command. This enables superview configuration mode.
Step 2. Assign a secret password to the superview using the secret password command.
Step 3. Assign one or more existing CLI views to the superview using the view view-name command.
Step 4. Exit superview configuration mode by typing the exit command.
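The following added example (not part of the original module) walks through both procedures above on a Cisco IOS router: it enables AAA, enters the root view, creates two CLI views, bundles them into a superview, and then verifies one view. The view names, the placeholder passwords, and the specific command sets are assumptions chosen for illustration.

```cisco
! Added example, not from the original module. View names, passwords and
! command sets are assumptions; replace the placeholder secrets before use.
Router# configure terminal
Router(config)# aaa new-model
Router(config)# exit
! Enter the root view; the enable secret password is requested.
Router# enable view
Password:
! --- CLI view for help-desk staff: read-only status commands ---
Router# configure terminal
Router(config)# parser view HELPDESK
Router(config-view)# secret Helpdesk-View-Placeholder
Router(config-view)# commands exec include show version
Router(config-view)# commands exec include all show ip
Router(config-view)# commands exec include ping
Router(config-view)# exit
! --- CLI view for network operators: may enter interface configuration ---
Router(config)# parser view NETOPS
Router(config-view)# secret Netops-View-Placeholder
Router(config-view)# commands exec include configure terminal
Router(config-view)# commands configure include all interface
Router(config-view)# commands interface include shutdown
Router(config-view)# exit
! --- Superview that combines both CLI views (max 15 views besides root) ---
Router(config)# parser view SHIFTLEAD superview
Router(config-view-super)# secret Shiftlead-Placeholder
Router(config-view-super)# view HELPDESK
Router(config-view-super)# view NETOPS
Router(config-view-super)# exit
Router(config)# end
! --- Verification: log into the view and list what it can run ---
Router# enable view HELPDESK
Password:
Router# ?
Router# show parser view
```

Note that a view holds only what is explicitly included: NETOPS does not get show version because it was added to HELPDESK, while the SHIFTLEAD superview gets the union of both. The show parser view command reports which view the current session is using.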
Verify Role-Based CLI Views
To verify a view, use the enable view command. Enter the name of the view to verify, and provide the password to log into the view. Use the question mark (?) command to verify that the commands available in the view are correct.
Configure Privilege Levels
Configuring and Assigning Privilege Levels
To configure a privilege level with specific commands, use the privilege exec level level [command] global configuration mode command. The following describes three different privilege levels.
Privilege level 5 has access to all the commands available for the predefined level 1 and the ping command.
Privilege level 10 has access to all the commands available for level 5 as well as the reload command.
Privilege level 15 is predefined and does not need to be explicitly configured. This privilege level has access to all commands including viewing and changing the configuration.
There are two methods for assigning passwords to the different privilege levels:
To a user that is granted a specific privilege level, use the username name privilege level secret password global configuration mode command.
To the privilege level itself, use the enable secret level level password global configuration mode command.
Limitations of Privilege Levels
The use of privilege levels has its limitations:
There is no access control to specific interfaces, ports, logical interfaces, and slots on a router.
Commands available at lower privilege levels are always executable at higher levels.
Commands specifically set at a higher privilege level are not available for lower privileged users.
Assigning a command with multiple keywords allows access to all commands that use those keywords. For example, allowing access to show ip route allows the user access to all show and show ip commands.
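The following added example (not from the original module) configures the level 5 and level 10 privileges described above, shows both password-assignment methods, and then demonstrates the multiple-keyword limitation. The usernames and passwords are placeholders chosen for illustration.

```cisco
! Added example, not from the original module. Usernames and secrets are
! placeholders; the privilege assignments follow the levels described above.
Router# configure terminal
! Level 5: everything at level 1 plus ping
Router(config)# privilege exec level 5 ping
! Level 10: everything at level 5 plus reload (level 5 commands are
! automatically executable at level 10)
Router(config)# privilege exec level 10 reload
! Method 1: password bound to the privilege level (used with "enable 5")
Router(config)# enable secret level 5 Level5-Placeholder
Router(config)# enable secret level 10 Level10-Placeholder
! Method 2: privilege level bound to a user account
Router(config)# username helpdesk privilege 5 secret Helpdesk-Placeholder
Router(config)# username netops privilege 10 secret Netops-Placeholder
! Limitation: moving a multi-keyword command down to level 5 also exposes
! its parent keywords, so "show" and "show ip" become usable at level 5.
Router(config)# privilege exec level 5 show ip route
Router(config)# end
! Verify: enter level 5 and confirm the level and the exposed keywords
Router# enable 5
Password:
Router# show privilege
Current privilege level is 5
Router# show ip ?
```

The show privilege command confirms the level of the current session; the show ip ? listing after moving show ip route down makes the keyword inheritance visible, which is the reason the module recommends role-based views where finer control is needed.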
Limiting Command Availability
Large organizations have many varied job functions within an IT department. Not all job functions should have the same level of access to the infrastructure devices. Cisco IOS software has two methods of providing infrastructure access: privilege level and role-based CLI. Both methods help determine who should be allowed to connect to the device and what that person should be able to do with it. Role-based CLI access provides more granularity and control.
By default, the Cisco IOS software CLI has two levels of access to commands:
User EXEC mode (privilege level 1)
This provides the lowest EXEC mode user privileges and allows only user-level commands available at the Router> prompt.
Privileged EXEC mode (privilege level 15)
This includes all enable-level commands at the Router# prompt.
Level 1:
The default level for login with the router prompt Router>. A user cannot make any changes or view the running configuration file.
Levels 2-14:
May be customized for user-level privileges. Commands from lower levels may be moved up to another higher level, or commands from higher levels may be moved down to a lower level.
Level 0:
Predefined for user-level access privileges. Seldom used, but includes five commands: disable, enable, exit, help, and logout.
Level 15:
Reserved for the enable mode privileges (enable command). Users can change configurations and view configuration files.