Friday, September 9, 2011
Role Based CLI (Configuring AAA Part 3)
Views are user roles defined in Cisco IOS (Role-Based CLI Access). I can allow specific commands within a view and assign that view to users, or I can switch into a view interactively with the enable view <ViewName> command. Before any view can be used, AAA must be enabled with aaa new-model:
R2#enable view
% AAA must be configured.
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#aaa new-model
R2(config)#end
Now that AAA has been enabled, I can enter the root view and begin to configure other views. I want to create two views and assign each to a different user. The first view I'll call HELPDESK, the second TECHNICIAN. For the view HELPDESK, I'll allow <show version> and <show ip interface>. For the view TECHNICIAN, I'll allow <show ip route> and <show running-config>. I'll assign the view HELPDESK to user joe, and the view TECHNICIAN to user katie.
When entering the root view, I am prompted for the enable password:
R2#enable view root
Please enter your password:
R2#
Sep 7 22:51:47.297: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
R2#sh privilege
Currently in View Context with view 'root'
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#parser view HELPDESK
R2(config-view)#
Sep 7 23:16:40.889: %PARSER-6-VIEW_CREATED: view 'HELPDESK' successfully created.
Initially, I am unable to add commands: a secret must be configured for the view before any commands can be included.
R2(config-view)#commands exec include show version
% Password not set for the view HELPDESK
R2(config-view)#secret cisco1
R2(config-view)#commands exec include show version
R2(config-view)#
I can include a command, include it exclusively (include-exclusive grants it to this view and removes it from every other view), or exclude it:
R2(config-view)#commands exec ?
exclude Exclude the command from the view
include Add command to the view
include-exclusive Include in this view but exclude from others
R2(config-view)#commands exec include show ip interface
R2(config-view)#parser view TECHNICIAN
R2(config-view)#
Sep 7 23:26:10.173: %PARSER-6-VIEW_CREATED: view 'TECHNICIAN' successfully created.
R2(config-view)#secret cisco2
R2(config-view)#commands exec include show ip route
R2(config-view)#commands exec include show running-config
R2(config-view)#exit
R2(config)#
Before assigning the views to users, I want to test them by entering each one directly with enable view and checking which commands are authorized. I'll start with the HELPDESK view.
R2#enable view HELPDESK
Please enter your password:
R2#
Sep 8 06:02:17.324: %PARSER-6-VIEW_SWITCH: successfully set to view 'HELPDESK'.
R2#?
Exec commands:
enable Turn on privileged commands
exit Exit from the EXEC
show Show running system information
R2#show ?
flash: display information about flash: file system
ip IP information
parser Show parser commands
R2#show ip ?
interface IP interface status and configuration
R2#show ip interface
FastEthernet0/0 is up, line protocol is up
Internet address is 10.1.4.4/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.9
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP multicast fast switching is enabled
I'll check the TECHNICIAN view next.
R2#enable view TECHNICIAN
Please enter your password:
R2#
Sep 8 06:04:56.457: %PARSER-6-VIEW_SWITCH: successfully set to view 'TECHNICIAN'.
R2#?
Exec commands:
enable Turn on privileged commands
exit Exit from the EXEC
show Show running system information
R2#show ?
flash: display information about flash: file system
ip IP information
parser Show parser commands
running-config Current operating configuration
R2#show ip ?
route IP routing table
R2#show ip route ?
Hostname or A.B.C.D Network to display information about or hostname
bgp Border Gateway Protocol (BGP)
connected Connected
eigrp Enhanced Interior Gateway Routing Protocol (EIGRP)
isis ISO IS-IS
mobile Mobile routes
odr On Demand stub Routes
ospf Open Shortest Path First (OSPF)
rip Routing Information Protocol (RIP)
static Static routes
| Output modifiers
<cr>
R2#
This behaves as expected. Now I'll assign each view to its user and test their access by connecting to the router over telnet from another device. Since the users will log in over the vty lines, I'll also apply exec authorization to those lines so that the view attached to each username is honoured at login. (This lab uses username ... password, which stores the credential in recoverable form, and telnet, which carries it in cleartext; on a production device use username ... secret and SSH.)
R2#enable
Please enter your password:
R2#show privilege
Current privilege level is 15
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#username joe view HELPDESK password cisco1
R2(config)#username katie view TECHNICIAN password cisco2
R2(config)#aaa authorization exec default local
R2(config)#line vty 0 4
R2(config-line)#authorization exec default
R2(config-line)#end
R2#
Sep 8 06:08:56.955: %SYS-5-CONFIG_I: Configured from console by console
R2#
Now, from R1, I'll connect to R2 as user joe and check which commands are available:
R1#telnet 10.1.12.2
Trying 10.1.12.2 ... Open
User Access Verification
Please enter your user name:joe
Please enter your password:
You are connecting to R2 on line 194, VTY LINE at stupidtroutertricks.com
R2>?
Exec commands:
<1-99> Session number to resume
enable Turn on privileged commands
exit Exit from the EXEC
show Show running system information
R2>show parser view
Current view is 'HELPDESK'
R2>show ?
flash: display information about flash: file system
ip IP information
parser Show parser commands
R2>show ip ?
interface IP interface status and configuration
R2>
The user joe behaves as expected. Now I'll test the user katie.
R2>exit
[Connection to 10.1.12.2 closed by foreign host]
R1#telnet 10.1.12.2
Trying 10.1.12.2 ... Open
User Access Verification
Please enter your user name:katie
Please enter your password:
You are connecting to R2 on line 194, VTY LINE at stupidtroutertricks.com
R2>?
Exec commands:
<1-99> Session number to resume
enable Turn on privileged commands
exit Exit from the EXEC
show Show running system information
R2>show ?
flash: display information about flash: file system
ip IP information
parser Show parser commands
running-config Current operating configuration
R2>show ip ?
route IP routing table
R2>
The user katie also behaves as expected.
Now I want to combine both views by creating a superview called COMBINED. A superview grants the union of the commands of its member views; it has its own secret and contains no commands of its own, only other views. I'll assign this superview to a user named joshua.
R2(config)#parser view COMBINED superview
R2(config-view)#
Sep 8 06:41:09.951: %PARSER-6-SUPER_VIEW_CREATED: super view 'COMBINED' successfully created.
R2(config-view)#secret cisco3
R2(config-view)#view HELPDESK
Sep 8 06:42:43.826: %PARSER-6-SUPER_VIEW_EDIT_ADD: view HELPDESK added to superview COMBINED.
R2(config-view)#view TECHNICIAN
Sep 8 06:42:45.926: %PARSER-6-SUPER_VIEW_EDIT_ADD: view TECHNICIAN added to superview COMBINED.
R2(config-view)#exit
R2(config)#username joshua view COMBINED password cisco3
R2(config)#end
R2#
Now I'll telnet from R1 as joshua to check that both command sets are available:
R1#telnet 10.1.12.2
Trying 10.1.12.2 ... Open
User Access Verification
Please enter your user name:joshua
Please enter your password:
You are connecting to R2 on line 194, VTY LINE at stupidtroutertricks.com
R2>?
Exec commands:
<1-99> Session number to resume
enable Turn on privileged commands
exit Exit from the EXEC
show Show running system information
R2>show ?
flash: display information about flash: file system
ip IP information
parser Show parser commands
running-config Current operating configuration
R2>show ip ?
interface IP interface status and configuration
route IP routing table
R2>show ip
This behaves as expected.
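What the transcripts above verify interactively can also be checked offline against the running-config. The script below is an added example, not code from the original post or from Cisco: it parses a constructed running-config excerpt modelled on the HELPDESK, TECHNICIAN and COMBINED views and the joe, katie and joshua usernames above, plus deliberately wrong entries that are mine (a user bob mapped to a view MISSING that does not exist, a vty range pointing at an undefined authorization list VIEWS, and placeholder type-5 hashes). It reports the commands each view grants, derives a superview as the union of its members, and flags a username mapped to an undefined view, credentials stored with password instead of secret, and a vty line whose exec authorization list does not resolve. The fallback of a vty line with no explicit authorization exec to the default method list is standard IOS AAA behaviour and is marked in the code.

```python
# Added example for this post (constructed, not Cisco code): parse the parser-view, username,
# aaa authorization and line vty statements of an IOS running-config excerpt, work out which
# commands each view really grants (a superview is the union of its member views) and flag
# the mistakes a reviewer looks for. Hashes in SAMPLE_CONFIG are placeholders, not secrets.
import re
from dataclasses import dataclass, field
from types import SimpleNamespace

SAMPLE_CONFIG = """\
aaa new-model
aaa authorization exec default local
username joe view HELPDESK password 0 cisco1
username katie view TECHNICIAN password 7 0822455D0A16
username joshua view COMBINED secret 5 $1$fake$placeholder0000000000
username bob view MISSING secret 5 $1$fake$placeholder1111111111
parser view HELPDESK
 secret 5 $1$fake$placeholder2222222222
 commands exec include show version
 commands exec include show ip interface
parser view TECHNICIAN
 secret 5 $1$fake$placeholder3333333333
 commands exec include show ip route
 commands exec include-exclusive show running-config
parser view COMBINED superview
 secret 5 $1$fake$placeholder4444444444
 view HELPDESK
 view TECHNICIAN
line vty 0 4
 authorization exec default
line vty 5 15
 authorization exec VIEWS
"""

@dataclass
class View:
    name: str
    superview: bool = False
    commands: set = field(default_factory=set)   # entries like "exec show ip route"
    members: list = field(default_factory=list)  # member views of a superview

USER_RE = re.compile(r"^username (\S+)(?: privilege \d+)?(?: view (\S+))?"
                     r" (secret|password)(?: (\d))? \S+$")

def parse_config(text: str) -> SimpleNamespace:
    # exec_authz: list name -> methods; users: name -> (view, keyword, encryption type)
    cfg = SimpleNamespace(exec_authz={}, views={}, users={}, vty=[])
    block = None
    for line in text.splitlines():
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):           # a top-level command closes any open block
            block = None
            if (m := re.match(r"^aaa authorization exec (\S+) (.+)$", line)):
                cfg.exec_authz[m.group(1)] = m.group(2).split()
            elif (m := USER_RE.match(line)):
                name, view, keyword, enc = m.groups()
                cfg.users[name] = (view, keyword, enc or "0")   # no type shown means cleartext
            elif (m := re.match(r"^parser view (\S+)( superview)?$", line)):
                block = cfg.views[m.group(1)] = View(m.group(1), superview=bool(m.group(2)))
            elif (m := re.match(r"^line vty (.+)$", line)):
                block = [m.group(1), None]      # [range, exec authorization list or None]
                cfg.vty.append(block)
        elif isinstance(block, View):          # lines entered in config-view mode
            body = line.strip()
            if (m := re.match(r"^commands (\S+) (include|include-exclusive) (.+)$", body)):
                block.commands.add(f"{m.group(1)} {m.group(3)}")
            elif (m := re.match(r"^view (\S+)$", body)):
                block.members.append(m.group(1))
        elif isinstance(block, list) and (m := re.match(r"^ authorization exec (\S+)$", line)):
            block[1] = m.group(1)
    return cfg

def effective_commands(cfg, view: str, seen=frozenset()) -> set:
    """Commands a view grants; a superview grants the union of its members (cycle-safe)."""
    v = cfg.views.get(view)
    if v is None or view in seen:
        return set()
    if v.superview:
        return set().union(*(effective_commands(cfg, m, seen | {view}) for m in v.members))
    return set(v.commands)

def audit(cfg) -> list:
    """Findings a reviewer would raise; an empty list means the RBAC config is consistent."""
    out = [f"superview {v.name} references undefined view {m}"
           for v in cfg.views.values() for m in v.members if m not in cfg.views]
    for name, (view, keyword, enc) in cfg.users.items():
        if view and view not in cfg.views:
            out.append(f"user {name} is mapped to undefined view {view}")
        if keyword == "password":
            out.append(f"user {name} uses 'password' (type {enc}, recoverable); use 'secret' instead")
    for rng, lst in cfg.vty:
        lst = lst or "default"             # a line with no explicit list uses the default list
        if lst not in cfg.exec_authz:
            out.append(f"line vty {rng} resolves to undefined exec authorization list '{lst}'")
    return out

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print({u: sorted(effective_commands(cfg, v[0])) for u, v in cfg.users.items()})
    print("\n".join(audit(cfg)))
```

Run it against a real `show running-config` capture by replacing SAMPLE_CONFIG; the parser only looks at the statement forms shown in this post, so anything else in the config is ignored.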
***************
As a side note, something I noticed is that I had to enter configuration mode AFTER enabling the root view in order to use the parser view command. While at privilege level 15 in global configuration mode, I tried the command <do enable view>; although it appeared to authenticate me and switch me to the root view, it did not let me run the parser view commands:
R2#show privilege
Current privilege level is 15
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#do enable view
Please enter your password:
R2(config)#
Sep 7 22:44:18.902: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
R2(config)#parser view VIEW1
No view Active! Switch to View Context
R2(config)#
R2(config)#do show privilege
Currently in View Context with view 'root'
R2(config)#
R2(config)#end
R2#show
Sep 7 22:46:03.057: %SYS-5-CONFIG_I: Configured from console by console
R2#show privilege
Current privilege level is 15
R2#
Again, although I appeared to have authenticated to the root view, when I exited global configuration mode I was returned to the privilege level I had before entering it.
This tells me that I need to run enable view (root) before entering global configuration mode if I want to use the parser view commands.
<-- AAA Part 1 <-- AAA Part 2
Labels:
Security
I want to share my physical devices with friends remotely; how do I secure IOS and other files on the router/switch? I tried a lot with RBAC using an exclude delete command, but it seems not to be working. Could you please help?