Friday, September 9, 2011

Role Based CLI (Configuring AAA Part 3)


Views are defined user roles in Cisco IOS. I can allow commands within views and assign those views to users, or I can switch between views by using the enable view <ViewName> command. To use views, I must first enable aaa new-model:

R2#enable view
% AAA must be configured.


R2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#aaa new-model
R2(config)#end

Now that aaa has been enabled, I can enter the root view and begin to configure other views. I want to create two views and assign those views to two different users. The first view I'll call HELPDESK, the second view I'll call TECHNICIAN. For the view HELPDESK, I'll allow <show version> and <show ip interface>. For the view TECHNICIAN, I'll allow <show ip route> and <show running-config>. I'll assign the view HELPDESK to user joe, and the view TECHNICIAN to user katie.

When entering the root view, I am prompted for the enable password:

R2#enable view root
Please enter your password: 


R2#
Sep  7 22:51:47.297: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
R2#sh privilege
Currently in View Context with view 'root'
R2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#parser view HELPDESK
R2(config-view)#
Sep  7 23:16:40.889: %PARSER-6-VIEW_CREATED: view 'HELPDESK' successfully created.

Initially, I am unable to configure commands. Configuring a secret is mandatory prior to allowing any commands.

R2(config-view)#commands exec include show version
% Password not set for the view HELPDESK
R2(config-view)#secret cisco1
R2(config-view)#commands exec include show version
R2(config-view)#

I can include, include exclusively, or exclude commands:

R2(config-view)#commands exec ?
  exclude            Exclude the command from the view
  include            Add command to the view
  include-exclusive  Include in this view but exclude from others


R2(config-view)#commands exec include show ip interface
R2(config-view)#parser view TECHNICIAN   
R2(config-view)#
Sep  7 23:26:10.173: %PARSER-6-VIEW_CREATED: view 'TECHNICIAN' successfully created.
R2(config-view)#secret cisco2
R2(config-view)#commands exec include show ip route
R2(config-view)#commands exec include show running-config
R2(config-view)#exit
R2(config)#

Before I assign the views to users, I want to test the views by enabling them directly and checking the authorized commands. I'll start with the HELPDESK view.

R2#enable view HELPDESK
Please enter your password:


R2#
Sep  8 06:02:17.324: %PARSER-6-VIEW_SWITCH: successfully set to view 'HELPDESK'.
R2#?
Exec commands:
  enable  Turn on privileged commands
  exit    Exit from the EXEC
  show    Show running system information


R2#show ?
  flash:  display information about flash: file system
  ip      IP information
  parser  Show parser commands


R2#show ip ?
  interface  IP interface status and configuration


R2#show ip interface
FastEthernet0/0 is up, line protocol is up
  Internet address is 10.1.4.4/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.9
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP multicast fast switching is enabled
       
I'll check the TECHNICIAN view next.

R2#enable view TECHNICIAN
Please enter your password:


R2#
Sep  8 06:04:56.457: %PARSER-6-VIEW_SWITCH: successfully set to view 'TECHNICIAN'.
R2#?
Exec commands:
  enable  Turn on privileged commands
  exit    Exit from the EXEC
  show    Show running system information


R2#show ?
  flash:          display information about flash: file system
  ip              IP information
  parser          Show parser commands
  running-config  Current operating configuration


R2#show ip ?
  route  IP routing table


R2#show ip route ?
  Hostname or A.B.C.D  Network to display information about or hostname
  bgp                  Border Gateway Protocol (BGP)
  connected            Connected
  eigrp                Enhanced Interior Gateway Routing Protocol (EIGRP)
  isis                 ISO IS-IS
  mobile               Mobile routes
  odr                  On Demand stub Routes
  ospf                 Open Shortest Path First (OSPF)
  rip                  Routing Information Protocol (RIP)
  static               Static routes
  |                    Output modifiers
  <cr>


R2#

This behaves as expected. Now I'll assign the views directly to each user and test their access by connecting to the router via telnet from another device. Since I'll be using telnet, I'll also have to apply exec authorization to the vty lines in order to enforce the role-based policies.

R2#enable
Please enter your password:
R2#show privilege
Current privilege level is 15
R2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#username joe view HELPDESK password cisco1
R2(config)#username katie view TECHNICIAN password cisco2
R2(config)#aaa authorization exec default local 
R2(config)#line vty 0 4
R2(config-line)#authorization exec default 
R2(config-line)#end
R2#
Sep  8 06:08:56.955: %SYS-5-CONFIG_I: Configured from console by console
R2#

Now from R1, I'll connect to R2 as the user joe and check which commands are available:

R1#telnet 10.1.12.2
Trying 10.1.12.2 ... Open




User Access Verification


Please enter your user name:joe
Please enter your password:
You are connecting to R2 on line 194, VTY LINE at stupidtroutertricks.com
R2>?
Exec commands:
  <1-99>  Session number to resume
  enable  Turn on privileged commands
  exit    Exit from the EXEC
  show    Show running system information


R2>show parser view
Current view is 'HELPDESK'
R2>show ?
  flash:  display information about flash: file system
  ip      IP information
  parser  Show parser commands


R2>show ip ?
  interface  IP interface status and configuration


R2>    

The user joe behaves as expected. Now to test the user katie.

R2>exit         


[Connection to 10.1.12.2 closed by foreign host]
R1#telnet 10.1.12.2
Trying 10.1.12.2 ... Open




User Access Verification


Please enter your user name:katie
Please enter your password:
You are connecting to R2 on line 194, VTY LINE at stupidtroutertricks.com
R2>?
Exec commands:
  <1-99>  Session number to resume
  enable  Turn on privileged commands
  exit    Exit from the EXEC
  show    Show running system information


R2>show ?
  flash:          display information about flash: file system
  ip              IP information
  parser          Show parser commands
  running-config  Current operating configuration


R2>show ip ?
  route  IP routing table


R2>

The user katie also behaves as expected.

But now, I want to combine both views by creating a new view called COMBINED. I'll assign this superview to a user named joshua.

R2(config)#parser view COMBINED superview
R2(config-view)#
Sep  8 06:41:09.951: %PARSER-6-SUPER_VIEW_CREATED: super view 'COMBINED' successfully created.
R2(config-view)#secret cisco3
R2(config-view)#view HELPDESK 
Sep  8 06:42:43.826: %PARSER-6-SUPER_VIEW_EDIT_ADD: view HELPDESK added to superview COMBINED.
R2(config-view)#view TECHNICIAN
Sep  8 06:42:45.926: %PARSER-6-SUPER_VIEW_EDIT_ADD: view TECHNICIAN added to superview COMBINED.
R2(config-view)#exit
R2(config)#username joshua view COMBINED password cisco3
R2(config)#end
R2#

Now I'll telnet from R1 to check whether both command sets are available:

R1#telnet 10.1.12.2
Trying 10.1.12.2 ... Open




User Access Verification


Please enter your user name:joshua
Please enter your password:
You are connecting to R2 on line 194, VTY LINE at stupidtroutertricks.com
R2>?
Exec commands:
  <1-99>  Session number to resume
  enable  Turn on privileged commands
  exit    Exit from the EXEC
  show    Show running system information


R2>show ?
  flash:          display information about flash: file system
  ip              IP information
  parser          Show parser commands
  running-config  Current operating configuration


R2>show ip ?
  interface  IP interface status and configuration
  route      IP routing table


R2>show ip 

This behaves as expected.
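As an added example (not part of the original post), here is a small Python audit script that reads a running-config fragment and reports what each view-assigned user can effectively run, flattening superviews into the union of their member views, and checks the prerequisites the post relies on: aaa new-model, an exec authorization method list, authorization exec on the vty lines, and a secret on every view. The sample config is constructed here, modelled on the HELPDESK, TECHNICIAN and COMBINED views built above, with an extra empty view and a plain privilege-15 user for the audit to flag; the exact running-config layout of the parser view blocks is an assumption. It goes slightly beyond the post by also honouring exclude lines.

```python
import re

# Constructed sample running-config (not captured from the router on this page). It mirrors
# the views built above plus an empty view and a privilege-15 user; hashes are placeholders.
SAMPLE_CONFIG = """\
aaa new-model
aaa authorization exec default local
parser view HELPDESK
 secret 5 $PLACEHOLDER_HASH_1
 commands exec include show version
 commands exec include show ip interface
parser view TECHNICIAN
 secret 5 $PLACEHOLDER_HASH_2
 commands exec include show ip route
 commands exec include show running-config
parser view COMBINED superview
 secret 5 $PLACEHOLDER_HASH_3
 view HELPDESK
 view TECHNICIAN
parser view EMPTYVIEW
username joe view HELPDESK password 7 PLACEHOLDER
username katie view TECHNICIAN password 7 PLACEHOLDER
username joshua view COMBINED password 7 PLACEHOLDER
username admin privilege 15 password 7 PLACEHOLDER
line vty 0 4
 authorization exec default
"""

def blocks(config, header_re):
    """Return [(header match, indented body lines)] for every block whose header matches."""
    out, current = [], None
    for raw in config.splitlines():
        m = re.match(header_re, raw)
        if m:
            current = (m, [])
            out.append(current)
        elif raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:                      # any non-indented line ends the block
            current = None
    return out

def parse_views(config):
    """Map view name -> {'secret': bool, 'commands': [(mode, action, cmd)], 'members': [views]}."""
    views = {}
    for m, body in blocks(config, r"^parser view (\S+)( superview)?$"):
        v = views[m.group(1)] = {"secret": False, "commands": [], "members": []}
        for line in body:
            c = re.match(r"^commands (\S+) (include|include-exclusive|exclude) (.+)$", line)
            if line.startswith("secret "):
                v["secret"] = True
            elif line.startswith("view "):          # member of a superview
                v["members"].append(line.split()[1])
            elif c:
                v["commands"].append((c.group(1), c.group(2), c.group(3)))
    return views

def parse_users(config):
    """Map username -> {'view': view name or None, 'privilege': int}."""
    users = {}
    for m in re.finditer(r"^username (\S+) (.*)$", config, re.M):
        view = re.search(r"\bview (\S+)", m.group(2))
        priv = re.search(r"\bprivilege (\d+)", m.group(2))
        users[m.group(1)] = {"view": view.group(1) if view else None,
                             "privilege": int(priv.group(1)) if priv else 1}
    return users

def effective_commands(name, views, _seen=None):
    """Flatten a view or superview into the set of (mode, command) it grants: includes add,
    an exclude drops an exact earlier match, and a superview is the union of its members."""
    _seen = set() if _seen is None else _seen
    if name not in views or name in _seen:
        return set()
    _seen.add(name)
    granted = set()
    for mode, action, cmd in views[name]["commands"]:
        (granted.discard if action == "exclude" else granted.add)((mode, cmd))
    for member in views[name]["members"]:
        granted |= effective_commands(member, views, _seen)
    return granted

def audit(config):
    """Return (findings, matrix): misconfigurations to fix and each view user's effective commands."""
    views, users, findings = parse_views(config), parse_users(config), []
    if not re.search(r"^aaa new-model$", config, re.M):
        findings.append("aaa new-model is not enabled; 'enable view' will refuse to run")
    if not re.search(r"^aaa authorization exec \S+ ", config, re.M):
        findings.append("no 'aaa authorization exec' method list; per-user views are not enforced")
    vty = [body for _, body in blocks(config, r"^line vty ")]
    if not vty or not all(any(l.startswith("authorization exec") for l in b) for b in vty):
        findings.append("a vty block lacks 'authorization exec'; remote users will not land in their view")
    for name, v in views.items():
        if not v["secret"]:
            findings.append(f"view {name} has no secret and cannot be entered with 'enable view'")
        if not effective_commands(name, views):
            findings.append(f"view {name} grants no commands")
    for user, info in users.items():
        if info["view"] and info["view"] not in views:
            findings.append(f"user {user} is assigned to undefined view {info['view']}")
        if info["view"] is None and info["privilege"] >= 15:
            findings.append(f"user {user} has privilege 15 and no view (unrestricted CLI)")
    matrix = {u: sorted(effective_commands(i["view"], views)) for u, i in users.items() if i["view"]}
    return findings, matrix

if __name__ == "__main__":
    findings, matrix = audit(SAMPLE_CONFIG)
    print(*[f"{u}: {', '.join(c for _, c in v)}" for u, v in matrix.items()], sep="\n")
    print(*["FINDING: " + f for f in findings], sep="\n")
```

Run against a real `show running-config` capture, the matrix is a quick way to confirm that a superview such as COMBINED grants exactly the union of its members and nothing more, and the findings list catches the two things this post had to get right before the views worked at all: the missing secret and the exec authorization on the vty lines.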


***************


As a side note, something I noticed was that I had to invoke configuration mode AFTER I had enabled the root view in order to use the parser view command. While at privilege level 15 in global configuration mode, I tried to run the command <do enable view>, and although it appeared to authenticate me and move me to the root view, it did not allow me to run the parser view commands:

R2#show privilege 
Current privilege level is 15
R2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#do enable view
Please enter your password:


R2(config)#
Sep  7 22:44:18.902: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
R2(config)#parser view VIEW1
No view Active! Switch to View Context
R2(config)#
R2(config)#do show privilege
Currently in View Context with view 'root'
R2(config)#
R2(config)#end
R2#show 
Sep  7 22:46:03.057: %SYS-5-CONFIG_I: Configured from console by console
R2#show privilege
Current privilege level is 15
R2#

Again, although I appeared to be authenticated to the root view, when I exited from global configuration mode I was returned to the privilege level I had going in.

This tells me that I need to enable view [root] prior to entering global configuration if I'd like to use the parser view commands.


2 comments:

  1. I want to share my physical devices with friends remotely. How do I secure IOS and other files on the router/switch? I tried a lot with RBAC with the exclude delete command, but it seems not to be working. Could you please help?

  2. Powerful information, thank you for sharing!