role based views
notgoing2fail
Member Posts: 1,138
in CCNP
Anyone play around with creating cli-views? I'm having a problem getting started.
I've tried both my router and switch and both lock me out when trying to enable views.
Both devices have "aaa new-model" enabled, with local authentication.
"aaa authentication login default local"
I've created a user account with priv 15 like so:
username brandon privilege 15 secret cisco
When I go to EXEC mode and type this:
"enable view"
I get prompted for a password, well, what other password can there possibly be? So I put in "cisco".
I then get this error:
% Authentication Failed
So I've checked out Cisco's doc and it seems a bit confusing, here's what they say:
Prerequisites
Before you create a view, you must perform the following tasks:
• Enable AAA via the aaa new-model command.
• Ensure that your system is in root view—not privilege level 15.
So here's my DUH! question of the day, how do you get INTO ROOT VIEW in the first place? If privilege 15 isn't enough, then how do you do it? It seems like a catch 22?
Then Cisco's documentation says this for step #1:
enable view
Example:
Router> enable view
Enables root view.
• Enter your privilege level 15 password (for example, root password) if prompted.
UMM WHAT??
Here's the link to the doc. Can anyone help me out here? Thanks!
Cisco IOS Security Configuration Guide: Securing User Services, Release 15.0 - Role-Based CLI Access [Cisco IOS Software Releases 15.0] - Cisco Systems
Comments
peanutnoggin Member Posts: 1,096
Try using your enable secret password to enable your superview. See if that works out for you...
We cannot have a superior democracy with an inferior education system!
-Mayor Cory Booker
DevilWAH Member Posts: 2,997
Yes, you need enable view, and then enter your enable secret password.
For this you have to, of course, set an enable secret password on the device.
After that you have to decide if you are creating privilege views or named views.
If you can't explain it simply, you don't understand it well enough. Albert Einstein
An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties, it means that it's going to launch you into something great. So just focus and keep aiming.
Blog: http://Devilwah.com
notgoing2fail Member Posts: 1,138
Thanks guys, creating the enable secret password worked.
I suppose I have gotten my own account password confused with the enable secret password...
It's the little things that get you, I was banging my head over this! Glad I asked for help...
peanutnoggin Member Posts: 1,096
No worries man... that's why TE is here! I love it when I can help someone out because I know I can count on these forums to help me out as well...
geezer Member Posts: 136
Sorry to HJ this thread but can anyone tell me what I may be doing wrong, as my head is sore?
I have enabled aaa new-model, created a view to allow exec sh interfaces and sh run commands. Then I created a local database entry to allow a user to login with those view credentials:
username hello view myview password there
which should allow a user of 'hello' with a password of 'there' to login and get the two show commands above for him/her. What is happening though is after login I am getting the user mode prompt ( > ) instead of exec mode?!
Any pointers?
Cheers
I used to be undecided but now I'm not so sure.
There are only 10 types of people in the world: Those who understand binary, and those who don't!
notgoing2fail Member Posts: 1,138
When you create the user, try setting the privilege level as well...
username hello privilege {priv. level} view myview password there
geezer Member Posts: 136
Hi
Tried that already but still don't get priv. mode.
Also, how would you remove a view? Information is scarce on this subject of username view privileges and removing them in my searches.
Thanks
notgoing2fail Member Posts: 1,138
Can you provide your config? You don't have to show your entire output, just the relevant info...
geezer Member Posts: 136
enable secret 5 $1$VRlp$KekElh24pIEszqXmws5XS/
!
aaa new-model
!
aaa authentication login default local
aaa authentication enable default enable
!
aaa session-id common
memory-size iomem 5
ip cef
!
multilink bundle-name authenticated
!
username hello privilege 15 view helpdesk password 0 there
username ops view ops password 0 ops
archive
 log config
  hidekeys
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 3
line vty 4
!
parser view helpdesk
 secret 5 $1$BJvE$TDcfqXSKFRwLh2S4FNjQB1
 commands exec include show interfaces
 commands exec include show running-config
 commands exec include show
!
parser view ops
 secret 5 $1$W/t2$1yrf7qDAbGfQYHCmwPFg..
 commands configure include line
!
end
geezer Member Posts: 136
Still no joy. Am using GNS3 on a 3725 router and can successfully login with the view by typing:
enable view myview
without a problem, it's just I get the user mode prompt (>) still...
notgoing2fail Member Posts: 1,138
Yeah, I think I ran into this issue too before, let me see if I can remember the exact config to fix your issue...
geezer Member Posts: 136
Cheers.
I have watched CBT Nuggets IINS and did what he did but it doesn't work for me when trying to apply role privs to a username/password combo.
notgoing2fail Member Posts: 1,138
I assume you are trying to login via telnet or SSH? Or is this console only for user "hello"?
If it's telnet, you can add this:
line vty 0 4
 privilege level 15
Then when the user logs in, they will be in "#" mode...
I'm not sure if that's the result you're looking for though...
geezer Member Posts: 136
Made a breakthrough courtesy of THIS link.
I am accessing via console so needed to:
aaa authorization console
aaa authorization exec test local
line con 0
 authorization exec test
Same goes for vty lines:
line vty 0 4
 authorization exec test
No mention of this is in my studies thus far.
Thanks for the help anyhow.
notgoing2fail Member Posts: 1,138
Fantastic, glad you figured it out. I will jot this down in my notes!
geezer Member Posts: 136
Certainly had my sore head getting sorer!!!
Please note my 'learning experience' in that I missed the 'local' db parameter above specifying the local database method.
aaa authorization ... overrides the privilege level 15 on the lines, but if it is just priv lvl 15 then you get full priv access rather than controlled role-based access, FYI.
Cheers
notgoing2fail Member Posts: 1,138
Good stuff... when you figure it out, it's better, you end up remembering it better!!!