role based views

notgoing2fail Member Posts: 1,138
Anyone play around with creating cli-views? I'm having a problem getting started.

I've tried both my router and switch and both lock me out when trying to enable views.

Both devices have "aaa new-model" enabled, with local authentication.

"aaa authentication login default local"

I've created a user account with priv 15 like so:

username brandon privilege 15 secret cisco


When I go to EXEC mode and type this:

"enable view"

I get prompted for a password, well, what other password can there possibly be? So I put in "cisco".

I then get this error:

% Authentication Failed

So I've checked out Cisco's doc and it seems a bit confusing, here's what they say:

Prerequisites

  Before you create a view, you must perform the following tasks:
  • Enable AAA via the aaa new-model command.
  • Ensure that your system is in root view—not privilege level 15.

So here's my DUH! question of the day, how do you get INTO ROOT VIEW in the first place? If privilege 15 isn't enough, then how do you do it? It seems like a catch 22?


Then Cisco's documentation says this for step #1:

enable view
Example:
Router> enable view

Enables root view.
Enter your privilege level 15 password (for example, root password) if prompted.

UMM WHAT??


Here's the link to the doc. Can anyone help me out here? Thanks!


Cisco IOS Security Configuration Guide: Securing User Services, Release 15.0 - Role-Based CLI Access [Cisco IOS Software Releases 15.0] - Cisco Systems

Comments

  • peanutnoggin Member Posts: 1,096
    Try using your enable secret password to enable your superview. See if that works out for you...
    We cannot have a superior democracy with an inferior education system!

    -Mayor Cory Booker
  • DevilWAH Member Posts: 2,997
    yes you need enable view

    and then enter your enable secret password.

    for this you have to of course set an enable secret password on the device ;)

    after that you have to decide if you are creating the privilege views or named views.
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
  • notgoing2fail Member Posts: 1,138
    Thanks guys, creating the enable secret password worked.

    I suppose I have gotten my own account password confused with the enable secret password......

    It's the little things that get you, I was banging my head over this! Glad I asked for help....

  • peanutnoggin Member Posts: 1,096
    No worries man... that's why TE is here! I love it when I can help someone out because I know I can count on these forums to help me out as well...
  • geezer Member Posts: 136
    Sorry to HJ this thread but can anyone tell me what I may be doing wrong as head is sore?

    I have enabled aaa new-model, created a view to allow exec sh interfaces and sh run commands. Then I created a local database entry to allow a user to login with those view credentials:

    username hello view myview password there

    which should allow a user of 'hello' with a password of 'there' to login and get the two show commands above for him/her. What is happening though is after login I am getting user mode prompt ( > ) instead of exec mode?!

    Any pointers?

    Cheers
    I used to be undecided but now I'm not so sure.

    There are only 10 types of people in the world: Those who understand binary, and those who don't!
  • notgoing2fail Member Posts: 1,138
    geezer wrote: »
    Sorry to HJ this thread but can anyone tell me what I may be doing wrong as head is sore?

    I have enabled aaa new-model, created a view to allow exec sh interfaces and sh run commands. Then I created a local database entry to allow a user to login with those view credentials:

    username hello view myview password there

    which should allow a user of 'hello' with a password of 'there' to login and get the two show commands above for him/her. What is happening though is after login I am getting user mode prompt ( > ) instead of exec mode?!

    Any pointers?

    Cheers

    When you create the user, try setting the privilege level as well...


    username hello privilege {priv. level} view myview password there

  • geezer Member Posts: 136
    Hi

    Tried that already but still don't get priv. mode.

    Also how would you remove a view? Information is scarce on this subject of username view privs and removing in my searches.

    Thanks
  • notgoing2fail Member Posts: 1,138
    geezer wrote: »
    Hi

    Tried that already but still don't get priv. mode.

    Also how would you remove a view? Information is scarce on this subject of username view privs and removing in my searches.

    Thanks

    Can you provide your config? You don't have to show your entire output, just the relevant info...

  • geezer Member Posts: 136
    enable secret 5 $1$VRlp$KekElh24pIEszqXmws5XS/
    !
    aaa new-model
    !
    aaa authentication login default local
    aaa authentication enable default enable
    !
    aaa session-id common
    memory-size iomem 5
    ip cef
    !
    multilink bundle-name authenticated
    !
    username hello privilege 15 view helpdesk password 0 there
    username ops view ops password 0 ops
    archive
     log config
      hidekeys
    !
    interface FastEthernet0/0
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    ip forward-protocol nd
    !
    ip http server
    no ip http secure-server
    !
    control-plane
    
    !
    line con 0
     exec-timeout 0 0
     logging synchronous
    line aux 0
    line vty 0 3
    line vty 4
    parser view helpdesk
     secret 5 $1$BJvE$TDcfqXSKFRwLh2S4FNjQB1
     commands exec include show interfaces
     commands exec include show running-config
     commands exec include show
    !
    parser view ops
     secret 5 $1$W/t2$1yrf7qDAbGfQYHCmwPFg..
     commands configure include line
    !
    !
    !
    end
  • geezer Member Posts: 136
    Still no joy. Am using GNS3 on 3725 router and can successfully login with view by typing:

    enable view myview

    without a problem, it's just I get the usermode prompt (>) still...
  • notgoing2fail Member Posts: 1,138
    geezer wrote: »
    Still no joy. Am using GNS3 on 3725 router and can successfully login with view by typing:

    enable view myview

    without a problem, it's just I get the usermode prompt (>) still...


    Yeah, I think I ran into this issue too before, let me see if I can remember the exact config to fix your issue....

  • geezer Member Posts: 136
    Cheers.

    I have watched CBT Nuggets IINS and did what he did, but it doesn't work for me when trying to apply role privs to a username/password combo
  • notgoing2fail Member Posts: 1,138
    geezer wrote: »
    Cheers.

    I have watched CBT Nuggets IINS and did what he did, but it doesn't work for me when trying to apply role privs to a username/password combo


    I assume you are trying to log in via telnet or SSH? Or is this console only for user "hello"?

    If it's telnet, you can add this:

    line vty 0 4
    privilege level 15

    Then when the user logs in, they will be in "#" mode....

    I'm not sure if that's the results you're looking for though....

  • geezer Member Posts: 136
    Made a breakthrough courtesy of THIS link

    I am accessing via console so needed to:
    aaa authorization console
    aaa authorization exec test local
    authorization exec test      ## under line con 0
    

    Same goes for vty lines:
    line vty 0 4
    authorization exec test
    

    No mention of this is in my studies thus far.

    Thanks for the help anyhow. :)
  • notgoing2fail Member Posts: 1,138
    Fantastic glad you figured it out. I will jot this down in my notes!

  • geezer Member Posts: 136
    :) Certainly had my sore head getting sorer!!!

    Please note my 'learning experience' in that I missed the 'local' db parameter above specifying local database method.

    aaa authorization ... overrides the privilege level 15 on the lines but if it is just priv lvl 15 then you get full priv access rather than controlled role-based access FYI

    Cheers
  • notgoing2fail Member Posts: 1,138
    geezer wrote: »
    :) Certainly had my sore head getting sorer!!!

    Please note my 'learning experience' in that I missed the 'local' db parameter above specifying local database method.

    aaa authorization ... overrides the privilege level 15 on the lines but if it is just priv lvl 15 then you get full priv access rather than controlled role-based access FYI

    Cheers


    Good stuff...when you figure it out, it's better, you end up remembering it better!!!
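Putting the thread's two fixes together (the enable secret that "enable view" asks for, and exec authorization from the local database so a view user does not land at the ">" prompt), here is a complete minimal configuration. This is an added example, not any poster's config: the view and user names follow geezer's config, the <...> secrets are placeholders, the list name roleauth is arbitrary, and "username ... view ... secret" assumes a release that accepts secret there (geezer's config uses password 0 instead).

```ios
! Added example, not a poster's config. Replace the <...> placeholders.
! Step 1: AAA plus an enable secret. "enable view" prompts for the
! enable secret, not the local user's password (the OP's lock-out).
aaa new-model
enable secret <enable-secret>
aaa authentication login default local
!
! Step 2: exec authorization from the local database. Without this a
! user bound to a view still gets the ">" prompt (geezer's issue).
! "aaa authorization console" is needed because AAA authorization is
! not applied to the console line by default.
aaa authorization console
aaa authorization exec roleauth local
!
! Step 3: the view itself. It must be created from root view, so:
!   Router> enable view          <- enter the enable secret here
!   Router# configure terminal
parser view helpdesk
 secret <view-secret>
 commands exec include show interfaces
 commands exec include show running-config
!
! Step 4: bind a local user to the view. No "privilege 15" is needed;
! the view, not the privilege level, decides what the user may run.
! (Assumption: your release accepts "secret" after "view"; use
! "password" as in geezer's config if it does not.)
username hello view helpdesk secret <user-secret>
!
! Step 5: apply the named authorization list to every line the user
! can reach. A named list is not applied to lines automatically.
line con 0
 authorization exec roleauth
line vty 0 4
 authorization exec roleauth
```

A quick check after logging in as hello: "show parser view" should report the helpdesk view and the prompt should be "#", with only the included show commands accepted.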
