Parser View
waymorr
Member Posts: 29 ■□□□□□□□□□
Ok I'm going to have to bite the bullett and ask for help.
I have setup my parser view helpdesk and created the username help and assigned this helpdesk view but whenever I login with my new view I get logged on as follows:
R1>?
Exec commands:
<1-99> Session number to resume
enable Turn on privileged commands
exit Exit from the EXEC
ping Send echo messages
show Show running system information
My selected commads are there but when I enable to the exec mode my view is switched back to normal view. I can switch back to the helpdesk view by the enable view command but this defeats the whole object of setting up the parser view profile.
I am using GNS3 with 2691 platform, I have posted my config I'm sure it's something simple but for the life of me I just can't see where I am going wrong.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Xv1z$Ez/WLZVzYUTBeXdd7LOr2/
enable password 7 0822404F1A0A
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
!
!
aaa session-id common
memory-size iomem 5
ip cef
!
!
no ip domain lookup
ip domain name home
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 $1$7QKI$yoFjXy1mBEXIKZfyUPsKJ/
username help privilege 15 view helpdesk secret 5 $1$tOZ/$6NW/TRQnYOpzDx.Y.j8Cl/
archive
log config
hidekeys
!
!
!
interface FastEthernet0/0
ip address 192.168.0.10 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
!
control-plane
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
transport input ssh
!
parser view helpdesk
secret 5 $1$VmUc$KMMzWibcdu/AjBhuhwoa6.
commands exec include ping
commands exec include all show
!
!
!
end
I have setup my parser view helpdesk and created the username help and assigned this helpdesk view but whenever I login with my new view I get logged on as follows:
R1>?
Exec commands:
<1-99> Session number to resume
enable Turn on privileged commands
exit Exit from the EXEC
ping Send echo messages
show Show running system information
My selected commads are there but when I enable to the exec mode my view is switched back to normal view. I can switch back to the helpdesk view by the enable view command but this defeats the whole object of setting up the parser view profile.
I am using GNS3 with 2691 platform, I have posted my config I'm sure it's something simple but for the life of me I just can't see where I am going wrong.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Xv1z$Ez/WLZVzYUTBeXdd7LOr2/
enable password 7 0822404F1A0A
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
!
!
aaa session-id common
memory-size iomem 5
ip cef
!
!
no ip domain lookup
ip domain name home
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 $1$7QKI$yoFjXy1mBEXIKZfyUPsKJ/
username help privilege 15 view helpdesk secret 5 $1$tOZ/$6NW/TRQnYOpzDx.Y.j8Cl/
archive
log config
hidekeys
!
!
!
interface FastEthernet0/0
ip address 192.168.0.10 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
!
control-plane
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
transport input ssh
!
parser view helpdesk
secret 5 $1$VmUc$KMMzWibcdu/AjBhuhwoa6.
commands exec include ping
commands exec include all show
!
!
!
end
Comments
-
logicmyfoot
Member Posts: 82 ■■□□□□□□□□
you need to define aaa authorization for exec and apply to console and vty.
aaa authorization exec test local
line vty 0 4
authorization exec test -
wheez
Member Posts: 74 ■■□□□□□□□□
username help privilege 15 view helpdesk secret 5 $1$tOZ/$6NW/TRQnYOpzDx.Y.j8Cl/
Not sure, but could you try removing the privilege 15 part here, and see what that does?WIP: Considering cert path.. :-) -
waymorr
Member Posts: 29 ■□□□□□□□□□
logicmyfoot wrote: »you need to define aaa authorization for exec and apply to console and vty.
aaa authorization exec test local
line vty 0 4
authorization exec test
Hi I'm sure I applied the authorisation exec default command to both the line and vty, but looking at the running config they are not showing, will try these commands when I get home and let you know -
wheez
Member Posts: 74 ■■□□□□□□□□
Hi I'm sure I applied the authorisation exec default command to both the line and vty, but looking at the running config they are not showing, will try these commands when I get home and let you know
That is correct. You don't see the authorization exec default commands simply because it's the default you have set in the 'global aaa configuration'.
I've been playing around with this a bit and honestly think it is working as it should. Say you created this view for helpdesk employees and just want them to perform basic throubleshooting (ping and show commands), you obviously don't want them to have the enable password, as that will grant them access to all other commands.
Feel free to correct me if I'm wrong..
WIP: Considering cert path.. :-) -
waymorr
Member Posts: 29 ■□□□□□□□□□
That is correct. You don't see the authorization exec default commands simply because it's the default you have set in the 'global aaa configuration'.
I've been playing around with this a bit and honestly think it is working as it should. Say you created this view for helpdesk employees and just want them to perform basic throubleshooting (ping and show commands), you obviously don't want them to have the enable password, as that will grant them access to all other commands.
Feel free to correct me if I'm wrong..
Hi your right in what you are saying but I also tried it with other users and views and tried to grant them access to the global config and it was still messing about!
However I have now got to the bottom of the problem and it seems like it was a GNS3 issue as I tried another platform with the same running config and that works like a charm, so we live and learn