
HOW TO CONFIGURE ROLE BASED CLI

How To Configure Role Based CLI Access For Network Administrators Or Users On A Cisco Router: Security Implementation

The network diagram and the addressing scheme in the network diagram are used for the configuration experimentation.

Role-based CLI access provides more flexibility than assigning privilege levels, because it specifies and defines which commands are available to a specific role assigned to a network administrator. Role-based CLI access allows a network administrator to assign different views of the router configuration to users. Each view defines what users can access through CLI commands. A view is an administrative role that is created with limited or unlimited privilege to access a network device, in this case a Cisco router. Role-based CLI access provides important functions such as security, availability and operational efficiency, and is not limited to these functions alone.

Role-based CLI access provides the following three types of views, and each view is used by an administrator to control which commands are available to users or other network administrators. These views are important, especially where there are numerous network administrators carrying out different roles within an organization.

Root view: When root view is configured for a network administrator, the access level is equivalent to level 15 of the privilege levels. They have different functionality, though, because a root view user can configure, add and remove configurations from the views assigned. Note that privilege levels and root view are different methods of controlling and assigning access and what users can and cannot do when connected to a network device such as a router.

CLI view: This is a standalone view, which does not inherit commands from other views such as root view or super view. As a result, the same command can be used in multiple views.

Super view: This is the highest view and is where a network administrator can define which commands are allowed on the router and which are visible to other administrators working in an organisation.
Super view users can configure multiple super views in a CLI view. Note that a command cannot be configured for a super view without being added to a CLI view and the CLI view added to the super view. Users who log in to a super view have access to the commands configured for the CLI views that are part of the super view. The password used by a super view user can be used to switch between the super view and a CLI view. Note that when administrators delete a super view, it does not delete the CLI views.

Note: To create a view, Authentication, Authorization and Accounting (AAA) needs to be configured or enabled on the Cisco router before a view can be created and configured. For an administrator to configure or alter a view, the administrator must be logged in to the root view. A root view must first be created before creating any view, because the root view has the privilege to create views.

The process of configuring a view is:

1. Enable AAA.
2. Create a view (there is a maximum limit of 15 views that can be configured on a Cisco router, though Cisco routers might differ, so it is a good idea to check).
3. Assign a secret password to the view if one is not already available.
4. Assign commands to the selected view.
5. Exit and save the configuration.

The process of creating and configuring a super view after creating the root view is listed below. Note that an administrator must be in root view to configure a super view and other views.

1. Create a view.
2. Assign a secret password.
3. Assign an existing view that is already configured.
4. Exit the super view and save the configuration.

How to assign and configure role-based CLI access for users or network administrators based on their functions.

Role Based Configuration CLI Access

Helpdesk user will be configured to use selected show commands.

Support Tech user will be configured to view all configurations, but not allowed to make changes to the router, including the debug command.

IT Head will be configured to have access to all high-level functionality commands such as show, config, debug and others.
How to configure the enable secret and console line on EDGE-Router if they have not already been configured:

    EDGE-Router>enable
    EDGE-Router#conf t
    EDGE-Router(config)#enable secret irfee100
    EDGE-Router(config)#line console 0
    EDGE-Router(config-line)#password free
    EDGE-Router(config-line)#login
    EDGE-Router(config-line)#exit
    EDGE-Router(config)#exit
    EDGE-Router#copy run start

On the EDGE-Router, how to configure AAA, enable the root view and enter the enable secret password configured:

    EDGE-Router#conf t
    EDGE-Router(config)#aaa new-model
    EDGE-Router(config)#exit
    EDGE-Router#enable view
    Password: skibbz100
    EDGE-Router#%PARSER-6-VIEW_SWITCH: successfully set to view root.
    EDGE-Router#copy run start

Enable view (enable the root view)

Role-Based View Examination After Configuration

How to configure and assign the Helpdesk role-based view to include show version, show parser view and show ip interface brief. First enter the root view, which is used to configure and assign role-based views.

    EDGE-Router#enable view
    Password: irfee100
    EDGE-Router#%PARSER-6-VIEW_SWITCH: successfully set to view root.
    EDGE-Router#conf t
    EDGE-Router(config)#parser view Helpdesk
    EDGE-Router(config-view)#%PARSER-6-VIEW_CREATED: view Helpdesk successfully created.
    EDGE-Router(config-view)#secret helpdeskirfee
    EDGE-Router(config-view)#command exec include show version
    EDGE-Router(config-view)#command exec include show parser view
    EDGE-Router(config-view)#command exec include show ip interface brief
    EDGE-Router(config-view)#exit
    EDGE-Router(config)#exit
    EDGE-Router#copy run start
    EDGE-Router#enable view Helpdesk
    Password: helpdeskirfee
    EDGE-Router#%PARSER-6-VIEW_SWITCH: successfully set to view Helpdesk.
    EDGE-Router#show parser view
    Current view is Helpdesk

How to configure and assign the Support Tech role-based view to allow all the show commands:

    EDGE-Router>en
    EDGE-Router#enable view
    Password: irfee100
    EDGE-Router#%PARSER-6-VIEW_SWITCH: successfully set to view root.
    EDGE-Router#conf t
    EDGE-Router(config)#parser view SupportTech
    EDGE-Router(config-view)#%PARSER-6-VIEW_CREATED: view SupportTech successfully created.
    EDGE-Router(config-view)#secret supporttechirfee
    EDGE-Router(config-view)#command exec include all show
    EDGE-Router(config-view)#end
    EDGE-Router#copy run start
    EDGE-Router#enable view SupportTech
    Password: supporttechirfee
    EDGE-Router#%PARSER-6-VIEW_SWITCH: successfully set to view SupportTech.
    EDGE-Router#show parser view
    Current view is SupportTech

How to configure and assign the IT Head role-based view to include all show, config, debug and reload commands:

    EDGE-Router>en
    EDGE-Router#enable view
    Password: irfee100
    EDGE-Router#%PARSER-6-VIEW_SWITCH: successfully set to view root.
    EDGE-Router#conf t
    EDGE-Router(config)#parser view ITHead
    EDGE-Router(config-view)#%PARSER-6-VIEW_CREATED: view ITHead successfully created.
    EDGE-Router(config-view)#secret itheadirfee
    EDGE-Router(config-view)#command exec include all show
    EDGE-Router(config-view)#command exec include all config terminal
    EDGE-Router(config-view)#command exec include all debug
    EDGE-Router(config-view)#command exec include all reload
    EDGE-Router(config-view)#exit
    EDGE-Router(config)#exit
    EDGE-Router#copy run start
    EDGE-Router#enable view ITHead
    Password: itheadirfee
    EDGE-Router#%PARSER-6-VIEW_SWITCH: successfully set to view ITHead.
    EDGE-Router#show parser view
    Current view is ITHead

Helpdesk role-based view examination after configuration

SupportTech role-based view examination after configuration

To delete a view, use the command no parser view; see the command used below.

    EDGE-Router(config)#no parser view SupportTech

Note that you can switch from a role-based view to a view assigned to users or administrators; see diagram.

The configuration can be verified using show running-config from the root view.

    EDGE-Router#show running-config

You do not have to use the save command when configuration is made to the router using a super view such as ITHead. Configuring role-based CLI access is more enhanced than configuring a privilege level.
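
An offline check of the view definitions in saved show running-config output, as an added example that is not part of the original page: it reports which views reach configure, debug or reload, and resolves a super view to the commands of its member CLI views as described in the super view section. The sample configuration and the NetOps super view are constructed for illustration, and the function names are hypothetical.

```python
import re
# Constructed sample shaped like "show running-config" output (secret lines
# omitted); the NetOps super view is an assumption, not a view from the page.
SAMPLE_CONFIG = """\
aaa new-model
parser view Helpdesk
 commands exec include show version
 commands exec include show parser view
 commands exec include show ip interface brief
parser view ITHead
 commands exec include all show
 commands exec include all configure terminal
 commands exec include all debug
 commands exec include all reload
parser view NetOps superview
 view Helpdesk
 view ITHead
"""
SENSITIVE = ("configure", "debug", "reload")

def parse_views(config):
    """Map view name -> {"superview": bool, "commands": [...], "members": [...]}."""
    views, cur = {}, None
    for line in config.splitlines():
        head = re.match(r"parser view (\S+)( superview)?\s*$", line)
        cmd = re.match(r"\s+commands? \S+ include (.+)$", line)
        member = re.match(r"\s+view (\S+)\s*$", line)
        if head:
            cur = views.setdefault(head.group(1), {"superview": bool(head.group(2)), "commands": [], "members": []})
        elif cur is not None and cmd:
            cur["commands"].append(cmd.group(1).strip())
        elif cur is not None and member:
            cur["members"].append(member.group(1))
        elif not line.startswith(" "):
            cur = None  # an unindented line closes the view stanza
    return views

def effective_commands(views, name):
    # Own commands plus, for a super view, those of its member CLI views.
    names = [name] + views[name]["members"]
    return sorted({c for n in names if n in views for c in views[n]["commands"]})

def audit(config):
    # Findings: AAA not enabled, and every view that reaches a sensitive command.
    findings = [] if re.search(r"^aaa new-model\s*$", config, re.M) else ["aaa new-model missing"]
    views = parse_views(config)
    for name in views:
        hits = sorted({w for c in effective_commands(views, name) for w in SENSITIVE if w in c.split()})
        if hits:
            findings.append(f"{name}: grants {', '.join(hits)}")
    return findings
```

Run audit() over the saved configuration after each change to views; a super view shows up in the findings whenever any of its member views carries a sensitive command.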
