Hello, it’s a pleasure to meet you again in this short tutorial. Today we will discuss how to configure role-based CLI views on a Cisco router. Role-based command-line interface views let us present different sets of commands to different administrators, so we can control exactly which commands an administrator can run on the router.
In this tutorial we use the CMD Enterprise network topology as our scenario. CMD Enterprise has one Cisco router, one switch, one syslog server and three types of administrator: Operator, Security Administrator and Network Administrator. Each administrator may only run the commands related to their job. The operator is able to:
- Ping and traceroute.
- Use all forms of the copy command.
- Use the show commands that are not related to security features.
- Configure the router’s banner, the hostname, the interfaces’ IP addresses, and the routing protocol.
- Configure the syslog logging solution. The security administrator cannot perform this configuration.
The security administrator has the right to run all security-related commands on the router, plus some exec commands such as ping, show and copy. The security administrator can configure SSH, which the operator cannot. The network administrator supervises both the operator and the security administrator and can therefore run every command available to either of them.

Picture 1. CMD Enterprise Network Topology
We also have a syslog server for monitoring the network. The syslog server’s IP address is 192.168.10.21/24, the IP address of interface FastEthernet 0/0 on the CMD router is 192.168.20.1/24, and the address of interface FastEthernet 0/1 is 192.168.10.1/24.
I. Configure Role-Based Access CLI
The first step in configuring role-based CLI views is to enable AAA with the following command:
Router_CMD(config)# aaa new-model
Router_CMD(config)# end
Before the second step, let’s first configure a username for the super admin and the privileged-mode password:
Router_CMD(config)# username SuperAdmin privilege 15 secret Cisco
Router_CMD(config)# enable secret Cisco2009
Then we apply local login authentication to both the console line and the virtual terminal lines:
Router_CMD(config)# aaa authentication login default local
Router_CMD(config)# line console 0
Router_CMD(config-line)# login authentication default
Router_CMD(config-line)# exit
Router_CMD(config)# line vty 0 4
Router_CMD(config-line)# login authentication default
Router_CMD(config-line)# exit
The second step is to enable the root view. The root view is the set of commands available to an administrator at privilege level 15. Issue the following command in privileged mode:
Router_CMD# enable view
Password: (input the password which is used to access privilege mode)
If no privileged-mode password is configured, you cannot enter the root view. To verify the current view, issue the following command: “show privilege”.
The third step is to create and configure a view for each type of administrator. Issue the “parser view name” command to create a new view; note that the view name is case sensitive. Before you can assign commands to a view, you must set the view’s password. For example:
A. Operator View
Router_CMD(config)# parser view operator_mode
Router_CMD(config-view)# secret operatorpswd
Router_CMD(config-view)# commands exec include ping
Router_CMD(config-view)# commands exec include traceroute
Router_CMD(config-view)# commands exec include all show
Router_CMD(config-view)# commands exec include all copy
Router_CMD(config-view)# commands exec include configure terminal
Router_CMD(config-view)# commands configure include banner
Router_CMD(config-view)# commands configure include hostname
Router_CMD(config-view)# commands configure include all interface
Router_CMD(config-view)# commands configure include all router
Router_CMD(config-view)# commands configure include-exclusive all logging
Router_CMD(config-view)# exit
The explanation of the “commands” command is shown below (excerpt from Cisco.com):
commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]
Example: Router(config-view)# commands exec include show version
Adds commands or interfaces to a view.
- parser-mode: The mode in which the specified command exists.
- include: Adds a command or an interface to the view and allows the same command or interface to be added to an additional view.
- include-exclusive: Adds a command or an interface to the view and excludes the same command or interface from being added to all other views.
- exclude: Excludes a command or an interface from the view; that is, customers cannot access a command or an interface.
- all: A “wildcard” that allows every command in a specified configuration mode that begins with the same keyword or every subinterface for a specified interface to be part of the view.
- interface interface-name: Interface that is added to the view.
- command: Command that is added to the view.
When you have finished, remember to leave view configuration with the “exit” command so that the view is committed to the running configuration. If you leave with Ctrl+Z instead, the commands configured for the operator_mode view are not saved.
B. Security Administrator View
Router_CMD(config)# parser view security_mode
Router_CMD(config-view)# secret secadminpswd
Router_CMD(config-view)# commands exec include ping
Router_CMD(config-view)# commands exec include all copy
Router_CMD(config-view)# commands exec include all show
Router_CMD(config-view)# commands exec include-exclusive all show crypto
Router_CMD(config-view)# commands exec include-exclusive all show key
Router_CMD(config-view)# commands exec include configure terminal
Router_CMD(config-view)# commands configure include-exclusive all crypto
Router_CMD(config-view)# commands configure include-exclusive all key
Router_CMD(config-view)# commands configure include all ip
Router_CMD(config-view)# commands configure include all line
Router_CMD(config-view)# exit
C. Network Administrator View
Because the network administrator can use every command available to both the operator and the security administrator, this administrator’s view is a superview, which groups existing views:
Router_CMD(config)# parser view network_mode superview
Router_CMD(config-view)# secret netadminpswd
Router_CMD(config-view)# view security_mode
Router_CMD(config-view)# view operator_mode
Router_CMD(config-view)# exit
Then we bind each view to its administrator’s user account:
Router_CMD(config)# username Operator view operator_mode secret operatorpswd
Router_CMD(config)# username SecAdmin view security_mode secret secadminpswd
Router_CMD(config)# username NetAdmin view network_mode secret netadminpswd
Router_CMD(config)# aaa authorization console
(Applies AAA authorization to the console line; use this global configuration command so console sessions are subject to authorization too.)
Router_CMD(config)# aaa authorization exec default local
(Determines, from the local user database, whether the user is allowed to run an EXEC shell; this is what places the user into the view bound to their username at login.)
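The following is an added example, not part of the original tutorial: a small Python model of the include, include-exclusive and superview semantics described in the Cisco excerpt, applied to an abridged copy of the views configured above. It is a simplified reading of those rules for reasoning about what each role can run, not the real IOS parser; the helper names are my own.

```python
import re

# Constructed view definitions, abridged from the three views configured above.
CONFIG = """
parser view operator_mode
 commands exec include all show
 commands configure include-exclusive all logging
parser view security_mode
 commands exec include all show
 commands exec include-exclusive all show crypto
 commands configure include-exclusive all crypto
parser view network_mode superview
 view security_mode
 view operator_mode
"""
RULE = re.compile(r"commands (\S+) (include-exclusive|include|exclude) (all )?(.+)")

def parse_views(text):
    """Return {view: {"rules": [(mode, action, wildcard, cmd)], "members": [...]}}."""
    views, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("parser view "):
            current = line.split()[2]
            views[current] = {"rules": [], "members": []}
        elif line.startswith("view "):          # member view of a superview
            views[current]["members"].append(line.split()[1])
        elif m := RULE.match(line):
            mode, action, wild, cmd = m.groups()
            views[current]["rules"].append((mode, action, bool(wild), cmd))
    return views

def matches(rule_cmd, wildcard, command):
    """'all X' covers X and every command starting with X; otherwise exact match."""
    return command == rule_cmd or (wildcard and command.startswith(rule_cmd + " "))

def allowed(views, name, mode, command):
    """Simplified model (assumption, mirrors the Cisco excerpt): usable if an include
    rule of this view or its members covers it and no other view reserved it."""
    mine = {name, *views[name]["members"]}
    granted = any(matches(c, w, command)
                  for v in mine for (m, a, w, c) in views[v]["rules"]
                  if m == mode and a != "exclude")
    reserved = any(matches(c, w, command)
                   for v, d in views.items() if v not in mine
                   for (m, a, w, c) in d["rules"]
                   if m == mode and a == "include-exclusive")
    return granted and not reserved
VIEWS = parse_views(CONFIG)
```

Under this model the operator’s broad “all show” is trimmed by the security view’s exclusive “all show crypto”, while the superview inherits both sides.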
II. Verify Role-Based Access CLI
Now it is time to prove that we can control exactly which commands an administrator can run. First, log in as the operator and configure the router for syslog; then log in as the security administrator and configure SSH.
A. Configure the Router for Syslog
I use Kiwi Syslog as my syslog server, and it is free. To send log messages from the router (syslog client) to Kiwi Syslog (syslog server), issue the following commands:
1. Router_CMD(config)# logging 192.168.10.21
The logging syslog-server-address command points the router at the syslog server’s IP address.
2. Router_CMD(config)# logging trap notifications
The logging trap command sets the trap level, i.e. the lowest severity forwarded to the server. There are eight severity levels: emergencies, alerts, critical, errors, warnings, notifications, informational and debugging. A level forwards the messages at that level and at every more severe level; debugging is the highest (most verbose) level and therefore includes the messages of every level below it.
3. Router_CMD(config)# logging source-interface FastEthernet0/1
The logging source-interface local-interface command sets the local interface whose address is used as the source of the log messages sent to the server.
To verify the syslog configuration, issue the following command: show logging
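As an added example (not from the original tutorial or Kiwi Syslog), the Python below parses router syslog lines of the kind this configuration produces, reproduces the trap-level filter set by “logging trap”, and extracts who changed the configuration from %SYS-5-CONFIG_I messages, which is how you audit the per-view activity configured in part I. The sample lines are constructed and assume the default local7 facility.

```python
import re

# Cisco severity names indexed by numeric level; 0 is the most severe.
SEVERITIES = ["emergencies", "alerts", "critical", "errors", "warnings",
              "notifications", "informational", "debugging"]
MSG = re.compile(r"<(?P<pri>\d+)>.*?%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-"
                 r"(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)")

# Constructed sample lines in the shape a Cisco router sends to a syslog server
# (local7 facility, so PRI = 23 * 8 + severity); not captured output.
SAMPLE = [
    "<189>45: *Mar  1 00:12:08.123: %SYS-5-CONFIG_I: Configured from console by Operator on vty0 (192.168.10.21)",
    "<190>46: *Mar  1 00:12:09.456: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.10.21 started",
    "<187>47: *Mar  1 00:13:01.789: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to down",
    "<191>48: *Mar  1 00:13:05.000: %SYS-7-USERLOG_DEBUG: Message from tty2(user id: NetAdmin): test",
]

def parse_message(line):
    """Split a router syslog line into PRI-derived and mnemonic-derived fields and
    flag lines whose PRI severity disagrees with the %FAC-SEV-MNEMONIC tag."""
    m = MSG.search(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    msg = {"facility_code": pri >> 3, "severity": pri & 7,
           "mnemonic": m.group("mnemonic"), "tag_severity": int(m.group("sev")),
           "text": m.group("text")}
    msg["consistent"] = msg["severity"] == msg["tag_severity"]
    return msg

def forwarded(lines, trap_level):
    """Messages a router configured with 'logging trap <trap_level>' would send:
    everything at that severity or more severe (numerically lower)."""
    limit = SEVERITIES.index(trap_level)
    msgs = [parse_message(l) for l in lines]
    return [m for m in msgs if m and m["severity"] <= limit]

def config_changes(lines):
    """Audit helper: (user, line) pairs from %SYS-5-CONFIG_I messages."""
    who = re.compile(r"by (\S+) on (\S+)")
    out = []
    for m in (parse_message(l) for l in lines):
        if m and m["mnemonic"] == "CONFIG_I" and (w := who.search(m["text"])):
            out.append((w.group(1), w.group(2)))
    return out
```

With “logging trap notifications”, the informational and debugging lines never reach the server, so keep the trap level at least at notifications if you want CONFIG_I audit messages.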
B. Enabling Secure Shell on a Router
Secure Shell (SSH) provides a secure connection between the router and the management workstation. The usual way to configure a router from a terminal emulator has been Telnet, but Telnet has a serious drawback: it does not encrypt the information transferred, so it is easy to intercept. When you configure SSH on a Cisco router, the router acts as an SSH server. The steps to configure a Cisco IOS router as an SSH server are:
1. Configure a domain name on your router:
Router_CMD(config)# ip domain-name CMD.com
2. Generate the RSA key pair used by SSH (note that IOS requires a modulus of at least 768 bits for SSH version 2, and 2048 bits is the usual recommendation today):
Router_CMD(config)# crypto key generate rsa general-keys modulus 512
3. Specify the SSH version you want to use:
Router_CMD(config)# ip ssh version 2
The default authentication timeout is 120 seconds; you can change it with the ip ssh time-out seconds command in global configuration mode. You can also set the number of SSH authentication retries allowed before the interface is reset with ip ssh authentication-retries number (the default is 3).
4. Allow SSH connections on all our vty lines with the transport input ssh command in line configuration mode. Remember to disable Telnet sessions with no transport input telnet in line configuration mode, so that only SSH connections are accepted on this router.
I hope this tutorial is informative for you. Thank you for reading.

Sir, how will I network this topology? I have 3 routers; 2 routers connect to the one router, and I also have two computers to connect to each router. Sir, please reply to this message. Sir, thanks.
In my humble opinion, what I can suggest is shown below:
1. My first suggestion is to copy all your user accounts to all three routers. This database is the same one required for establishing role-based CLI.
2. Another suggestion: you can use an external database server such as a Cisco Secure Access Control Server or a RADIUS server. Using such a server is very scalable because all infrastructure devices access a central server. For more information about the Cisco Secure ACS tutorial, you may visit the link provided.
I hope this information is helpful to you. Thanks.