Cisco View: Role-based access to the CLI [Quick Guide]
With the newer Cisco IOS releases, this feature is available from version 15.3. It is called a "view" and lets you control which commands are available to the users who have access to the equipment.
For example, you can allow a trainee to type only the commands that begin with "show" in exec mode. Likewise, still from exec mode, you can forbid a specific account from displaying the configuration of the equipment with the command "show running-config".
In this second part we will see how to configure a view on Cisco equipment.
Activate the AAA model:
Router(config)# aaa new-model
Create our view and give it a name (in our case the name will be "it-connect"):
Router(config)# parser view it-connect
Once the view name has been validated, we enter config-view mode.
This step sets a password (secret) for our view:
Router(config-view)# secret itconnect
For example, we want to allow a user to enter only the commands that begin with "show", to give him access to configuration mode so that he can configure routing, and to forbid him from displaying the current configuration and the interface details, that is the commands "show running-config" and "show interfaces":
Router(config-view)# commands exec include all show
Router(config-view)# commands exec exclude show running-config
Router(config-view)# commands exec exclude show interfaces
Router(config-view)# commands exec include configure terminal
Router(config-view)# commands configure include all router
Next we create a user and associate it with the "view" we have just prepared:
Router(config)# username user01 view it-connect secret mypass
To test our configuration, we authenticate on the equipment with this account over SSH or Telnet.
We enter our view with the command enable view view-name:
Router> enable view it-connect
Password: (the secret defined in the view configuration)
We test our configuration:
Router# show ?
  aaa                Show AAA values
  aal2               Show commands for AAL2
  access-expression  List access expression
 --More--
Router# show running-config
                 ^
% Invalid input detected at '^' marker.
Router(config)# ?
Configure commands:
  do-exec  To run exec commands in config mode
  exit     Exit from configure mode
  router   Enable a routing process