Cisco View: Access to the CLI based on roles [Quick Guide]

7:29 pm May 5, 2017

I. Introduction

Have you ever wanted to define which commands each person on your team may type on your Cisco equipment?

This feature is available in the new Cisco IOS version 15.3. The option is called a “view”, and it lets you control which commands are available to the users who have access to this equipment.

For example, you can allow a trainee to type only the commands that start with “show” from exec mode. Moreover, from the same exec mode, we can forbid a specific account from displaying the configuration of our equipment with the command “show running-config”.

II. Procedure

In this second part we will see how to configure a view on Cisco equipment.

Activate the AAA model:

 ROUTER(config)# aaa new-model

Create the name of our view (in our case the name will be “it-connect”):

 ROUTER(config)# parser view it-connect

Once we have validated our view name, we enter config-view mode.

This step sets a password for our view.

 ROUTER(config-view)# secret itconnect

For example, we want to allow a user to enter only the commands that begin with “show”, give him access to configuration mode to configure routing, and forbid him from displaying the current configuration and the interface details with the commands “show running-config” and “show interfaces”.

 ROUTER(config-view)# commands exec include all show
 ROUTER(config-view)# commands exec exclude show running-config
 ROUTER(config-view)# commands exec exclude show interfaces
 ROUTER(config-view)# commands exec include configure terminal
 ROUTER(config-view)# commands configure include all router

We then create a user and associate it with the “view” we have already prepared.

 ROUTER(config)# username user01 view it-connect secret mypass

To test our configuration, we authenticate on the equipment with our account via SSH or Telnet.

We enter our view with the command enable view view-name:

 ROUTER> enable view it-connect
 Password: (the secret password defined in the view configuration)

Test our configuration:

 ROUTER# show ?
   aaa                Show AAA values
   aal2               Show commands for AAL2
   access-expression  List access expression system
  --More--
 ROUTER# show running-config
              ^
 % Invalid input detected at '^' marker.

 ROUTER(config)# ?
 Configure commands:
   do-exec  To run exec commands in config mode
   exit     Exit from configure mode
   router   Enable a routing process
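To check the same restrictions offline, the following added example (not part of the original guide, and not Cisco code) parses `parser view` blocks from a saved configuration and reports which view-bound users can still reach sensitive commands. The sample configuration is constructed from this guide's commands with placeholder hashes, the function names are hypothetical, and the rule evaluation ("most specific rule wins") is a simplifying assumption rather than the IOS parser's exact behaviour.

```python
import re

# Constructed running-config excerpt using the view and user from this guide.
SAMPLE_CONFIG = """\
aaa new-model
username user01 view it-connect secret 5 <hash-placeholder>
parser view it-connect
 secret 5 <hash-placeholder>
 commands exec include all show
 commands exec exclude show running-config
 commands exec exclude show interfaces
 commands exec include configure terminal
 commands configure include all router
"""

RULE = re.compile(r"^\s+commands (\S+) (include|exclude)( all)? (.+)$")

def parse_views(config):
    """Return {view: [(mode, action, is_all, command), ...]}."""
    views, current = {}, None
    for line in config.splitlines():
        if line.startswith("parser view "):
            current = views.setdefault(line.split()[2], [])
        elif not line.startswith(" "):
            current = None  # any unindented line ends the view block
        elif current is not None and (m := RULE.match(line)):
            current.append((m[1], m[2], bool(m[3]), m[4].strip()))
    return views

def parse_users(config):
    """Return {username: view} for accounts bound to a view."""
    return dict(re.findall(r"^username (\S+) view (\S+)", config, re.M))

def is_allowed(rules, mode, command):
    """Simplified model (assumption): the most specific matching rule decides."""
    best = None
    for r_mode, action, is_all, prefix in rules:
        hit = r_mode == mode and (command == prefix or command.startswith(prefix + " "))
        if action == "include" and not is_all:
            hit = hit and command == prefix  # plain include: exact command only
        if hit and (best is None or len(prefix) > len(best[1])):
            best = (action, prefix)
    return best is not None and best[0] == "include"

def audit(config, sensitive=("show running-config", "show interfaces")):
    """List (user, view, command) triples where a sensitive command is reachable."""
    views = parse_views(config)
    return [(u, v, c) for u, v in parse_users(config).items()
            for c in sensitive if is_allowed(views.get(v, []), "exec", c)]
```

An empty list from `audit()` means every view-bound user is blocked from the listed commands; removing an `exclude` line from the configuration makes the corresponding command appear in the result.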