CCNP2 lab 5 7 en

CCNP: Implementing Secure Converged Wide-area Networks v5.0 - Lab 5-7

Copyright © 2007, Cisco Systems, Inc

Lab 5.7 Configuring Role-Based CLI Views

Learning Objectives

• Configure prerequisites to role-based views

• Enable AAA on a router

• Change views on a router

• Create views and superviews

Topology Diagram

Scenario

In Lab 5.4, “Enhancing Router Security,” you assigned privilege levels to
specific commands entered at the command-line interface (CLI) prompt. Users
receive authorization for different command sets by authenticating with a
password.

In this lab, you will configure role-based CLI views, a newer method of
controlling which Cisco IOS commands a user can execute.

Step 1: Configure an Enable Secret Password

Set the R1 enable secret password to “cisco”.


R1(config)# enable secret cisco

Step 2: Enable AAA

One of the requirements for configuring role-based CLI views is enabling
authentication, authorization, and accounting (AAA) services. To begin, create a
user account in the local database with the username and password “cisco”.
The local database should be the only login authentication method in use. If you
do not set a default login method list when enabling AAA, you may get locked
out of the router if your EXEC session on the console line terminates. For more
information on configuring AAA with a local database, see Lab 5.8, “Configuring
AAA Using Local Authentication.”


R1(config)# username cisco password cisco
R1(config)# aaa new-model
R1(config)# aaa authentication login default local


When are you prompted to enter a username and password?

If there are no user accounts configured in the local database, are users able to
login?

Describe the concept of authentication in terms of networking and standard
authentication types.

Describe the concept of authorization in terms of networking and common items
in need of authorization.


Step 3: Change to the Root View

Role-based CLI views are a system for configuring individual roles on a
router. Each role has access to a specific group of commands. Controlling
command usage with roles is much more granular than configuring privilege
levels, because granting a user additional commands through a view does not
also authorize that user for the commands available at lower privilege levels.
This method of controlling command usage is newer, introduced in the Cisco IOS
12.3T software train. As of the time of this writing, you may configure up to
15 views on a router, not including the root view.

To show the current view, use the show parser view command. Compare this
output to that of the show privilege command.


R1# show privilege
Current privilege level is 15

R1# show parser view
No view is active ! Currently in Privilege Level Context

Available command sets are determined by either privilege level or by the view
being used, but not both simultaneously.

In order to configure the views feature, you must first access the root view,
which is not the same as being privilege level 15. Like the root user on a UNIX
system, the root view has full authorization to all CLI commands. Issue the
enable view name command using the root keyword in the name field.

Take special note that the root view password is the same as the enable
password. You will notice that a message is logged when the view is changed.
After entering the root view, display the privilege level and view.


R1# enable view root
Password: cisco

R1#

*Feb 12 05:09:06.442: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.

R1# show privilege
Currently in View Context with view 'root'
R1# show parser view
Current view is 'root'

Why must command authorization be managed by either views or privilege
levels?

Step 4: Create Views

The role-based view feature is fairly simple to implement. To create a view,
issue the parser view name command in global configuration mode. An
informational message that a new view has been created is logged to the
console.

Create a view named INTVIEW, which has monitoring capabilities for physical
and logical interfaces. Before defining the view’s command set, you must set a
password for the view using the view configuration secret password command.
The password is stored as an MD5 hash value. Use “iv” as the password.
Choose commands for the view using the commands prompt include
command-sequence command. Assign this view access to two commands:
show interface and clear counters.


R1(config)# parser view INTVIEW


R1(config-view)#
*Feb 12 05:12:32.954: %PARSER-6-VIEW_CREATED: view 'INTVIEW' successfully
created.
R1(config-view)# secret iv
R1(config-view)# commands exec include show interface
R1(config-view)# commands exec include clear counters

Before logging into the new view, display the commands that were just added.


R1# show run | section view
parser view INTVIEW
secret 5 $1$CPI4$HIAH8aEqPztTPW0VLBYT60
commands exec include show interfaces
commands exec include show
commands exec include clear counters
commands exec include clear

When you assign a privilege level to a command sequence, each keyword in
the sequence must have a corresponding privilege command in the
configuration. Similarly, a role-based view must explicitly include each
leading keyword of a multi-keyword command (the show and clear entries
added above), because of the manner in which the parser walks through
commands keyword by keyword.

Log in to the INTVIEW view with the enable view name command using the “iv”
password, and then enter ? to view the available command set.


R1# enable view INTVIEW
Password: iv

R1#

*Feb 12 05:32:31.106: %PARSER-6-VIEW_SWITCH: successfully set to view
'INTVIEW'.

R1# ?
Exec commands:
clear Reset functions
enable Turn on privileged commands
exit Exit from the EXEC
show Show running system information

R1# show ?
flash: display information about flash: file system
interfaces Interface status and configuration
parser Display parser information

R1# show interfaces
FastEthernet0/0 is administratively down, line protocol is down
Hardware is MV96340 Ethernet, address is 0019.0623.4380 (bia 0019.0623.4380)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
<OUTPUT OMITTED>

R1# clear ?
counters Clear counters on one or all interfaces

R1# clear counters
Clear "show interface" counters on all interfaces [confirm]
R1#


*Feb 12 05:32:55.318: %CLEAR-5-COUNTERS: Clear counter on all interfaces by
console

Log out of the INTVIEW view and log in to the root view before proceeding.


R1# enable view root
Password: cisco

R1#
*Feb 12 05:35:25.174: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.

Create another view named INTSHUT, and assign this view access to the
shutdown and no shutdown commands for the Fast Ethernet interfaces and
the menus necessary to configure these commands. Make the password for
this view “is”. If your router has different ports, use any two existing ports on the
router.

Which commands do you have to add to this view to allow the access defined
above?

Enter these commands as follows:


R1(config)# parser view INTSHUT
R1(config-view)#

*Feb 12 05:36:37.738: %PARSER-6-VIEW_CREATED: view 'INTSHUT' successfully
created.

R1(config-view)# secret is
R1(config-view)# commands exec include configure terminal
R1(config-view)# commands configure include interface
R1(config-view)# commands configure include interface fastethernet0/0
R1(config-view)# commands configure include interface fastethernet0/1
R1(config-view)# commands interface include shutdown
R1(config-view)# commands interface include no shutdown

Enter this new view to test out its privileges. Again, use ? to view the available
command set.


R1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# ?
Configure commands:
do To run exec commands in config mode
exit Exit from configure mode
interface Select an interface to configure

R1(config)# interface fastethernet0/0
R1(config-if)# ?
Interface configuration commands:
exit Exit from interface configuration mode


no Negate a command or set its defaults
shutdown Shutdown the selected interface

R1(config-if)# no shutdown
R1(config-if)#

*Feb 12 06:28:36.394: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state
to up
*Feb 12 06:28:37.394: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/0, changed state to up

R1(config-if)# shutdown

Return to the root view.


R1# enable view root
Password: cisco

R1#

Step 5: Create a Superview

A superview is the union of one or more regular views. It is created like a
regular view, but you use the superview keyword to define it. Name this
superview INTADMIN with the password “ia”. Finally, add the two existing views
to this superview using the view name command.


R1(config)# parser view INTADMIN superview
R1(config-view)#

*Feb 12 06:35:06.566: %PARSER-6-SUPER_VIEW_CREATED: super view 'INTADMIN'
successfully created.

R1(config-view)# secret ia
R1(config-view)# view INTVIEW

*Feb 12 06:35:21.086: %PARSER-6-SUPER_VIEW_EDIT_ADD: view INTVIEW added to
superview INTADMIN.

R1(config-view)# view INTSHUT

*Feb 12 06:35:29.594: %PARSER-6-SUPER_VIEW_EDIT_ADD: view INTSHUT added to
superview INTADMIN.

While still in the root view, display the available parser views and superviews
with the show parser view all command.


R1# show parser view all
Views/SuperViews Present in System:
INTVIEW
INTSHUT
INTADMIN *
-------(*) represent superview-------
R1#

Enter this view and see the available executable commands.


R1# enable view INTADMIN
Password:



R1#
*Feb 12 06:36:31.774: %PARSER-6-VIEW_SWITCH: successfully set to view
'INTADMIN'.
R1# ?
Exec commands:
clear Reset functions
configure Enter configuration mode
enable Turn on privileged commands
exit Exit from the EXEC
show Show running system information

Final Configuration


R1# show run
hostname R1
!
enable secret 5 $1$lETz$132w/UItPj25T6EFwChis1
!
aaa new-model
!
aaa authentication login default local
!
username cisco password 0 cisco
!
parser view INTVIEW
secret 5 $1$CPI4$HIAH8aEqPztTPW0VLBYT60
commands exec include show interfaces
commands exec include show
commands exec include clear counters
commands exec include clear
!
parser view INTSHUT
secret 5 $1$yeoh$asrBOTkwESSy.0lpCZgG.1
commands interface include shutdown
commands interface include no shutdown
commands interface include no
commands configure include interface
commands exec include configure terminal
commands exec include configure
commands configure include interface FastEthernet0/0
commands configure include interface FastEthernet0/1
!
parser view INTADMIN superview
secret 5 $1$QFfM$GUXOqAtkwSTKt1aKuYKdN/
view INTVIEW
view INTSHUT
end
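Added example (Python, not part of the Cisco lab): a small audit of the parser view blocks above, built on the show run | section view format shown in this lab. It applies the two rules the lab states: a superview's command set is the union of its member views, and every leading keyword of an included command sequence must itself be present in the view (IOS adds those entries automatically at the CLI, as the INTVIEW output showed). The sample configuration is constructed from the lab's final configuration with the secret lines omitted, plus a hypothetical hand-written view, BADVIEW, that lacks its parent keywords.

```python
import re
# Constructed sample: the lab's final-config 'parser view' blocks (secret lines
# omitted) plus a hand-written BADVIEW whose 'show ip route' lacks parent keywords.
SAMPLE_CONFIG = """\
parser view INTVIEW
 commands exec include show interfaces
 commands exec include show
 commands exec include clear counters
 commands exec include clear
parser view INTSHUT
 commands interface include shutdown
 commands interface include no shutdown
 commands interface include no
 commands configure include interface
 commands exec include configure terminal
 commands exec include configure
 commands configure include interface FastEthernet0/0
 commands configure include interface FastEthernet0/1
parser view INTADMIN superview
 view INTVIEW
 view INTSHUT
parser view BADVIEW
 commands exec include show ip route
"""

def parse_views(config):
    """Map view name -> {"superview": bool, "commands": {(mode, seq)}, "members": [names]}."""
    views, cur = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"parser view (\S+)( superview)?$", line):
            cur = views[m[1]] = {"superview": bool(m[2]), "commands": set(), "members": []}
        elif m := re.match(r"commands (\S+) include (.+)$", line):
            cur["commands"].add((m[1], m[2]))  # (parser mode, command sequence)
        elif m := re.match(r"view (\S+)$", line):
            cur["members"].append(m[1])  # member view of a superview
    return views

def effective_commands(views, name):
    """A superview grants the union of its member views' command sets."""
    v = views[name]
    if not v["superview"]:
        return set(v["commands"])
    return set().union(*(effective_commands(views, m) for m in v["members"]))

def missing_prefixes(commands):
    """(mode, prefix) pairs that multi-keyword sequences need but the view lacks."""
    prefixes = {(mode, " ".join(seq.split()[:n]))
                for mode, seq in commands for n in range(1, len(seq.split()))}
    return sorted(prefixes - set(commands))
```

Run missing_prefixes on a hand-edited view block before pasting it into a router; by the lab's rule, a non-empty result means the listed sequence would not be reachable from that view.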
