Role-Based CLI Access
First Published: February 24, 2004
Last Updated: March 30, 2011
The Role-Based CLI Access feature allows the network administrator to define "views," which are a set of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration (config) mode commands. Views restrict user access to Cisco IOS command-line interface (CLI) and configuration information; that is, a view can define what commands are accepted and what configuration information is visible. Thus, network administrators can exercise better control over access to Cisco networking devices.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Role-Based CLI Access" section.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
• Prerequisites for Role-Based CLI Access
• Restrictions for Role-Based CLI Access
• Information About Role-Based CLI Access
• How to Use Role-Based CLI Access
• Configuration Examples for Role-Based CLI Access
• Feature Information for Role-Based CLI Access
Prerequisites for Role-Based CLI Access
Your image must support CLI views.
Restrictions for Role-Based CLI Access
Lawful Intercept Images Limitation
Because CLI views are a part of the Cisco IOS parser, CLI views are a part of all platforms and Cisco IOS images. However, the lawful intercept view is available only in images that contain the lawful intercept subsystem.
Maximum Number of Allowed Views
The maximum number of CLI views and superviews, including one lawful intercept view, that can be configured is 15. (This does not include the root view.)
Information About Role-Based CLI Access
• View Authentication via a New AAA Attribute
Benefits of Using CLI Views
Views: Detailed Access Control
Although users can control CLI access via both privilege levels and enable mode passwords, these functions do not provide network administrators with the level of detail needed when working with Cisco IOS routers and switches. CLI views provide a more detailed access control capability for network administrators, thereby improving the overall security and accountability of Cisco IOS software.
As of Cisco IOS Release 12.3(11)T, network administrators can also assign an interface or a group of interfaces to a view, thereby allowing access on the basis of specified interfaces.
Root View
When a system is in "root view," it has the same access privileges as a user who has level 15 privileges. If the administrator wishes to configure any view on the system (such as a CLI view, a superview, or a lawful intercept view), the system must be in root view.
The difference between a user who has level 15 privileges and a root view user is that a root view user can configure a new view and add or remove commands from the view. Also, when you are in a CLI view, you have access only to the commands that have been added to that view by the root view user.
About Lawful Intercept Views
Like a CLI view, a lawful intercept view restricts access to specified commands and configuration information. Specifically, a lawful intercept view allows a user to secure access to lawful intercept commands that are held within the TAP-MIB, which is a special set of Simple Network Management Protocol (SNMP) commands that store information about calls and users.
Commands available in lawful intercept view belong to one of these categories:
• Lawful intercept commands that should not be made available to any other view or privilege level
• CLI views that are useful for lawful intercept users but do not have to be excluded from other views or privilege levels
About Superviews
A superview consists of one or more CLI views, which allow users to define what commands are accepted and what configuration information is visible. Superviews allow a network administrator to easily assign all users within configured CLI views to a superview instead of having to assign multiple CLI views to a group of users.
Superviews have these characteristics:
• A CLI view can be shared among multiple superviews.
• Commands cannot be configured for a superview; that is, you must add commands to the CLI view and add that CLI view to the superview.
• Users who are logged into a superview can access all of the commands that are configured for any of the CLI views that are part of the superview.
• Each superview has a password that is used to switch between superviews or from a CLI view to a superview.
• Deleting a superview does not delete the CLI views associated with that superview.
View Authentication via a New AAA Attribute
View authentication is performed by an external authentication, authorization, and accounting (AAA) server via the new attribute "cli-view-name."
AAA authentication associates only one view name to a particular user; that is, only one view name can be configured for a user in an authentication server.
How to Use Role-Based CLI Access
• Configuring a CLI View (required)
• Configuring a Lawful Intercept View (optional)
• Configuring a Superview (optional)
• Monitoring Views and View Users (optional)
Configuring a CLI View
Perform this task to create a CLI view and add commands or interfaces to the view, as appropriate.
Prerequisites
Before you create a view, you must perform the following tasks:
• Enable AAA via the aaa new-model command.
• Ensure that your system is in root view, not privilege level 15.
SUMMARY STEPS
1. enable view
2. configure terminal
3. parser view view-name
4. secret 5 encrypted-password
5. commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]
6. exit
7. exit
8. enable [privilege-level] [view view-name]
9. show parser view [all]
DETAILED STEPS
Troubleshooting Tips
After you have successfully created a view, a system message such as the following is displayed:
%PARSER-6-VIEW_CREATED: view `first' successfully created.
After you have successfully deleted a view, a system message such as the following is displayed:
%PARSER-6-VIEW_DELETED: view `first' successfully deleted.
You must associate a password with a view. If you do not associate a password, and you attempt to add commands to the view via the commands command, a system message such as the following will be displayed:
%Password not set for view <viewname>.
Configuring a Lawful Intercept View
Perform this task to initialize and configure a view for lawful-intercept-specific commands and configuration information.
Prerequisites
Before you initialize a lawful intercept view, ensure that the privilege level is set to 15 via the privilege command.
Restrictions
Only an administrator or a user who has level 15 privileges can initialize a lawful intercept view.
SUMMARY STEPS
1. enable view
2. configure terminal
3. li-view li-password user username password password
4. username [lawful-intercept] name [privilege privilege-level | view view-name] password password
5. parser view view-name
6. secret 5 encrypted-password
7. name new-name
DETAILED STEPS
Troubleshooting Tips
To display information for all users who have access to a lawful intercept view, issue the show users lawful-intercept command. (This command is available only to authorized lawful intercept view users.)
Configuring a Superview
Perform this task to create a superview and add at least one CLI view to the superview.
Prerequisites
Before adding a CLI view to a superview, ensure that the CLI views that are added to the superview are valid views in the system; that is, the views have been successfully created via the parser view command.
Restrictions
You can add a view to a superview only after a password has been configured for the superview (via the secret 5 command). Thereafter, issue the view command in view configuration mode to add at least one CLI view to the superview.
SUMMARY STEPS
1. enable view
2. configure terminal
3. parser view superview-name superview
4. secret 5 encrypted-password
5. view view-name
6. exit
7. exit
8. show parser view [all]
DETAILED STEPS
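The following Python script is an added example, not Cisco's code, that applies the rules stated in this module offline to a running-config excerpt before it is pushed to a device: it parses parser view stanzas (the format the configuration examples later in this module show), decides whether a given command is available in a CLI view or superview, and reports the conditions the prerequisites and restrictions above describe (a view without a secret, a superview naming a view that was never created, more than 15 views excluding root, and a command claimed include-exclusive by more than one view). The resolution model for include, include all, include-exclusive and exclude is an assumption distilled from this module's own examples, and SAMPLE_CONFIG, including its placeholder secrets, is constructed.

```python
import re

# Constructed running-config excerpt in the shape of the "parser view" stanzas
# shown in this document; the "secret 5" values are placeholders, not real hashes.
SAMPLE_CONFIG = """\
parser view first
 secret 5 $1$PLACEHOLDER$hashA
 commands exec include configure terminal
 commands exec include all show ip
 commands exec include show version
!
parser view second
 commands exec include-exclusive show ip interface
 commands exec include logout
!
parser view su_view1 superview
 secret 5 $1$PLACEHOLDER$hashC
 view first
 view second
 view third
!
"""

MAX_VIEWS = 15  # documented limit for CLI views plus superviews, root view excluded

CMD_RE = re.compile(r"commands\s+(?P<mode>\S+)\s+(?P<action>include-exclusive|include|exclude)"
                    r"(?P<all>\s+all)?\s+(?P<cmd>.+)$")


def parse_views(config):
    """name -> {superview, secret, rules, members}; a rule is (parser_mode, action, all_flag, command)."""
    views, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("parser view "):
            parts = line.split()
            current = views.setdefault(parts[2], {
                "superview": len(parts) == 4 and parts[3] == "superview",
                "secret": False, "rules": [], "members": []})
        elif current is None or not line or line == "!":
            continue
        elif line.startswith("secret "):
            current["secret"] = True
        elif line.startswith("view ") and current["superview"]:
            current["members"].append(line.split()[1])
        elif (m := CMD_RE.match(line)):
            current["rules"].append((m["mode"], m["action"], bool(m["all"]), m["cmd"].strip()))
    return views


def _covers(rule_cmd, all_flag, cmd):
    """A rule covers cmd when it names it or, with 'all', any whole-word
    extension of it ('show ip' covers 'show ip route')."""
    return cmd == rule_cmd or (all_flag and cmd.startswith(rule_cmd + " "))


def exclusive_owner(views, mode, cmd):
    """The view that claims cmd with include-exclusive, or None."""
    for name, view in views.items():
        for r_mode, action, all_flag, r_cmd in view["rules"]:
            if r_mode == mode and action == "include-exclusive" and _covers(r_cmd, all_flag, cmd):
                return name
    return None


def allowed_in_view(views, name, mode, cmd):
    """Assumed model, distilled from this document's examples: a superview
    allows what any member view allows; a CLI view allows cmd when an include
    or include-exclusive rule covers it, no exclude rule covers it, and no
    other view claims it include-exclusive."""
    view = views[name]
    if view["superview"]:
        return any(m in views and allowed_in_view(views, m, mode, cmd) for m in view["members"])
    owner = exclusive_owner(views, mode, cmd)
    if owner not in (None, name):
        return False
    hits = [action for r_mode, action, all_flag, r_cmd in view["rules"]
            if r_mode == mode and _covers(r_cmd, all_flag, cmd)]
    return bool(hits) and "exclude" not in hits


def audit(views):
    """Findings to clear before rolling the views out."""
    findings, claims = [], {}
    if len(views) > MAX_VIEWS:
        findings.append(f"{len(views)} views configured; the limit is {MAX_VIEWS} excluding root")
    for name, view in views.items():
        if not view["secret"]:
            findings.append(f"view {name}: no secret configured")
        for member in view["members"]:
            if member not in views:
                findings.append(f"superview {name}: member view {member} does not exist")
        for mode, action, _, cmd in view["rules"]:
            if action == "include-exclusive":
                claims.setdefault((mode, cmd), []).append(name)
    for (mode, cmd), owners in claims.items():
        if len(owners) > 1:
            findings.append(f"{mode} '{cmd}' is include-exclusive in several views: {', '.join(owners)}")
    return findings


if __name__ == "__main__":
    v = parse_views(SAMPLE_CONFIG)
    print(allowed_in_view(v, "first", "exec", "show ip interface"), audit(v))
```

Run against the sample, the audit reports that view second has no secret and that superview su_view1 names a view (third) that does not exist, and the resolver shows show ip interface denied in view first because view second claims it include-exclusive, matching the behaviour described in the CLI view examples.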
Monitoring Views and View Users
To display debug messages for all views—root, CLI, lawful intercept, and super—use the debug parser view command in privileged EXEC mode.
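To complement the debug parser view command, the following Python script is an added example (not Cisco's code) that turns the %PARSER-6 view messages quoted in this module into events a log pipeline can act on: it extracts the event type and view name from each message and separates definition changes (a view created or deleted, or the lawful intercept view initialized) from ordinary view switches, so a configuration-change review can reconcile them against approved changes. The syslog line layout and the SAMPLE_LOG lines are constructed, and the host-field position assumes that layout.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed syslog lines carrying the %PARSER-6 view messages this document
# quotes; host names, sequence numbers and timestamps are made up.
SAMPLE_LOG = """\
Mar 30 10:01:02 edge-rtr1 12: 00:11:40: %PARSER-6-VIEW_CREATED: view `first' successfully created.
Mar 30 10:05:17 edge-rtr1 13: 00:15:55: %PARSER-6-VIEW_SWITCH: successfully set to view 'first'.
Mar 30 10:07:44 edge-rtr1 14: 00:18:22: %PARSER-6-VIEW_DELETED: view `second' successfully deleted.
Mar 30 10:09:01 core-rtr2 15: 00:19:25: %PARSER-6-LI_VIEW_INIT: LI-View initialized.
Mar 30 10:09:30 core-rtr2 16: 00:19:54: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# The view name is quoted as `name' in the created/deleted messages and as
# 'name' in the switch message, so both quote styles are accepted.
EVENT_RE = re.compile(
    r"%PARSER-6-(?P<event>VIEW_CREATED|VIEW_DELETED|VIEW_SWITCH|LI_VIEW_INIT):"
    r"(?:[^`']*[`'](?P<view>[^`']+)[`'])?")

# Events that change which views exist rather than who is using one.
DEFINITION_EVENTS = {"VIEW_CREATED", "VIEW_DELETED", "LI_VIEW_INIT"}


@dataclass
class ViewEvent:
    host: str
    event: str
    view: Optional[str]
    changes_definition: bool


def parse_view_events(log_text):
    """Extract view-related events from syslog text; other messages are skipped."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        host = line.split()[3]  # constructed layout: "Mon DD HH:MM:SS host seq: ..."
        events.append(ViewEvent(host, m["event"], m["view"],
                                m["event"] in DEFINITION_EVENTS))
    return events


def definition_changes(events):
    """Per host, the view definitions created, deleted or initialized, in order,
    for reconciliation against approved configuration changes."""
    changes = {}
    for ev in events:
        if ev.changes_definition:
            changes.setdefault(ev.host, []).append((ev.event, ev.view))
    return changes


if __name__ == "__main__":
    for host, items in definition_changes(parse_view_events(SAMPLE_LOG)).items():
        print(host, items)
```

View switches are kept as events but not counted as definition changes, so a dashboard can show who entered which view without burying the rarer creation, deletion and lawful intercept initialization messages that warrant a change-control check.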
Configuration Examples for Role-Based CLI Access
• Example: Configuring a CLI View
• Example: Verifying a CLI View
• Example: Configuring a Lawful Intercept View
• Example: Configuring a Superview
Example: Configuring a CLI View
The following example shows how to configure two CLI views, "first" and "second." Thereafter, you can verify the CLI view in the running configuration.
Router(config)# parser view first
00:11:40:%PARSER-6-VIEW_CREATED:view 'first' successfully created.
Router(config-view)# secret 5 firstpass
Router(config-view)# command exec include show version
Router(config-view)# command exec include configure terminal
Router(config-view)# command exec include all show ip
Router(config-view)# exit
Router(config)# parser view second
00:13:42:%PARSER-6-VIEW_CREATED:view 'second' successfully created.
Router(config-view)# secret 5 secondpass
Router(config-view)# command exec include-exclusive show ip interface
Router(config-view)# command exec include logout
Router(config-view)# exit
!
!
Router(config-view)# do show run | beg view
parser view first
secret 5 $1$MCmh$QuZaU8PIMPlff9sFCZvgW/
commands exec include configure terminal
commands exec include configure
commands exec include all show ip
commands exec include show version
commands exec include show
!
parser view second
secret 5 $1$iP2M$R16BXKecMEiQesxLyqygW.
commands exec include-exclusive show ip interface
commands exec include show ip
commands exec include show
commands exec include logout
!
Example: Verifying a CLI View
After you have configured the CLI views "first" and "second," you can issue the enable view command to verify which commands are available in each view. The following example shows which commands are available inside the CLI view "first" after the user has logged into this view. (Because the show ip command is configured with the all option, a complete set of suboptions is shown, except the show ip interface command, which is using the include-exclusive keyword in the second view.)
Router# enable view first
Password:
00:28:23:%PARSER-6-VIEW_SWITCH:successfully set to view 'first'.
Router# ?
Exec commands:
configure  Enter configuration mode
enable  Turn on privileged commands
exit  Exit from the EXEC
show  Show running system information
Router# show ?
ip  IP information
parser  Display parser information
version  System hardware and software status
Router# show ip ?
access-lists  List IP access lists
accounting  The active IP accounting database
aliases  IP alias table
arp  IP ARP table
as-path-access-list  List AS path access lists
bgp  BGP information
cache  IP fast-switching route cache
casa  display casa information
cef  Cisco Express Forwarding
community-list  List community-list
dfp  DFP information
dhcp  Show items in the DHCP database
drp  Director response protocol
dvmrp  DVMRP information
eigrp  IP-EIGRP show commands
extcommunity-list  List extended-community list
flow  NetFlow switching
helper-address  helper-address table
http  HTTP information
igmp  IGMP information
irdp  ICMP Router Discovery Protocol
...
Example: Configuring a Lawful Intercept View
The following example shows how to configure a lawful intercept view, add users to the view, and verify the users that were added:
! Initialize the LI-View.
Router(config)# li-view lipass user li_admin password li_adminpass
00:19:25:%PARSER-6-LI_VIEW_INIT:LI-View initialized.
Router(config)# end
! Enter the LI-View; that is, check to see what commands are available within the view.
Router# enable view li-view
Password:
Router#
00:22:57:%PARSER-6-VIEW_SWITCH:successfully set to view 'li-view'.
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# parser view li-view
Router(config-view)# ?
View commands:
commands  Configure commands for a view
default  Set a command to its defaults
exit  Exit from view configuration mode
name  New LI-View name ===This option only resides in LI View.
no  Negate a command or set its defaults
password  Set a password associated with CLI views
Router(config-view)#
! NOTE: LI View configurations are never shown as part of `running-configuration'.
! Configure LI Users.
Router(config)# username lawful-intercept li-user1 password li-user1pass
Router(config)# username lawful-intercept li-user2 password li-user2pass
! Displaying LI User information.
Router# show users lawful-intercept
li_admin
li-user1
li-user2
Router#
Example: Configuring a Superview
The following sample output from the show running-config command shows that "view_one" and "view_two" have been added to superview "su_view1," and "view_three" and "view_four" have been added to superview "su_view2":
!
parser view su_view1 superview
secret 5 <encoded password>
view view_one
view view_two
!
parser view su_view2 superview
secret 5 <encoded password>
view view_three
view view_four
!
Additional References
Related Documents
Related Topic: Cisco IOS commands
Related Topic: Security commands
Related Topic: SNMP, MIBs, CLI configuration
Document Title: Cisco IOS Network Management Configuration Guide, Release 15.0
Related Topic: Privilege levels
MIBs
MIBs: None
MIBs Link: To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL:
Technical Assistance
Feature Information for Role-Based CLI Access
Table 1 lists the release history for this feature.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
Table 1 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2004-2011 Cisco Systems, Inc. All rights reserved
