
CCNP: Implementing Secure Converged Wide-area Networks v5.0 - Lab 5-7 

Copyright © 2007, Cisco Systems, Inc 

Lab 5.7 Configuring Role-Based CLI Views 

Learning Objectives 

•  Configure prerequisites to role-based views 

•  Enable AAA on a router 

•  Change views on a router 

•  Create views and superviews 

Topology Diagram 

 

Scenario 

In Lab 5.4, “Enhancing Router Security,” you assigned privilege levels to 
specific commands entered at the command-line interface (CLI) prompt. Users 
receive authorization for different command sets by authenticating with a 
password. 

In this lab, you will configure role-based CLI views, a newer method of 
controlling which Cisco IOS commands a user can execute.  

Step 1: Configure an Enable Secret Password 

Set the R1 enable secret password to “cisco”. 

 
R1(config)# enable secret cisco 

Step 2: Enable AAA 

One of the requirements for configuring role-based CLI views is that 
authentication, authorization, and accounting (AAA) services are enabled. To 
begin, create a user account in the local database with the username and 
password “cisco”. The local database should be the only login authentication 
method in use. If you do not set a default login method list when enabling AAA, 
you may get locked out of the router if your EXEC session on the console line 
terminates. Note that username cisco password cisco stores the password in 
cleartext (it appears as username cisco password 0 cisco in the final 
configuration); outside a lab, use username cisco secret password so that only 
a hash is stored. For more information on configuring AAA with a local 
database, see Lab 5.8, “Configuring AAA Using Local Authentication.” 

 
R1(config)# username cisco password cisco 
R1(config)# aaa new-model 
R1(config)# aaa authentication login default local 


When are you prompted to enter a username and password? 

 

 

If there are no user accounts configured in the local database, are users able to 
log in? 

 

 

 

Describe the concept of authentication in terms of networking and standard 
authentication types. 

 

 

 

Describe the concept of authorization in terms of networking and common items 
in need of authorization. 

 

 


 

Step 3: Change to the Root View 

Role-based CLI views let you configure individual roles on a router, each with 
access to a specific group of commands. Views are more granular than privilege 
levels because privilege levels are cumulative: a user at level 15 also holds 
every command assigned to levels 1 through 14, so giving a user one more 
command means raising the level and granting everything below it as well. A 
view grants only the commands explicitly assigned to it, regardless of the 
privilege level those commands normally require. This method of controlling 
command usage is newer, introduced in the Cisco IOS 12.3T software train. As of 
the time of this writing, you may configure up to 15 views on a router, not 
including the root view. 

To show the current view, use the show parser view command. Compare this 
output to that of the show privilege command. 

 


R1# show privilege
Current privilege level is 15 
 
R1# show parser view
No view is active ! Currently in Privilege Level Context 

Available command sets are determined by either privilege level or by the view 
being used, but not both simultaneously. 

In order to configure the views feature, you must first access the root view, 
which is not the same as being at privilege level 15. Like the root user on a 
UNIX system, the root view has full authorization to all CLI commands, 
including creating and modifying the other views. Issue the enable view name 
command using the root keyword in the name field.  

Take special note that the root view password is the enable secret configured 
in Step 1 (“cisco”), not a separate view secret. Anyone who holds the enable 
secret can therefore enter the root view and change every other view, so it 
must be protected at least as carefully as the views it governs. You will notice 
that a message is logged when the view is changed. After entering the root view, 
display the privilege level and view. 

 
R1# enable view root
Password: cisco 
 
R1# 
 
*Feb 12 05:09:06.442: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'. 
 
R1# show privilege  
Currently in View Context with view 'root' 
R1# show parser view 
Current view is 'root' 

Why must command authorization be managed by either views or privilege 
levels? 

 

 

Step 4: Create Views 

The role-based view feature is fairly simple to implement. To create a view, 
issue the parser view name command in global configuration mode. An 
informational message that a new view has been created is logged to the 
console.  

Create a view named INTVIEW, which has monitoring capabilities for physical 
and logical interfaces. Before defining the view’s command set, you must set a 
password for the view using the view configuration secret password command. 
The password is stored as a type 5 (salted MD5) hash; MD5 is fast to 
brute-force offline, so treat any copy of the running configuration as 
sensitive. Use “iv” as the password. Choose commands for the view using the 
commands parser-mode include command-sequence command, where parser-mode is 
the mode in which the command is entered (exec, configure, interface, and so 
on). Assign this view access to two commands: show interface and clear 
counters. 

 
R1(config)# parser view INTVIEW 


R1(config-view)# 
*Feb 12 05:12:32.954: %PARSER-6-VIEW_CREATED: view 'INTVIEW' successfully 
created. 
R1(config-view)# secret iv      
R1(config-view)# commands exec include show interface 
R1(config-view)# commands exec include clear counters 

Before logging into the new view, display the commands that were just added. 

 
R1# show run | section view 
parser view INTVIEW 
 secret 5 $1$CPI4$HIAH8aEqPztTPW0VLBYT60 
 commands exec include show interfaces 
 commands exec include show 
 commands exec include clear counters 
 commands exec include clear 

Notice that IOS added commands exec include show and commands exec include 
clear on its own, and stored show interface in its full form, show interfaces. 
When you assign a privilege level to a command sequence, each keyword in the 
sequence must have a corresponding privilege command in the configuration. 
Role-based views have the same requirement: the parser walks a command one 
keyword at a time, so a view that is allowed show interfaces must also be 
allowed show, or the parser never reaches the second keyword. IOS adds these 
prefix entries for you when you configure the view interactively; a 
configuration built by hand or from a template must include them explicitly. 

Log in to the INTVIEW view with the enable view name command using the “iv” 
password, and then enter ? to view the available command set. 

 
R1# enable view INTVIEW 
Password: iv 
 
R1# 
 
*Feb 12 05:32:31.106: %PARSER-6-VIEW_SWITCH: successfully set to view 
'INTVIEW'. 
 
R1# ? 
Exec commands: 
  clear   Reset functions 
  enable  Turn on privileged commands 
  exit    Exit from the EXEC 
  show    Show running system information 
 
R1# show ? 
  flash:      display information about flash: file system 
  interfaces  Interface status and configuration 
  parser      Display parser information 
          
R1# show interfaces  
FastEthernet0/0 is administratively down, line protocol is down  
  Hardware is MV96340 Ethernet, address is 0019.0623.4380 (bia 0019.0623.4380) 
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,  
     reliability 255/255, txload 1/255, rxload 1/255 
<OUTPUT OMITTED> 
           
R1# clear ? 
  counters  Clear counters on one or all interfaces 
 
R1# clear counters 
Clear "show interface" counters on all interfaces [confirm] 
R1# 
 


*Feb 12 05:32:55.318: %CLEAR-5-COUNTERS: Clear counter on all interfaces by 
console 

Log out of the INTVIEW view and log in to the root view before proceeding. 

 
R1# enable view root 
Password: cisco 
 
R1# 
*Feb 12 05:35:25.174: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'. 

Create another view named INTSHUT, and assign this view access to the 
shutdown and no shutdown commands for the Fast Ethernet interfaces and 
the menus necessary to configure these commands. Make the password for 
this view “is”. If your router has different ports, use any two existing ports on the 
router. 

Which commands do you have to add to this view to allow the access defined 
above? 

 

 

 

Enter these commands as follows: 

 
R1(config)# parser view INTSHUT 
R1(config-view)# 
 
*Feb 12 05:36:37.738: %PARSER-6-VIEW_CREATED: view 'INTSHUT' successfully 
created. 
 
R1(config-view)# secret is 
R1(config-view)# commands exec include configure terminal 
R1(config-view)# commands configure include interface 
R1(config-view)# commands configure include interface fastethernet0/0 
R1(config-view)# commands configure include interface fastethernet0/1 
R1(config-view)# commands interface include shutdown 
R1(config-view)# commands interface include no shutdown 

Enter the INTSHUT view with the enable view INTSHUT command and the password 
“is”, then test its privileges. Again, use ? to view the available command set. 

 
R1# configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z. 
R1(config)# ? 
Configure commands: 
  do         To run exec commands in config mode 
  exit       Exit from configure mode 
  interface  Select an interface to configure 
 
R1(config)# interface fastethernet0/0 
R1(config-if)# ? 
Interface configuration commands: 
  exit      Exit from interface configuration mode 


  no        Negate a command or set its defaults 
  shutdown  Shutdown the selected interface 
 
R1(config-if)# no shutdown 
R1(config-if)# 
 
*Feb 12 06:28:36.394: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state 
to up 
*Feb 12 06:28:37.394: %LINEPROTO-5-UPDOWN: Line protocol on Interface 
FastEthernet0/0, changed state to up 
 
R1(config-if)# shutdown 

Return to the root view. 

 
R1# enable view root 
Password: cisco 
 
R1# 

Step 5: Create a Superview 

A superview is the union of one or more regular views. It is created like a 
regular view, but you use the superview keyword to define it. Name this 
superview INTADMIN with the password “ia”. Finally, add the two existing views 
to this superview using the view name command. 

 
R1(config)# parser view INTADMIN superview 
R1(config-view)# 
 
*Feb 12 06:35:06.566: %PARSER-6-SUPER_VIEW_CREATED: super view 'INTADMIN' 
successfully created. 
 
R1(config-view)# secret ia 
R1(config-view)# view INTVIEW 
 
*Feb 12 06:35:21.086: %PARSER-6-SUPER_VIEW_EDIT_ADD: view INTVIEW added to 
superview INTADMIN. 
 
R1(config-view)# view INTSHUT 
 
*Feb 12 06:35:29.594: %PARSER-6-SUPER_VIEW_EDIT_ADD: view INTSHUT added to 
superview INTADMIN. 

While still in the root view, display the available parser views and superviews 
with the show parser view all command. 

 
R1# show parser view all 
Views/SuperViews Present in System: 
 INTVIEW 
 INTSHUT 
 INTADMIN * 
-------(*) represent superview------- 
R1# 

Enter the INTADMIN superview with the enable view INTADMIN command and the 
password “ia”, and see the available executable commands. The EXEC command 
set is the union of INTVIEW (clear, show) and INTSHUT (configure). 

 
R1# enable view INTADMIN 
Password:  


 
R1# 
*Feb 12 06:36:31.774: %PARSER-6-VIEW_SWITCH: successfully set to view 
'INTADMIN'. 
R1# ? 
Exec commands: 
  clear      Reset functions 
  configure  Enter configuration mode 
  enable     Turn on privileged commands 
  exit       Exit from the EXEC 
  show       Show running system information 

Final Configuration 

 
R1# show run 
hostname R1 

enable secret 5 $1$lETz$132w/UItPj25T6EFwChis1 

aaa new-model 

aaa authentication login default local 

username cisco password 0 cisco 

parser view INTVIEW 
 secret 5 $1$CPI4$HIAH8aEqPztTPW0VLBYT60 
 commands exec include show interfaces 
 commands exec include show 
 commands exec include clear counters 
 commands exec include clear 

parser view INTSHUT 
 secret 5 $1$yeoh$asrBOTkwESSy.0lpCZgG.1 
 commands interface include shutdown 
 commands interface include no shutdown 
 commands interface include no 
 commands configure include interface 
 commands exec include configure terminal 
 commands exec include configure 
 commands configure include interface FastEthernet0/0 
 commands configure include interface FastEthernet0/1 

parser view INTADMIN superview 
 secret 5 $1$QFfM$GUXOqAtkwSTKt1aKuYKdN/ 
 view INTVIEW 
 view INTSHUT 
end 
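As an added example that is not part of this Cisco lab, the Python script below parses the view definitions out of running-config text like the final configuration above and checks two things the lab demonstrates by hand: the command set a user actually receives by entering a superview (the union of its member views, Step 5) and whether every multi-keyword command sequence in a view has the prefix keywords the parser needs to reach it (the point from Step 4, where IOS added commands exec include show on its own). SAMPLE_CONFIG is the view section of the lab's final configuration; BAD_CONFIG is a constructed, deliberately broken fragment. The names View, parse_views, effective_commands, missing_prefixes and audit are chosen for this example and are not IOS or Cisco tooling.

```python
"""Audit Cisco IOS role-based CLI views parsed from running-config text.
Added example for this lab, not Cisco code.  Assumes the layout the lab shows:
'parser view NAME [superview]' blocks of indented 'secret', 'commands MODE
include SEQ' and 'view MEMBER' lines, closed by '!' or 'end'."""
import re
from dataclasses import dataclass, field
# Constructed sample: the view section of the lab's final configuration.
SAMPLE_CONFIG = """\
parser view INTVIEW
 secret 5 $1$CPI4$HIAH8aEqPztTPW0VLBYT60
 commands exec include show interfaces
 commands exec include show
 commands exec include clear counters
 commands exec include clear
!
parser view INTSHUT
 secret 5 $1$yeoh$asrBOTkwESSy.0lpCZgG.1
 commands interface include shutdown
 commands interface include no shutdown
 commands interface include no
 commands configure include interface
 commands exec include configure terminal
 commands exec include configure
 commands configure include interface FastEthernet0/0
 commands configure include interface FastEthernet0/1
!
parser view INTADMIN superview
 secret 5 $1$QFfM$GUXOqAtkwSTKt1aKuYKdN/
 view INTVIEW
 view INTSHUT
end
"""
# Constructed, deliberately broken: no secret, missing prefixes, unknown member.
BAD_CONFIG = """\
parser view BAD
 commands exec include show ip route
!
parser view EMPTY superview
 secret 5 $1$QFfM$GUXOqAtkwSTKt1aKuYKdN/
 view NOPE
end
"""
VIEW_RE = re.compile(r"^parser view (\S+)( superview)?\s*$")
CMD_RE = re.compile(r"^\s+commands (\S+) include(?: exclusive)? (.+?)\s*$")


@dataclass
class View:
    name: str
    superview: bool = False
    has_secret: bool = False
    commands: set = field(default_factory=set)   # {(parser mode, sequence)}
    members: list = field(default_factory=list)  # superview member names


def parse_views(text):
    """Return {name: View} for every parser view block in the text."""
    views, current = {}, None
    for line in text.splitlines():
        m = VIEW_RE.match(line)
        if m:
            current = views[m.group(1)] = View(m.group(1), bool(m.group(2)))
        elif current is None or not line.startswith(" "):
            current = None  # '!', 'end' or an unrelated config section
        elif line.strip().startswith("secret "):
            current.has_secret = True
        elif line.strip().startswith("view "):
            current.members.append(line.split(None, 1)[1])
        elif CMD_RE.match(line):
            current.commands.add(CMD_RE.match(line).groups())
    return views


def effective_commands(views, name, _seen=frozenset()):
    """Commands 'enable view NAME' grants; a superview is the union of its members."""
    if name in _seen or name not in views:   # unknown member or a cycle
        return set()
    granted = set(views[name].commands)
    for member in views[name].members:
        granted |= effective_commands(views, member, _seen | {name})
    return granted


def missing_prefixes(view):
    """(mode, prefix) pairs a sequence needs to be reachable but the view lacks."""
    missing = set()
    for mode, seq in view.commands:
        words = seq.split()
        for i in range(1, len(words)):       # every proper prefix, e.g. 'show'
            prefix = (mode, " ".join(words[:i]))
            if prefix not in view.commands:
                missing.add(prefix)
    return sorted(missing)


def audit(views):
    """Return (view name, problem) pairs a reviewer would raise on the config."""
    findings = []
    for name, view in sorted(views.items()):
        if not view.has_secret:
            findings.append((name, "no secret configured"))
        for mode, prefix in missing_prefixes(view):
            findings.append((name, f"prefix '{prefix}' ({mode}) is not included"))
        for member in view.members:
            if member not in views:
                findings.append((name, f"member view '{member}' is not defined"))
    return findings
```

Run it against the output of show run | section view from a router under review: audit(parse_views(text)) returns an empty list for the lab's configuration, and effective_commands(views, "INTADMIN") lists exactly the commands that appeared when INTADMIN was entered above. The prefix check matters for configurations pushed from templates, where nobody typed the commands at a console and IOS therefore never inserted the intermediate keywords; the missing-member check catches a superview whose member view was later deleted.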
