Role-based CLI access control (parser views) lets us define very granular permissions for user accounts. We can have a role called NOC that has the right to use only selected show commands, or a role for junior engineers that allows them to configure only certain aspects of the device, like interface descriptions.
Before we can configure any views, we need to enable AAA and set an enable secret (the root view, from which all other views are created, is protected by it):
aaa new-model
enable secret cisco
After that we can enter the root view to confirm parser views are enabled:
R1#enable view
Password:
R1#sh parser view
Current view is 'root'
Now, let's get straight to it and configure our first role. This role will be called NOC and it will allow users to clear counters as well as issue the show commands below:
- show ip interface [interface int-number]
- show ip interface brief
- show interfaces [interface int-number]
- show interfaces description
- show ip bgp summary
No other permissions will be granted to this role.
parser view NOC
secret cisco
commands exec include clear counters
commands exec include show ip interface brief
commands exec include show interfaces description
commands exec include show ip bgp summary
Note that "commands exec include show ip interface brief" enables both "sh ip int [int x/y]" and "sh ip int brief". The same applies to the other show commands: every prefix of an included command becomes usable as well, e.g. "sh ip bgp" (the full BGP table, not just the summary) and "sh int [int x/y]". A view therefore grants more than the literal commands listed in it, so always check the reachable command tree with "?" from inside the view rather than trusting the include lines alone.
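To see how far an include line actually reaches before the view is pushed to a router, here is a small Python model of that prefix behaviour. It is an added example written for this article, not Cisco code or anything from the original post: the tokenisation, the prefix rule and the set of always-available keywords are assumptions derived from the output shown on this page (verify on your IOS release with "?" inside the view), and argument nodes such as interface names or command abbreviations are not modelled.

```python
# Added example (not from the original article). Models the observed rule
# that including a command in a parser view also exposes every keyword
# prefix on the path to it, e.g. "show ip bgp summary" exposes "show ip bgp".
# Assumptions: whitespace tokenisation, keyword paths only (arguments such as
# an interface name and abbreviations like "sh ip int b" are not modelled).

# Constructed from the NOC view described in the article.
NOC_INCLUDES = [
    "clear counters",
    "show ip interface brief",
    "show interfaces description",
    "show ip bgp summary",
]

# Keywords the article's output shows in every view regardless of includes
# (assumed list; extend it for your IOS release after checking with "?").
ALWAYS_ALLOWED = {
    ("enable",), ("exit",), ("do-exec",), ("show", "parser", "view"),
}


def reachable_nodes(includes):
    """Keyword paths the view exposes: each included command plus all of its
    prefixes ("show", "show ip", "show ip bgp", ...)."""
    nodes = set(ALWAYS_ALLOWED)
    for cmd in includes:
        toks = tuple(cmd.split())
        for i in range(1, len(toks) + 1):
            nodes.add(toks[:i])
    return nodes


def is_permitted(command, includes):
    """True if the typed keyword path is reachable inside the view."""
    return tuple(command.split()) in reachable_nodes(includes)


def implied_extra_access(includes):
    """Prefixes that were never listed explicitly but become usable anyway.
    These are the over-grants a reviewer should check one by one: some are
    only incomplete nodes, others (like "show ip bgp") are full commands."""
    explicit = {tuple(c.split()) for c in includes}
    return sorted(
        " ".join(node)
        for node in reachable_nodes(includes)
        if node not in explicit and node not in ALWAYS_ALLOWED and len(node) > 1
    )


if __name__ == "__main__":
    for cmd in ("show ip bgp", "show ip route", "configure terminal"):
        print(f"{cmd!r:28} permitted={is_permitted(cmd, NOC_INCLUDES)}")
    print("implicitly exposed:", implied_extra_access(NOC_INCLUDES))
```

Running it against the NOC includes reports "show ip bgp" as permitted even though only the summary was listed, which matches the "sh ip bgp | b Net" output further down; "show ip route" and "configure terminal" stay blocked.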
After we created the view, it's time to test it:
R1#enable view NOC
Password:
R1#?
Exec commands:
clear Reset functions
do-exec Mode-independent "do-exec" prefix support
enable Turn on privileged commands
exit Exit from the EXEC
show Show running system information
R1#show ?
banner Display banner information
bootflash: display information about bootflash: file system
flash: display information about flash: file system
interfaces Interface status and configuration
ip IP information
parser Display parser information
R1#show interfaces g1
GigabitEthernet1 is up, line protocol is up
...
R1#sh interfaces desc
Interface Status Protocol Description
Gi1 up up
Gi2 up up
Gi3 up up
R1#sh ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1 10.1.1.20 YES NVRAM up up
GigabitEthernet2 10.1.255.1 YES manual up up
GigabitEthernet3 223.255.255.1 YES NVRAM up up
R1#sh ip bgp ?
A.B.C.D Network in the BGP routing table to display
A.B.C.D/nn IP prefix <network>/<length>, e.g., 35.0.0.0/8
summary Summary of BGP neighbor status
| Output modifiers
R1#sh ip bgp | b Net
Network Next Hop Metric LocPrf Weight Path
*> 10.2.0.0/24 10.1.255.2 0 0 2 ?
*> 10.2.1.0/24 10.1.255.2 0 0 2 ?
*> 10.2.2.0/24 10.1.255.2 0 0 2 ?
*> 10.2.3.0/24 10.1.255.2 0 0 2 ?
R1#sh ip bgp sum | b Ne
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.1.255.2 4 2 35 32 11 0 0 00:25:59 4
Great, our view is working as intended. We are only allowed to use predefined commands and nothing else.
Let's now configure a role with some configuration permissions. We will call this role JUNIOR and we want users assigned to this role to configure the following items:
- interface description and ip address on interfaces Gi2 and Gi3
- static routes
We also want these users to be able to shut/unshut interfaces Gi2 and Gi3, and to see the running-config, but only the items they have rights to configure.
parser view JUNIOR
secret cisco
commands exec include configure terminal
commands exec include show running-config
commands configure include interface Gi2
commands configure include interface Gi3
commands configure include ip route
commands interface include ip address
commands interface include description
commands interface include shutdown
Time to test this role:
R1#enable view JUNIOR
Password:
R1#?
Exec commands:
configure Enter configuration mode
do-exec Mode-independent "do-exec" prefix support
enable Turn on privileged commands
exit Exit from the EXEC
show Show running system information
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#?
Configure commands:
do-exec To run exec commands in config mode
end Exit from configure mode
exit Exit from configure mode
interface Select an interface to configure
ip Global IP configuration subcommands
! Not allowed to configure Gi1
R1(config)#interface g1
^
% Invalid input detected at '^' marker.
R1(config)#interface g3
R1(config-if)#?
Interface configuration commands:
description Interface specific description
exit Exit from interface configuration mode
ip Interface Internet Protocol config commands
no Negate a command or set its defaults
shutdown Shutdown the selected interface
R1(config-if)#description JUNIOR was here
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#exit
R1(config)#ip route 10.10.1.0 255.255.255.0 10.1.255.2
R1(config)#end
! We are only allowed to see items we have rights to configure
R1#sh running-config
Building configuration...
...
interface GigabitEthernet2
description TEST
ip address 10.1.255.1 255.255.255.0
!
interface GigabitEthernet3
description JUNIOR was here
ip address 192.168.1.1 255.255.255.0
!
ip route 10.10.1.0 255.255.255.0 10.1.255.2
!
end
This shows that it is possible to allow configuration of specific interfaces only, and to narrow it further down to a few commands on those interfaces. The output of "show running-config" inside the view is filtered to the parts the view has the right to configure, and nothing else.
We will now configure an ADMIN role that combines the permissions of the NOC and JUNIOR roles.
parser view ADMIN superview
secret cisco
view NOC
view JUNIOR
That's it: we created a "superview" and added the NOC and JUNIOR views to it. A superview cannot contain commands of its own, only other views, so it is a handy way to define roles that group together permissions from existing views; any later change to a member view automatically applies to the superview as well.
R1#enable view ADMIN
Password:
R1#sh parser view
Current view is 'ADMIN'
R1#?
Exec commands:
clear Reset functions
configure Enter configuration mode
do-exec Mode-independent "do-exec" prefix support
enable Turn on privileged commands
exit Exit from the EXEC
show Show running system information
R1#show ?
banner Display banner information
bootflash: display information about bootflash: file system
flash: display information about flash: file system
interfaces Interface status and configuration
ip IP information
parser Display parser information
running-config Current operating configuration
R1(config)#?
Configure commands:
do-exec To run exec commands in config mode
end Exit from configure mode
exit Exit from configure mode
interface Select an interface to configure
ip Global IP configuration subcommands
All looking good: the ADMIN view inherited the permissions of both the NOC and JUNIOR views.
With the views defined, it would be good to have them assigned automatically to users logging into the device.
username noc view NOC secret cisco
username admin view ADMIN secret cisco
aaa authentication login default local
aaa authorization exec default local
line vty 0 4
login authentication default
Both "aaa authentication login" and "aaa authorization exec" are required to make views work for remote users: without exec authorization the view configured on the username is simply not applied at login.
We will telnet from another device to confirm that the views are assigned correctly at login. Telnet is used here only because this is a lab; on a production device use SSH, since telnet sends the credentials in cleartext.
! NOC view test
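Because the binding between users, views and AAA is spread across several parts of the config, mistakes are easy to miss in review: a view that was meant to be read-only but includes "configure terminal", a username bound to a view that does not exist, or a missing "aaa authorization exec" line. The following Python script is an added example, not part of the original article or any Cisco tooling: it parses the parser-view and AAA sections of a running-config, flattens superview membership, and reports those problems. The sample config is constructed for the example (with placeholder secrets), and the list of views treated as read-only is an assumed local policy.

```python
# Added example (not from the original article): audit the parser-view and
# AAA section of an IOS running-config before it is pushed to a device.
import re

# Constructed sample config (secrets are placeholders). It deliberately
# contains three mistakes for the audit to catch.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
!
parser view NOC
 secret 5 $1$placeholder
 commands exec include clear counters
 commands exec include show ip interface brief
 commands exec include configure terminal
 commands exec include show ip bgp summary
!
parser view JUNIOR
 secret 5 $1$placeholder
 commands exec include configure terminal
 commands exec include show running-config
 commands configure include interface Gi2
 commands configure include ip route
 commands interface include shutdown
!
parser view ADMIN superview
 secret 5 $1$placeholder
 view NOC
 view JUNIOR
!
username noc view NOC secret 5 $1$placeholder
username admin view ADMIN secret 5 $1$placeholder
username ops view OPS secret 5 $1$placeholder
"""

# Assumed local policy: views that must never be able to enter config mode.
READ_ONLY_VIEWS = {"NOC"}


def parse_views(config):
    """Return {name: {"superview": bool, "members": [...], "commands": [(mode, cmd), ...]}}."""
    views, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^parser view (\S+)( superview)?$", line)
        if m:
            current = views.setdefault(
                m.group(1), {"superview": bool(m.group(2)), "members": [], "commands": []}
            )
            continue
        if not line.startswith(" "):      # left the stanza ("!", "username", ...)
            current = None
            continue
        if current is None:
            continue
        body = line.strip()
        if body.startswith("view "):
            current["members"].append(body.split()[1])
        m = re.match(r"^commands (\S+) include(?:-exclusive)? (.+)$", body)
        if m:
            current["commands"].append((m.group(1), m.group(2)))
    return views


def effective_commands(name, views, _seen=None):
    """Commands a view grants, following superview membership recursively."""
    seen = set() if _seen is None else _seen
    if name in seen or name not in views:
        return set()
    seen.add(name)
    cmds = set(views[name]["commands"])
    for member in views[name]["members"]:
        cmds |= effective_commands(member, views, seen)
    return cmds


def audit(config):
    """Return a list of human-readable findings (empty list means clean)."""
    views = parse_views(config)
    findings = []
    for name, view in views.items():
        cmds = effective_commands(name, views)
        if name in READ_ONLY_VIEWS and any(
            mode == "exec" and cmd.startswith("configure") for mode, cmd in cmds
        ):
            findings.append(f"view {name}: read-only view can enter configuration mode")
        for member in view["members"]:
            if member not in views:
                findings.append(f"view {name}: superview references undefined view {member}")
    for user, view in re.findall(r"^username (\S+) view (\S+)", config, re.M):
        if view not in views:
            findings.append(f"username {user}: bound to undefined view {view}")
    # All three lines are needed for the view on a username to be applied at login.
    for required in ("aaa new-model", "aaa authentication login ", "aaa authorization exec "):
        if not re.search("^" + re.escape(required), config, re.M):
            findings.append(f"missing '{required.strip()}' line: views will not be applied to remote logins")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

On the sample config the audit reports the NOC view reaching configuration mode, the "ops" user bound to a view that is never defined, and the missing "aaa authorization exec" line. Feed it the output of "show running-config | section parser view|username|aaa" from a real device to review a deployment the same way.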
R2#telnet 10.1.1.20
Trying 10.1.1.20 ... Open
User Access Verification
Username: noc
Password:
R1>sh ?
banner Display banner information
bootflash: display information about bootflash: file system
flash: display information about flash: file system
ip IP information
parser Display parser information
R1>sh parser view
Current view is 'NOC'
R1>sh ip bgp sum | b Ne
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.1.255.2 4 2 108 103 11 0 0 01:31:32 4
R1>sh ip int b
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1 10.1.1.20 YES NVRAM up up
GigabitEthernet2 10.1.255.1 YES manual up up
GigabitEthernet3 192.168.1.1 YES manual up up
! ADMIN view test
R1>exit
[Connection to 10.1.1.20 closed by foreign host]
R2#telnet 10.1.1.20
Trying 10.1.1.20 ... Open
User Access Verification
Username: admin
Password:
R1>sh parser view
Current view is 'ADMIN'
R1>?
Exec commands:
<1-99> Session number to resume
clear Reset functions
configure Enter configuration mode
do-exec Mode-independent "do-exec" prefix support
enable Turn on privileged commands
exit Exit from the EXEC
show Show running system information
R1>configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)>interface g3
R1(config-if)>description Admin takes over
R1(config-if)>end
R1>sh int desc
Interface Status Protocol Description
Gi1 up up
Gi2 up up TEST
Gi3 up up Admin takes over
R1>sh run
Building configuration...
…
interface GigabitEthernet2
description TEST
ip address 10.1.255.1 255.255.255.0
!
interface GigabitEthernet3
description Admin takes over
ip address 192.168.1.1 255.255.255.0
!
ip route 10.10.1.0 255.255.255.0 10.1.255.2
!
end
As we can see in the above output, views are assigned correctly to users after they log in, and all permissions are still in place.
Role-based access control is a very useful feature that lets us define granular permissions for groups of users and assign those groups automatically to particular users at login. It is particularly handy for defining views for NOC and junior engineers, where the number of permitted commands should stay small. It can also show up on the CCIE Lab, so it is good to know what needs to be enabled in order to configure this feature.