Network Security v1.0 - Module 5-1

Module 5: Assigning Administrative Roles

Instructor Materials

Networking Security v1.0 (NETSEC)
Module Objectives
Module Title: Assigning Administrative Roles

Module Objective: Configure command authorization using privilege levels and role-based CLI.

Topic Title: Configure Privilege Levels
Topic Objective: Use the correct commands to configure administrative privilege levels to control command availability.

Topic Title: Configure Role-Based CLI
Topic Objective: Use the correct commands to configure role-based CLI access to control command availability.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
5.1 Configure Privilege Levels

Privilege Levels
• Level 0:
– Predefined for user-level access privileges.
– Seldom used, but includes five commands: disable, enable, exit, help, and logout.
• Level 1 (User EXEC mode):
– The default level for login with the router prompt Router>.
– A user cannot make any changes or view the running configuration file.
• Levels 2-14:
– May be customized for user-level privileges.
– Commands from lower levels may be moved up to a higher level, or commands from higher levels may be moved down to a lower level.
• Level 15 (Privileged EXEC mode):
– Reserved for the enable mode privileges (enable command).
– Users can view and change all aspects of the configuration.
Configure Privilege Levels
Limiting Command Availability
Cisco IOS software can control infrastructure access using either privilege levels or role-based CLI.
• By default, the Cisco IOS software CLI has two levels of access to commands: User EXEC mode (privilege level 1) and Privileged EXEC mode (privilege level 15).
• There are 16 privilege levels in total (0 to 15).

To assign commands to a custom privilege level, use the privilege mode {level level | reset} command global configuration mode command.

mode: Specifies the configuration mode. Use the privilege ? command to see a complete list of router configuration modes available on your router.
level (keyword): (Optional) Enables setting a privilege level with a specified command.
level (argument): (Optional) The privilege level that is associated with a command. You can specify up to 16 privilege levels, using numbers 0 to 15.
reset: (Optional) Resets the privilege level of a command.
command: (Optional) Argument to use when you want to reset the privilege level.
Configure Privilege Levels
Configuring and Assigning Privilege Levels
To configure a privilege level with specific commands, use the privilege exec level level [command] global configuration command.

Router(config)# privilege mode {level level | reset} command

Modes accepted by the privilege command:
exec: Exec mode
interface: Interface configuration mode
line: Line configuration mode
router: Router configuration mode

There are two methods for assigning passwords to the different privilege levels:
• To assign a privilege level to a specific user, use the username name privilege level secret password global configuration mode command.
Router(config)# username name privilege level secret password
• To assign a privilege level to a specific EXEC mode, use the enable secret level level password global configuration mode command.
Router(config)# enable secret level level password
Configuring and Assigning Privilege Levels
Router Privilege Levels
• The administrator tests the accounts and logs in as the Level 1 user.
– Usernames are not case-sensitive by default.
– Notice the prompt indicates Level 1 (R1>).
– The ping command, which is typically available from Level 1, is no longer available because it was moved to a higher level.

User Access Verification

Username: user
Password: <cisco>
R1> show privilege
Current privilege level is 1
R1> ping 10.10.10.1
^
% Invalid input detected at '^' marker.
R1>
Router Privilege Levels
• The administrator now verifies the Level 5 access.
– The enable level command is used to switch from Level 1 to Level 5.
– Notice now the user can ping but cannot use the reload command.

R1> enable 5
Password:<cisco5>
R1#
R1# show privilege
Current privilege level is 5
R1#
R1# ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#
R1# reload
Translating "reload"
Translating "reload"
% Unknown command or computer name, or unable to find computer address
R1#
Router Privilege Levels
• The administrator now verifies the Level 10 access.
– Again, the enable level command is used to switch from Level 5 to Level 10.
– Notice now that the ping and reload commands are available; however, the show running-config command is not.

R1# enable 10
Password:<cisco10>
R1# show privilege
Current privilege level is 10
R1# ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1# reload
System configuration has been modified. Save? [yes/no]: ^C
R1# show running-config
^
% Invalid input detected at '^' marker.
R1#
Router Privilege Levels
• Finally, the administrator verifies the privileged EXEC Level 15 access.
– Again, the enable level command is used to switch from Level 10 to Level 15.
– Now all commands are available.

R1# enable 15
Password: <cisco123>
R1# show privilege
Current privilege level is 15
R1# show running-config
Building configuration...

Current configuration : 1145 bytes
!
version 12.4
<output omitted>
Configure Privilege Levels
Limitations of Privilege Levels
The use of privilege levels has its limitations:

• There is no access control to specific interfaces, ports, logical interfaces, and slots on a router.
• Commands available at lower privilege levels are always executable at higher levels.
• Commands specifically set at a higher privilege level are not available for lower privileged users.
• Assigning a command with multiple keywords allows access to all commands that use those keywords. For example, allowing access to show ip route allows the user access to all show and show ip commands.

5.2 Configure Role-Based CLI

Configure Role-Based CLI
Role-Based CLI Access

Role-based CLI access, a feature introduced in Cisco IOS Release 12.3(11)T, provides finer, more granular access control by controlling which commands are available to specific roles.

Role-based CLI access enables the network administrator to create different views of router configurations for different users.

Each view defines the CLI commands that each user can access.

It addresses security, availability, and operational efficiency.

Configure Role-Based CLI
Role-Based Views
Role-based CLI provides three types of views that dictate which commands are available:
• Root View - To configure any view for the system, the administrator must be in root view.
• CLI View - A specific set of commands can be bundled into a CLI view.
• Superview - A superview consists of one or more CLI views.

Superviews have several specific characteristics:
• A single CLI view can be shared within multiple superviews.
• Commands cannot be configured for a superview. An administrator must add commands to the CLI view and add that CLI view to the superview.
• Users who are logged into a superview can access all the commands that are configured for any of the CLI views that are part of the superview.
• Each superview has a password that is used to switch between superviews or from a CLI view to a superview.
• Deleting a superview does not delete the associated CLI views. The CLI views remain available to be assigned to another superview.
Configure Role-Based CLI
Configure Role-Based Views

There are five steps to create and manage a specific view.

Step 1. Enable AAA with the aaa new-model global configuration mode command. Exit and enter the root view with the enable view command.
Router(config)# aaa new-model
Router# enable [view [view-name]]

Step 2. Create a view using the parser view view-name global configuration mode command. This enables the view configuration mode.
Router(config)# parser view view-name

Configure Role-Based CLI
Configure Role-Based Views (Cont.)

Step 3. Assign a secret password to the view using the secret password view configuration mode command.
Router(config-view)# secret password

Step 4. Assign commands to the selected view using the commands parser-mode command in view configuration mode.
Router(config-view)# commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]

Step 5. Exit view configuration mode by typing the exit command.

Configure Role-Based CLI
Configure Role-Based Views (Cont.)
Below is a list of the command keywords and their descriptions.

commands: Adds commands or interfaces to a view.
parser-mode: The mode in which the specified command exists; for example, EXEC mode.
include: Adds a command or an interface to the view and allows the same command or interface to be added to other views.
include-exclusive: Adds a command or an interface to the view and excludes the same command or interface from being added to all other views.
exclude: Excludes a command or an interface from the view.
all: A "wildcard" that allows every command in a specified configuration mode that begins with the same keyword, or every subinterface for a specified interface, to be part of the view.
interface interface-name: Interface that is added to the view.
command: Command that is added to the view.
Another Sample Config
R1(config)# parser view SHOWVIEW
*Mar 1 09:54:54.873: %PARSER-6-VIEW_CREATED: view 'SHOWVIEW' successfully created.
R1(config-view)# secret cisco
R1(config-view)# commands exec include show version
R1(config-view)# exit
R1(config)# parser view VERIFYVIEW
*Mar 1 09:55:24.813: %PARSER-6-VIEW_CREATED: view 'VERIFYVIEW' successfully created.
R1(config-view)# commands exec include ping
% Password not set for the view VERIFYVIEW
R1(config-view)# secret cisco5
R1(config-view)# commands exec include ping
R1(config-view)# exit
R1(config)# parser view REBOOTVIEW
R1(config-view)#
*Mar 1 09:55:52.297: %PARSER-6-VIEW_CREATED: view 'REBOOTVIEW' successfully created.
R1(config-view)# secret cisco10
R1(config-view)# commands exec include reload
R1(config-view)# exit
Configure Role-Based CLI
Lab – Configure Administrative Roles
In this lab, you will complete the following objectives:
• Part 1: Configure basic device settings.
• Part 2: Configure administrative roles.

Configure Role-Based CLI
Configure Role-Based CLI Superviews

The steps to configure a superview are essentially the same as configuring a CLI view, except that the view view-name command is used to assign commands to the superview.

Step 1. Create a view using the parser view view-name superview command and enter superview configuration mode.
Router(config)# parser view view-name superview

Step 2. Assign a secret password to the view using the secret password command. This sets a password to protect access to the superview.
Router(config-view)# secret password

Configure Role-Based CLI
Configure Role-Based CLI Superviews (Cont.)

Step 3. Assign an existing view using the view view-name command in view configuration mode. This adds a CLI view to the superview.
Router(config-view)# view view-name

Step 4. Exit superview configuration mode by typing the exit command.

Configure Views
R1(config)# parser view USER superview
*Mar 1 09:56:26.465: %PARSER-6-SUPER_VIEW_CREATED: super view 'USER' successfully created.
R1(config-view)# secret cisco
R1(config-view)# view SHOWVIEW
*Mar 1 09:56:33.469: %PARSER-6-SUPER_VIEW_EDIT_ADD: view SHOWVIEW added to superview USER.
R1(config-view)# exit
R1(config)# parser view SUPPORT superview
*Mar 1 09:57:33.825: %PARSER-6-SUPER_VIEW_CREATED: super view 'SUPPORT' successfully created.
R1(config-view)# secret cisco1
R1(config-view)# view SHOWVIEW
*Mar 1 09:57:45.469: %PARSER-6-SUPER_VIEW_EDIT_ADD: view SHOWVIEW added to superview SUPPORT.
R1(config-view)# view VERIFYVIEW
*Mar 1 09:57:57.077: %PARSER-6-SUPER_VIEW_EDIT_ADD: view VERIFYVIEW added to superview SUPPORT.
R1(config-view)# exit
R1(config)# parser view JR-ADMIN superview
*Mar 1 09:58:09.993: %PARSER-6-SUPER_VIEW_CREATED: super view 'JR-ADMIN' successfully created.
R1(config-view)# secret cisco2
R1(config-view)# view SHOWVIEW
*Mar 1 09:58:26.973: %PARSER-6-SUPER_VIEW_EDIT_ADD: view SHOWVIEW added to superview JR-ADMIN.
R1(config-view)# view VERIFYVIEW
*Mar 1 09:58:31.817: %PARSER-6-SUPER_VIEW_EDIT_ADD: view VERIFYVIEW added to superview JR-ADMIN.
R1(config-view)# view REBOOTVIEW
*Mar 1 09:58:39.669: %PARSER-6-SUPER_VIEW_EDIT_ADD: view REBOOTVIEW added to superview JR-ADMIN.
R1(config-view)# exit
Configure Role-Based CLI
Verify Role-Based CLI Views
To verify a view, use the enable view view-name command. Enter the name of the view to verify
and provide the password to log into the view. Use the question mark (?) command to verify that
the commands available in the view are correct. The example enables the USER superview and
lists the commands available in the view.

Configure Role-Based CLI
Verify Role-Based CLI Views (Cont.)
The example below enables the SUPPORT superview and lists the commands available in the
view.

Configure Role-Based CLI
Verify Role-Based CLI Views (Cont.)
This example enables the JR-ADMIN view and lists the commands available in the view.

By not specifying a view for the enable view command, you can log in as root. From the root
view, use the show parser view all command to see a summary of all views.
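To make the difference between the two mechanisms in this module concrete, here is an added Python model (not code from the Cisco module or from IOS) of privilege levels and role-based views, loaded with the same ping/reload levels and SHOWVIEW/VERIFYVIEW/REBOOTVIEW superviews used in the slides; the default command levels it assumes (everything level 1 except reload and show running-config at level 15) are constructed for the illustration.

```python
# Added example (not from the Cisco module): a Python model of the two IOS
# authorization mechanisms in this module, with data constructed from the slides.

def _covers(entry, command):
    """True when every keyword of `entry` prefixes `command`, so 'ping'
    covers 'ping 10.10.10.1'."""
    e, c = entry.split(), command.split()
    return c[:len(e)] == e

class PrivilegeLevels:
    """Hierarchical: a session at level L runs any command assigned to a level
    <= L, so lower-level commands are always executable at higher levels."""
    def __init__(self, privileged=()):
        # constructed defaults: unlisted commands are level 1, listed ones 15
        self.levels = {cmd: 15 for cmd in privileged}
    def privilege_exec_level(self, level, command):
        """Model of 'privilege exec level <level> <command>'."""
        self.levels[command] = level
    def allowed(self, session_level, command):
        # the most specific configured entry decides; unconfigured -> level 1
        best = max((e for e in self.levels if _covers(e, command)),
                   key=len, default=None)
        return session_level >= (self.levels[best] if best else 1)

class RoleBasedCli:
    """Non-hierarchical: a CLI view allows only the commands included in it;
    a superview allows the union of its CLI views and nothing more."""
    def __init__(self):
        self.cli_views, self.superviews = {}, {}
    def parser_view(self, name, *included):
        """'parser view NAME' plus its 'commands exec include ...' lines."""
        self.cli_views[name] = set(included)
    def parser_superview(self, name, *views):
        """'parser view NAME superview' plus its 'view ...' lines."""
        if any(v not in self.cli_views for v in views):
            raise ValueError("superview references an undefined CLI view")
        self.superviews[name] = set(views)
    def allowed(self, view_name, command):
        members = self.superviews.get(view_name, {view_name})
        included = set().union(*(self.cli_views.get(v, set()) for v in members))
        return any(_covers(e, command) for e in included)

def slide_scenario():
    """Build the slide examples: ping raised to 5, reload lowered to 10,
    and the USER/SUPPORT/JR-ADMIN superviews over the three CLI views."""
    pl = PrivilegeLevels(privileged=("reload", "show running-config"))
    pl.privilege_exec_level(5, "ping")
    pl.privilege_exec_level(10, "reload")
    rb = RoleBasedCli()
    for view, cmd in (("SHOWVIEW", "show version"), ("VERIFYVIEW", "ping"),
                      ("REBOOTVIEW", "reload")):
        rb.parser_view(view, cmd)
    rb.parser_superview("USER", "SHOWVIEW")
    rb.parser_superview("SUPPORT", "SHOWVIEW", "VERIFYVIEW")
    rb.parser_superview("JR-ADMIN", "SHOWVIEW", "VERIFYVIEW", "REBOOTVIEW")
    return pl, rb
```

Querying `allowed` on both objects reproduces the slides: level 10 can reload but not show running-config, while JR-ADMIN can reload yet gets no level-15 commands because views carry no hierarchy.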
5.3 Assign Administrative Roles Summary

Assign Administrative Roles Summary
What Did I Learn in this Module?
• IOS software supports two infrastructure access methods: privilege levels and role-based CLI.
• By default, there is User EXEC mode (privilege level 1) and Privileged EXEC mode (level 15).
• The higher the privilege level, the more router access a user has.
• To assign a command to a privilege level, use the privilege exec level level [command] command.
• Use the username command to assign a privilege level to a specific user, or use the enable secret command to assign a privilege level to a specific EXEC mode password.
• Privilege levels have limitations; therefore, use the Cisco role-based CLI access feature where finer control is needed.

Assign Administrative Roles Summary
What Did I Learn in this Module?
• Role-based CLI creates different views of router configurations for different users.
• The role-based root view has level 15 privileges and, in addition, can configure or modify views.
• Views can contain the same commands and there is no command hierarchy.
• To create a view, AAA must be enabled using the aaa new-model command.
• To enter root view, use the enable view root command and the enable secret
password.
• Create a view using the parser view view-name global config mode command.
• Assign the view a password using the secret password command.
• Assign commands to the view using the commands parser-mode command.
• A superview allows a network administrator to combine multiple views together.
• Add views to a superview using the view view-name command.

Assign Administrative Roles Summary
New Terms and Commands
• User EXEC mode
• Privileged EXEC mode
• Privilege levels
• Role-Based CLI Access
• Views
• Superviews
