LEC 2 - Assigning Administrative Roles.pptx

omnia56798 14 views 27 slides Mar 09, 2025


Privilege Lab

Privilege Levels:
- Level 0: Predefined for user-level access privileges. Seldom used, but includes five commands: disable, enable, exit, help, and logout.
- Level 1: The default level for login, with the router prompt Router>. A user cannot make any changes or view the running configuration file.
- Levels 2-14: May be customized for user-level privileges. Commands from lower levels may be moved up to a higher level, or commands from higher levels may be moved down to a lower level.
- Level 15: Reserved for the enable mode privileges (enable command). Users can change configurations and view configuration files.

Privilege Level For Router:
Router(config)#privilege exec level 5 ping
Router(config)#enable secret level 5 123
Router(config)#username Admin1 privilege 5 secret 123
Router(config)#privilege exec level 10 reload
Router(config)#enable secret level 10 cisco10
Router(config)#username Admin2 privilege 10 secret 12345
Router(config)#enable secret level 15 cisco15
Router(config)#username Admin3 privilege 15 secret 123456
Router(config)#do wr

Test Configure:
Router> en 5
Password:
Router#conf t
% Invalid input detected at '^' marker.
Router>
Router> en 10
Password:
Router#sh run
       ^
% Invalid input detected at '^' marker.

Test Configure:
Router> en 15
Password:
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#

Notes:
- Privilege level 5 cannot reload the router.
- A user who enables privilege level 10 has access to the reload command. However, users at privilege level 10 cannot view the running configuration.
- A user who enables privilege level 15 has full access to view and change the configuration, including viewing the running configuration.
- A user at a higher level inherits the privileges of all lower levels.

Limitations of Privilege Levels:
- There is no access control to specific interfaces, ports, logical interfaces, and slots on a router.
- Commands available at lower privilege levels are always executable at higher levels.
- Commands specifically set at a higher privilege level are not available for lower privileged users.
- Assigning a command with multiple keywords allows access to all commands that use those keywords. For example, allowing access to show ip route allows the user access to all show and show ip commands.
Note: If an administrator must create a user account that has access to most but not all commands, privilege exec statements need to be configured for every command that must be executed at a privilege level lower than 15.
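The inheritance and keyword-prefix rules above are easy to get wrong when reading a long list of privilege exec statements. The following Python script is an added example, not part of the slides, that models those two rules over the lab configuration shown earlier plus one extra constructed line (privilege exec level 5 show ip route) to show the prefix effect. It assumes a simplified baseline in which the five level-0 commands sit at level 0 and every other command it does not know about is privileged (level 15); real IOS places many commands at level 1 by default, so treat the baseline as a constructed simplification.

```python
"""Audit Cisco IOS 'privilege exec level N <command>' statements.

Models two rules from the slides:
  * a command placed at level N is executable at every level >= N
    (higher levels inherit lower levels), and
  * granting a multi-keyword command (e.g. 'show ip route') at level N
    also exposes its keyword prefixes ('show', 'show ip') at that level.
Constructed baseline: level-0 commands as listed on the slides, a few
privileged commands at 15, and any unknown command treated as 15.
"""
import re

PRIV_RE = re.compile(r"^\s*privilege\s+exec\s+level\s+(\d+)\s+(.+?)\s*$")

DEFAULT_LEVELS = {
    **{cmd: 0 for cmd in ("disable", "enable", "exit", "help", "logout")},
    "configure terminal": 15,
    "show running-config": 15,
    "reload": 15,
}

# Constructed sample: the lab's privilege statements plus one extra line
# that demonstrates the multi-keyword limitation.
LAB_CONFIG = """
privilege exec level 5 ping
privilege exec level 10 reload
privilege exec level 5 show ip route
"""


def parse_privilege_lines(config_text, defaults=DEFAULT_LEVELS):
    """Return {command: level} after applying every privilege exec line."""
    levels = dict(defaults)
    for line in config_text.splitlines():
        m = PRIV_RE.match(line)
        if not m:
            continue
        level = int(m.group(1))
        words = m.group(2).split()
        command = " ".join(words)
        levels[command] = level          # the command moves to this level
        # Each keyword prefix becomes reachable at the same level, so
        # 'show ip route' at 5 drags 'show' and 'show ip' down to 5.
        for i in range(1, len(words)):
            prefix = " ".join(words[:i])
            if levels.get(prefix, 15) > level:
                levels[prefix] = level
    return levels


def can_run(levels, level, command):
    """True if a user at 'level' may execute 'command' (inherits lower levels)."""
    return levels.get(command, 15) <= level


def commands_at_level(levels, level):
    """All known commands executable at 'level', sorted for stable output."""
    return sorted(cmd for cmd, lvl in levels.items() if lvl <= level)


def prefix_exposures(config_text):
    """List (level, command, [prefixes]) for every multi-keyword grant."""
    report = []
    for line in config_text.splitlines():
        m = PRIV_RE.match(line)
        if m and len(m.group(2).split()) > 1:
            words = m.group(2).split()
            prefixes = [" ".join(words[:i]) for i in range(1, len(words))]
            report.append((int(m.group(1)), " ".join(words), prefixes))
    return report


LEVELS = parse_privilege_lines(LAB_CONFIG)

if __name__ == "__main__":
    for lvl in (5, 10, 15):
        print(f"level {lvl:2}: {commands_at_level(LEVELS, lvl)}")
    for level, command, prefixes in prefix_exposures(LAB_CONFIG):
        print(f"level {level}: '{command}' also exposes {prefixes}")
```

Running it shows level 10 reaching reload but not show running-config, level 15 inheriting everything, and the extra show ip route grant pulling show and show ip into level 5, which is the case the slide warns about.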

Role-Based Views

Configure Role-Based Views: In an effort to provide more flexibility than privilege levels allow, Cisco introduced the role-based CLI access feature in Cisco IOS Release 12.3(11)T. This feature provides finer, more granular access by controlling which commands are available to specific roles. Role-based CLI access enables the network administrator to create different views of router configurations for different users. Each view defines the CLI commands that each user can access.

Configure Role-Based Views:
- Security: defining the set of CLI commands that are accessible by a specific user. Additionally, administrators can control user access to specific ports, logical interfaces, and slots on a router. This prevents a user from accidentally or purposely changing a configuration or collecting information to which they should not have access.
- Availability: Role-based CLI access prevents unintentional execution of CLI commands by unauthorized personnel and minimizes downtime.
- Operational Efficiency: Users only see the CLI commands applicable to the ports and CLI to which they have access. Therefore, the router appears to be less complex, and commands are easier to identify when using the help feature on the device.

Role-Based Views:
- Root View: To configure any view for the system, the administrator must be in root view. Root view has the same access privileges as a user who has level 15 privileges. However, a root view is not the same as a level 15 user. Only a root view user can configure a new view and add or remove commands from the existing views.
- CLI View: A specific set of commands can be bundled into a CLI view. Unlike privilege levels, a CLI view has no command hierarchy and no higher or lower views. Each view must be assigned all commands associated with that view. A view does not inherit commands from any other view. Additionally, the same commands can be used in multiple views.

Role-Based Views:
- Superview: A superview consists of one or more CLI views. Administrators can define which commands are accepted and which configuration information is visible. Superviews allow a network administrator to assign users and groups of users multiple CLI views at once, instead of having to assign a single CLI view per user with all commands associated with that one CLI view.

Role-Based Views:
- Step 1: Enable AAA with the aaa new-model global configuration mode command. Exit and enter the root view with the enable view command.
- Step 2: Create a view using the parser view view-name global configuration mode command. This enables the view configuration mode. Excluding the root view, there is a maximum limit of 15 views in total.
- Step 3: Assign a secret password to the view using the secret password view configuration mode command. This sets a password to protect access to the view. The password must be created immediately after creating a view; otherwise, an error message will appear.
- Step 4: Assign commands to the selected view using the commands parser-mode command in view configuration mode.

Role-Based Views:
Step 1: Router# enable [view [view-name]]
Step 2: Router(config)# parser view view-name
Step 3: Router(config-view)# secret password
Step 4: Router(config-view)# commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]

Configure Role-Based Views:
Router(config)# aaa new-model
Router(config)# enable secret 123
Router(config)# end
Router#enable view
Password:
%PARSER-6-VIEW_SWITCH: successfully set to view 'root'.

Create View:
Router(config)#parser view showview
Router(config-view)#secret cisco1
Router(config-view)#commands exec include show
Router(config-view)#parser view verifyview
Router(config-view)#
%PARSER-6-VIEW_CREATED: view 'verifyview' successfully created.
Router(config-view)#secret cisco2
Router(config-view)#commands exec include ping

Create View:
Router(config-view)#parser view rebootview
Router(config-view)#
%PARSER-6-VIEW_CREATED: view 'rebootview' successfully created.
Router(config-view)#secret cisco3
Router(config-view)#commands exec include reload
Router(config-view)#do wr
Router(config-view)#do show run

Show enable view privilege:
Router#enable view showview
Password:
Router#
%PARSER-6-VIEW_SWITCH: successfully set to view 'showview'.
Router#?
Exec commands:
  disable  Turn off privileged commands
  enable   Turn on privileged commands
  exit     Exit from the EXEC
  logout   Exit from the EXEC
  show     Show running system information

Create SuperView:
R2(config)#parser view user superview
*Mar 1 00:02:45.615: %PARSER-6-SUPER_VIEW_CREATED: super view 'user' successfully created.
R2(config-view)#secret cisco
R2(config-view)#view showview
*Mar 1 00:21:24.239: %PARSER-6-SUPER_VIEW_EDIT_ADD: view showview added to superview user

Verify Role-Based CLI Views:
R2#enable view user
Password:
R2#?
Exec commands:
  credential  load the credential info from file system
  enable      Turn on privileged commands
  exit        Exit from the EXEC
  show        Show running system information
R1#show parser view
Current view is 'Admin'
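Once several views and superviews exist, it helps to check the running configuration against the rules from the slides: every view must carry a secret, CLI views are capped at 15 (root excluded), a CLI view holds only the commands assigned to it, and a superview's effective command set is the union of its member views. The following Python audit is an added example and not part of the slides or of Cisco's own tooling. It runs over a constructed running-config fragment modelled on the showview, verifyview, rebootview and user views above, with placeholder (not real) secret hashes and two deliberately faulty entries: a view without a secret and a superview that references an undefined view. The layout of the parser view blocks follows show running-config output as assumed here.

```python
"""Audit Cisco IOS role-based CLI views from a running-config fragment.

Parses 'parser view NAME [superview]' blocks and checks the rules stated on
the slides: secret present, at most 15 CLI views, no inheritance between
CLI views, and superview = union of its member views.
"""
import re

VIEW_RE = re.compile(r"^parser view (\S+)(?: (superview))?\s*$")
CMD_RE = re.compile(r"^commands (\S+) (include|include-exclusive|exclude) (.+?)\s*$")
MAX_CLI_VIEWS = 15

# Constructed sample config; the 'secret 5 ...' values are placeholders.
SAMPLE_CONFIG = """
parser view showview
 secret 5 $1$PLAC$EHOLDERhashNotReal000001
 commands exec include show
!
parser view verifyview
 secret 5 $1$PLAC$EHOLDERhashNotReal000002
 commands exec include ping
!
parser view rebootview
 secret 5 $1$PLAC$EHOLDERhashNotReal000003
 commands exec include reload
!
parser view user superview
 secret 5 $1$PLAC$EHOLDERhashNotReal000004
 view showview
 view verifyview
 view auditview
!
parser view broken
 commands exec include reload
!
"""


def parse_parser_views(config_text):
    """Return {name: {superview, has_secret, commands, members}}."""
    views, current = {}, None
    for raw in config_text.splitlines():
        m = VIEW_RE.match(raw)
        if m:
            current = {"superview": m.group(2) is not None, "has_secret": False,
                       "commands": [], "members": []}
            views[m.group(1)] = current
            continue
        if current is None or not raw.startswith(" "):
            current = None            # '!' or a top-level line closes the block
            continue
        line = raw.strip()
        if line.startswith("secret "):
            current["has_secret"] = True
        elif line.startswith("view "):
            current["members"].append(line.split(None, 1)[1])
        else:
            c = CMD_RE.match(line)
            if c:
                current["commands"].append((c.group(1), c.group(2), c.group(3)))
    return views


def effective_commands(views, name):
    """(mode, command) pairs a user entering 'name' receives.

    A CLI view gets only what was assigned to it (no inheritance); a
    superview gets the union of its defined member views.
    """
    v = views[name]
    if not v["superview"]:
        return {(mode, cmd) for mode, action, cmd in v["commands"] if action != "exclude"}
    result = set()
    for member in v["members"]:
        if member in views:
            result |= effective_commands(views, member)
    return result


def audit_views(views):
    """Return human-readable findings for rule violations."""
    findings = []
    cli_views = [n for n, v in views.items() if not v["superview"]]
    if len(cli_views) > MAX_CLI_VIEWS:
        findings.append(f"{len(cli_views)} CLI views exceed the limit of {MAX_CLI_VIEWS}")
    for name, v in views.items():
        if not v["has_secret"]:
            findings.append(f"view '{name}' has no secret configured")
        if v["superview"] and not v["members"]:
            findings.append(f"superview '{name}' contains no views")
        for member in v["members"]:
            if member not in views:
                findings.append(f"superview '{name}' references undefined view '{member}'")
    return findings


VIEWS = parse_parser_views(SAMPLE_CONFIG)

if __name__ == "__main__":
    for name in VIEWS:
        print(f"{name}: {sorted(effective_commands(VIEWS, name))}")
    for finding in audit_views(VIEWS):
        print("FINDING:", finding)
```

The superview 'user' ends up with show and ping but not reload, because it only contains showview and verifyview; the audit flags the secretless 'broken' view and the dangling 'auditview' reference, the two mistakes the slides' step 3 and superview description are meant to prevent.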

THANKS! Any questions? You can find me at: [email protected]