sama
25 posts

Hello, I read about the Role-Based CLI Access feature. I have a question: when I define a view or superview, I use this command:

Router(config-view)# commands exec exclude password

so that I prevent the user from changing any password (Telnet, enable to enter privileged mode, etc.). How could I assign the user to use this view (when he telnets to the router, he just enters that view directly)? Is the user capable of using all other commands except "password"?

Note: when I use my lab time here and try to save my configs, the session is disconnected immediately. Any suggestions?
joshlowe
94 posts

Hi Sama,

Changing passwords is a configure-level task, so you would use something like:

commands exec include all show
commands exec include all configure
commands configure exclude enable
commands configure exclude username
commands line exclude password

The first two lines allow you to use all the show commands, and also change any configuration on the router. By default, views have an implicit "deny any" at the end (like ACLs) that denies any commands you don't specifically allow, so these first two commands are necessary in most cases. Obviously you would need to tweak this depending on the scenario.

The last three commands prevent the user from changing the enable password, the enable secret, passwords associated with user accounts, and any password configured on console, AUX, VTY, TTY etc. That's probably all of the passwords, but I may have forgotten one.

To apply to a specific user, you can try:

username johndoe view view1 password cisco123

This should associate the view named "view1" with the user "johndoe". Of course you still have to configure the authentication/authorization on the appropriate lines.

HTH.
Josh
sama
25 posts

Hello Josh,

Thanks a lot for your clarifications; so helpful for me. When I read your reply I was in the lab, working on a router, so I applied everything you said. But when I log in (using the username and password that I specified), I can view and use all the commands. I repeated the steps and applied the "aaa new-model" command (from the beginning), but got the same result. What am I doing wrong?

I read in a post in an archive of another forum the following: "Creating views and restricting users to be bound to that specific view only is 'authorization'. You should have the 'authorization exec local' command issued on the desired lines (VTY or console lines)." What does this mean? Please help me.
sama
25 posts

Hello Josh,

Is this a correct answer to my question? I found it accidentally:

Router_CMD(config)# aaa new-model
Router_CMD(config)# end

Before we enter the second step, let's first configure the username for the super admin and the privileged mode's password:

Router_CMD(config)# username SuperAdmin privilege 15 secret Cisco
Router_CMD(config)# enable secret Cisco2009

We apply this username to both our console line and the virtual terminal lines:

Router_CMD(config)# aaa authentication login default local
Router_CMD(config)# line console 0
Router_CMD(config-line)# login authentication default
Router_CMD(config-line)# exit
Router_CMD(config)# line vty 0 4
Router_CMD(config-line)# login authentication default
Router_CMD(config-line)# exit
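The following is an added example and is not from any of the posts above. It puts the two halves of this thread together in one session: the view definition from Josh's reply and the missing authorization step behind the "authorization exec local" remark that sama quotes. The view name NOPASS, the user "viewer", the secrets and the interface-only configure scope are assumptions chosen for illustration; the "secret" form of the username/view binding is also assumed to be available on the image in use (Josh's reply uses the "password" form). The view is built as a whitelist: the password commands are unreachable because nothing that leads to them is included, and the excludes from Josh's reply are kept only as a guard against a later, wider include.

```cisco
! Added example, not from the thread. Names (NOPASS, viewer), the secrets and the
! interface-only configure scope are assumptions; adjust them to the real role.

! 1. Views cannot be created or enforced until AAA is on, and the root view is
!    entered with the enable secret, so both come first.
Router# configure terminal
Router(config)# aaa new-model
Router(config)# enable secret RootSecret123
Router(config)# end

! 2. "enable view" prompts for the enable secret and drops you into the root view;
!    parser views can only be defined from there. The view's own secret must be
!    set before any "commands" line is accepted.
Router# enable view
Password: RootSecret123
Router# configure terminal
Router(config)# parser view NOPASS
Router(config-view)# secret ViewSecret123
! A view denies every command that is not included, so these three lines are the
! user's entire command surface. None of them reaches "enable", "username" or a
! line "password" command, which is what actually keeps the passwords out of reach.
Router(config-view)# commands exec include all show
Router(config-view)# commands exec include configure terminal
Router(config-view)# commands configure include all interface
! The explicit excludes from the reply above, kept as a guard so that a later
! "commands configure include all ..." edit cannot quietly widen the view back
! onto the password commands.
Router(config-view)# commands configure exclude enable
Router(config-view)# commands configure exclude username
Router(config-view)# commands line exclude password
Router(config-view)# exit

! 3. Bind a local user to the view ("secret" stores a hash rather than a
!    reversible password; the binding itself works the same with either form).
Router(config)# username viewer view NOPASS secret ViewerLogin123

! 4. The step the first attempt was missing. Login authentication only decides
!    who the user is; landing the session inside the view is an EXEC
!    authorization decision, so it has to be answered from the same local
!    database, otherwise the user gets an ordinary EXEC shell.
Router(config)# aaa authentication login default local
Router(config)# aaa authorization exec default local
Router(config)# line vty 0 4
Router(config-line)# login authentication default
Router(config-line)# authorization exec default
Router(config-line)# end

! 5. Check from a Telnet/SSH session as "viewer": the current view is reported,
!    and a password command is rejected by the parser as if it did not exist.
Router# show parser view
Router# configure terminal
Router(config)# enable secret x
```

The check in step 5 is the one worth keeping in a change procedure: log in as the restricted user, confirm "show parser view" names the expected view, and try one of the commands the view is supposed to deny. If the user lands in a normal EXEC shell instead, the "aaa authorization exec" line is the first thing to look for, since "aaa new-model" and "aaa authentication login" on their own never apply a view.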