RE: Role-base CLI

From: Victor Cappuccio (victor@ccbootcamp.com)
Date: Tue Apr 17 2007 - 04:25:29 ART


Ouchhh, I am sorry, I did not read your email completely.

Here is the router output when configured to login none:

R1#enable view
R1#
*Apr 17 07:26:41.378: %AAA-6-USER_BLOCKED: Enable view requires to be
authenticated by non-none methods,Please use the appropriate method with the
login authentication

Solution
R1#
R1#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#aaa authentication login default local
R1(config)#^Z
R1#
*Apr 17 07:27:16.854: %SYS-5-CONFIG_I: Configured from console by consoleena
R1#enable view
Password:

R1#
*Apr 17 07:27:22.114: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.

:)

-----Original Message-----
From: nobody@groupstudy.com on behalf of Victor Cappuccio
Sent: Tue 4/17/2007 0:11
To: nhatphuc; Cisco certification
Subject: RE: Role-base CLI

Hi Phuc,

Role Base System is like configuring a Unix style in a Cisco router ;)

The first thing is to enable aaa
aaa new-model
enables different levels of authentication, authorization and accounting

From here we need to move into the Root mode, and the default password
would be the enable secret password

R1(config)#enable secret cisco
R1(config)#aaa new-model
R1(config)#exit
R1#
*Apr 17 07:05:27.238: %SYS-5-CONFIG_I: Configured from console by cons
R1#enable view
Password:
!PASSWORD HERE IS cisco
R1#
*Apr 17 07:05:34.350: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
R1#
So now we can configure views for different users
(like 15 different views).
Using the parser view you can configure other views,
monitor or something else.
To configure a password for that view use the secret command,
and to set the commands available for that view use command

R1#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#parser ?
% Ambiguous command: "parser "
but you can still complete the command and that would be accepted by the IOS
R1(config)#parser view monitor

R1(config-view)#
*Apr 17 07:09:24.850: %PARSER-6-VIEW_CREATED: view 'monitor' successfully
created.?
View commands:
  commands Configure commands for a view
  default Set a command to its defaults
  exit Exit from view configuration mode
  no Negate a command or set its defaults
  secret Set a secret for the current view

R1(config-view)#secret cisco
R1(config-view)#commands exec ?
  exclude Exclude the command from the view
  include Add command to the view
  include-exclusive Include in this view but exclude from others
R1(config-view)#commands exec include show ver

to get into the view level
R1#enable view monitor
Password:

R1#show ?
  flash: display information about flash: file system
  parser Display parser information
  version System hardware and software status

So only show version is available for this view

R1#show ver | in IOS
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version
12.4(7a), RELEASE SOFTWARE (fc3)

HTH

thanks,
Victor Cappuccio.-
Network Learning Inc - A Cisco Sponsored Organization (SO) YES! We take
Cisco Learning credits!
victor@ccbootcamp.com
http://www.ccbootcamp.com (Cisco Training and Rental Racks)
http://www.ccbootcamp.com/groupstudy.html (groupstudy member discounts!)
Voice: 702-968-5100
FAX: 702-446-8012

-----Original Message-----
From: nobody@groupstudy.com on behalf of nhatphuc
Sent: Tue 4/17/2007 4:33
To: Cisco certification
Subject: Role-base CLI

Hi Group,

I'm configuring Role-base CLI

My config as follows:

enable password cisco

aaa new-model
aaa authentication login default none
aaa authentication login TELNET group radius
aaa authentication enable default enable

interface GigabitEthernet0/0
 ip address 192.168.1.99 255.255.255.0
 duplex auto
 speed auto
!
radius-server local
  nas 192.168.1.99 key 0 cisco
  group User
    block count 2 time 15
  !
  user user1 pass user1
!
radius-server host 192.168.1.99 auth-port 1812 acct-port 1813 key cisco

line con 0
line aux 0
 transport input telnet
line vty 0 4
 login authentication TELNET

When I enable root view, router says authentication failed although I input
the correct password cisco:

Router#enable view
Password:
% Authentication failed

If I delete these commands:

aaa authentication login default none
aaa authentication login TELNET group radius
aaa authentication enable default enable

I can enable root view using enable password.

How can I configure Role-base CLI together with aaa authentication?

Thanks

Phuc
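
An added example, not part of the original thread: a small Python check that resolves which login method list each line uses and reports the lines where it is exactly `none`, the condition behind the %AAA-6-USER_BLOCKED message in the reply above. The function names and the embedded sample (built from the AAA and line sections of the posted config) are constructed for illustration; method lists that only fall back to `none` are an assumption left unassessed.

```python
import re

# Constructed sample: AAA and line sections of the configuration posted in the thread.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default none
aaa authentication login TELNET group radius
aaa authentication enable default enable
line con 0
line aux 0
 transport input telnet
line vty 0 4
 login authentication TELNET
"""

def login_lists(config):
    """Map each login method-list name to its ordered methods."""
    lists = {}
    for line in config.splitlines():
        m = re.match(r"\s*aaa authentication login (\S+) (.+)", line)
        if m:
            lists[m.group(1)] = m.group(2).split()
    return lists

def line_bindings(config):
    """Map each 'line ...' block to the login list it uses ('default' if unset)."""
    bindings, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            bindings[current] = "default"
        elif current and raw.startswith(" "):
            m = re.match(r"\s+login authentication (\S+)", raw)
            if m:
                bindings[current] = m.group(1)
        else:
            current = None  # any other top-level line ends the line block
    return bindings

def view_blocked_lines(config):
    """Lines whose login list is exactly 'none', where 'enable view' is refused."""
    lists = login_lists(config)
    return sorted(line for line, name in line_bindings(config).items()
                  if lists.get(name) == ["none"])

if __name__ == "__main__":
    for line in view_blocked_lines(SAMPLE_CONFIG):
        print(f"{line}: login list is 'none'; enable view is blocked")
```

On the sample, the console and aux lines are reported because they inherit the `default` list, while the vty lines bound to `TELNET` are not.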



This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:36 ART