Re: Role-base CLI

From: nhatphuc (nhatphuc@gmail.com)
Date: Tue Apr 17 2007 - 23:37:56 ART


Hi Victor,

It works with IOS 12.4(6). But when I try it with 12.4(7a) and 12.4(12),
the root view is OK, but the local radius-server doesn't work. I tested by
telnetting to the router. Can you try this on your router?

Do you know the local radius-server's name in Feature Navigator?

Thanks

Phuc

On 4/18/07, Victor Cappuccio <victor@ccbootcamp.com> wrote:
>
>
> Hi Phuc
>
>
> *Apr 17 17:47:54.847: %SYS-5-CONFIG_I: Configured from console by
> consoleonf ter
> Enter configuration commands, one per line. End with CNTL/Z.
> Router(config)#
> Router(config)#
> Router(config)#
> Router(config)#enable password cisco
> Router(config)#!
> Router(config)#aaa new-model
> Router(config)#!
> Router(config)#!
> Router(config)#aaa authentication login default local
> Router(config)#aaa authentication login TELNET group radius
> Router(config)#!
> Router(config)#aaa session-id common
> Router(config)#!
> Router(config)#!
> Router(config)#username phuc password 0 phuc
> Router(config)#
> Router(config)#interface f0/0
> Router(config-if)# ip address 192.168.1.99 255.255.255.0
> Router(config-if)# duplex auto
> Router(config-if)# speed auto
> Router(config-if)#!
> Router(config-if)#ip http server
> Router(config)#no ip http secure-server
> Router(config)#!
> Router(config)#radius-server local
> Router(config-radsrv)# nas 192.168.1.99 key 0 cisco
> Router(config-radsrv)# group User
> Router(config-radsrv-group)# block count 2 time 15
> Router(config-radsrv-group)#$ auth-port 1812 acct-port 1813 key cisco
> Router(config)#!
> Router(config)#control-plane
> Router(config-cp)#!
> Router(config-cp)#line con 0
> Router(config-line)#line aux 0
> Router(config-line)# transport input telnet
> Router(config-line)#line vty 0 4
> Router(config-line)# login authentication TELNET
> Router(config-line)#!
> Router(config-line)#exit
> Router(config)#exit
> Router#enable v
> *Apr 17 17:48:11.095: %SYS-5-CONFIG_I: Configured from console by
> consoleiew
> Password:
>
> Router#
> *Apr 17 17:48:15.183: %PARSER-6-VIEW_SWITCH: successfully set to view
> 'root'.
> Router#
>
> Router#show parser view
> Current view is 'root'
>
> Could be a problem with the IOS Version??
>
> Trying in Another router... from our 20 Racks fully loaded with 2811
> routers running
> Router#show ver | in IOS
> Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version
> 12.4(7a), RELEASE SOFTWARE (fc3)
>
> rack8>R2
> Trying r2 (1.1.1.1, 2034)... Open
> Router#conf ter
> Enter configuration commands, one per line. End with CNTL/Z.
> Router(config)#enable password cisco
> Router(config)#!
> Router(config)#aaa new-model
> Router(config)#!
> Router(config)#!
> Router(config)#aaa authentication login default local
> Router(config)#aaa authentication login TELNET group radius
> Router(config)#aaa authentication enable default enable
> Router(config)#!
> Router(config)#^Z
> Router#enable
> *Apr 17 17:48:50.631: %SYS-5-CONFIG_I: Configured from console by
> consoleview
> Router#enable view
> Password:
>
> Router#
> *Apr 17 17:48:57.571: %PARSER-6-VIEW_SWITCH: successfully set to view
> 'root'.
> Router#show parser view
> Current view is 'root'
> Router#
> Router#
> Router#
>
> thanks,
> Victor Cappuccio.-
> Network Learning Inc - A Cisco Sponsored Organization (SO) YES! We take
> Cisco Learning credits!
> victor@ccbootcamp.com
> http://www.ccbootcamp.com (Cisco Training and Rental Racks)
> http://www.ccbootcamp.com/groupstudy.html (groupstudy member discounts!)
> Voice: 702-968-5100
> FAX: 702-446-8012
>
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com on behalf of nhatphuc
> Sent: Tue 4/17/2007 9:14
> To: Cisco certification
> Subject: Re: Role-base CLI
>
> Hi Victor,
>
> I changed to "aaa authen login default local" and added "aaa authen enable
> default enable", but it doesn't work.
>
> This is the output:
>
> Router#sh run
> Building configuration...
>
>
> enable password cisco
> !
> aaa new-model
> !
> !
> aaa authentication login default local
> aaa authentication login TELNET group radius
> !
> aaa session-id common
> !
> !
> username phuc password 0 phuc
>
> interface GigabitEthernet0/0
> ip address 192.168.1.99 255.255.255.0
> duplex auto
> speed auto
> !
> ip http server
> no ip http secure-server
> !
> radius-server local
> nas 192.168.1.99 key 0 cisco
> group User
> block count 2 time 15
> !
> user admin nthash 7
> 115B495C34445A5B500E0A70716316033625425153700A7E72012F5439330F0B03
> !
> radius-server host 192.168.1.99 auth-port 1812 acct-port 1813 key cisco
> !
> control-plane
> !
> line con 0
> line aux 0
> transport input telnet
> line vty 0 4
> login authentication TELNET
> !
>
> Router#ena
> Router#enable view
> Password:
> % Authentication failed
>
> Router#enable view
> Password:
> % Authentication failed
>
> Router#conf
> Configuring from terminal, memory, or network [terminal]?
> Enter configuration commands, one per line. End with CNTL/Z.
> Router(config)#ena
> Router(config)#enable sec
> Router(config)#enable secret class
> Router(config)#exit
> Router#enable view
> Password:
> % Authentication failed
>
> Router#conf
> Configuring from terminal, memory, or network [terminal]?
> Enter configuration commands, one per line. End with CNTL/Z.
>
> Router(config)#aaa authentication enable default enable
> Router(config)#exit
>
> Router#enable view
> Password:
> % Authentication failed
>
> Router#enable view
> Password:
> % Authentication failed
>
> Router#sh run
> Building configuration...
>
> Current configuration : 1597 bytes
> !
> version 12.4
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> no service password-recovery
> !
> hostname Router
> !
> boot-start-marker
> boot-end-marker
> !
> enable secret 5 $1$n.Jd$9jXsiBUhjQm/K8P1PVIBf/
> enable password cisco
> !
> aaa new-model
> !
> !
> aaa authentication login default local
> aaa authentication login TELNET group radius
> aaa authentication enable default enable
> !
> aaa session-id common
> !
> username phuc password 0 phuc
> secure boot-image
> secure boot-config
> !
> interface GigabitEthernet0/0
> ip address 192.168.1.99 255.255.255.0
> duplex auto
> speed auto
> !
> interface GigabitEthernet0/1
> ip address 192.168.3.1 255.255.255.0
> no ip unreachables
> duplex auto
> speed auto
> !
> ip http server
> no ip http secure-server
> !
> radius-server local
> nas 192.168.1.99 key 0 cisco
> group User
> block count 2 time 15
> !
> user admin nthash 7
> 115B495C34445A5B500E0A70716316033625425153700A7E72012F5439330F0B03
> !
> radius-server host 192.168.1.99 auth-port 1812 acct-port 1813 key cisco
> !
> line con 0
> line aux 0
> transport input telnet
> line vty 0 4
> login authentication TELNET
> !
>
> Please note that I can enable the root view if I only enable AAA using the aaa
> new-model command and don't put any aaa authen... commands on the router.
>
> Thanks
>
> Phuc
>
> On 4/17/07, Victor Cappuccio <victor@ccbootcamp.com> wrote:
> >
> > Ouchhh, I am sorry, I did not read your email completely.
> >
> > Here is the router output when configured with login none..
> >
> > R1#enable view
> > R1#
> > *Apr 17 07:26:41.378: %AAA-6-USER_BLOCKED: Enable view requires to be
> > authenticated by non-none methods,Please use the appropriate method with the
> > login authentication
> >
> > Solution
> > R1#
> > R1#conf ter
> > Enter configuration commands, one per line. End with CNTL/Z.
> > R1(config)#aaa authentication login default local
> > R1(config)#^Z
> > R1#
> > *Apr 17 07:27:16.854: %SYS-5-CONFIG_I: Configured from console by
> > consoleena
> > R1#enable view
> > Password:
> >
> > R1#
> > *Apr 17 07:27:22.114: %PARSER-6-VIEW_SWITCH: successfully set to view
> > 'root'.
> >
> > :)
> >
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com on behalf of Victor Cappuccio
> > Sent: Tue 4/17/2007 0:11
> > To: nhatphuc; Cisco certification
> > Subject: RE: Role-base CLI
> >
> > Hi Phuc,
> >
> > Role-based CLI is like configuring a Unix style in a Cisco router ;)
> >
> > The first thing is to enable AAA:
> > aaa new-model
> > enables different levels of authentication, authorization and accounting.
> >
> > From here we need to move into the Root mode, and the default password
> > would be the enable secret password.
> >
> >
> > R1(config)#enable secret cisco
> > R1(config)#aaa new-model
> > R1(config)#exit
> > R1#
> > *Apr 17 07:05:27.238: %SYS-5-CONFIG_I: Configured from console by cons
> > R1#enable view
> > Password:
> > !PASSWORD HERE IS cisco
> > R1#
> > *Apr 17 07:05:34.350: %PARSER-6-VIEW_SWITCH: successfully set to view
> > 'root'.
> > R1#
> > So now we can configure views for different users
> > (like 15 different views).
> > Using parser view you can configure other views,
> > monitor or something else.
> > To configure a password for that view use the secret command,
> > and to set the commands available for that view use the commands command.
> >
> > R1#conf ter
> > Enter configuration commands, one per line. End with CNTL/Z.
> > R1(config)#parser ?
> > % Ambiguous command: "parser "
> > But you can still complete the command and that would be accepted by the
> > IOS:
> > R1(config)#parser view monitor
> >
> > R1(config-view)#
> > *Apr 17 07:09:24.850: %PARSER-6-VIEW_CREATED: view 'monitor' successfully
> > created.?
> > View commands:
> > commands Configure commands for a view
> > default Set a command to its defaults
> > exit Exit from view configuration mode
> > no Negate a command or set its defaults
> > secret Set a secret for the current view
> >
> > R1(config-view)#secret cisco
> > R1(config-view)#commands exec ?
> > exclude Exclude the command from the view
> > include Add command to the view
> > include-exclusive Include in this view but exclude from others
> > R1(config-view)#commands exec include show ver
> >
> >
> > To get into the view level:
> > R1#enable view monitor
> > Password:
> >
> > R1#show ?
> > flash: display information about flash: file system
> > parser Display parser information
> > version System hardware and software status
> >
> > So only show version is available for this view.
> >
> > R1#show ver | in IOS
> > Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version
> > 12.4(7a), RELEASE SOFTWARE (fc3)
> >
> > HTH
> >
> >
> > thanks,
> > Victor Cappuccio.-
> > Network Learning Inc - A Cisco Sponsored Organization (SO) YES! We take
> > Cisco Learning credits!
> > victor@ccbootcamp.com
> > http://www.ccbootcamp.com (Cisco Training and Rental Racks)
> > http://www.ccbootcamp.com/groupstudy.html (groupstudy member discounts!)
> > Voice: 702-968-5100
> > FAX: 702-446-8012
> >
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com on behalf of nhatphuc
> > Sent: Tue 4/17/2007 4:33
> > To: Cisco certification
> > Subject: Role-base CLI
> >
> > Hi Group,
> >
> > I'm configuring Role-based CLI.
> >
> > My config is as follows:
> >
> > enable password cisco
> >
> > aaa new-model
> > aaa authentication login default none
> > aaa authentication login TELNET group radius
> > aaa authentication enable default enable
> >
> > interface GigabitEthernet0/0
> > ip address 192.168.1.99 255.255.255.0
> > duplex auto
> > speed auto
> > !
> > radius-server local
> > nas 192.168.1.99 key 0 cisco
> > group User
> > block count 2 time 15
> > !
> > user user1 pass user1
> > !
> > radius-server host 192.168.1.99 auth-port 1812 acct-port 1813 key cisco
> >
> > line con 0
> > line aux 0
> > transport input telnet
> > line vty 0 4
> > login authentication TELNET
> >
> > When I enable the root view, the router says authentication failed although I
> > input the correct password cisco:
> >
> > Router#enable view
> > Password:
> > % Authentication failed
> >
> > If I delete these commands:
> >
> > aaa authentication login default none
> > aaa authentication login TELNET group radius
> > aaa authentication enable default enable
> >
> > I can enable the root view using the enable password.
> >
> > How can I configure Role-based CLI together with aaa authentication?
> >
> > Thanks
> >
> > Phuc
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
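To turn the thread's diagnosis into a repeatable check, here is an added Python audit script (not from the thread, and not Cisco's code) that parses an IOS running-config in the style pasted above, lists the parser views it defines, and flags the two conditions the thread identifies as breaking "enable view": aaa new-model missing, or the default login method list set to none (the %AAA-6-USER_BLOCKED case). The sample configuration and the view secret hash placeholder are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the thread's "login default none" config,
# plus a parser view like the 'monitor' view from the explanation.
SAMPLE_CONFIG = """\
enable password cisco
aaa new-model
aaa authentication login default none
aaa authentication login TELNET group radius
aaa authentication enable default enable
parser view monitor
 secret 5 $1$xxxx$PLACEHOLDERHASH
 commands exec include show version
line vty 0 4
 login authentication TELNET
"""

def parse_views(config: str) -> Dict[str, Dict[str, object]]:
    """Collect each 'parser view NAME' block: whether it has a secret, and its commands."""
    views, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^parser view (\S+)", line)
        if m:
            current = m.group(1)
            views[current] = {"secret": False, "commands": []}
            continue
        if current is None or not line.startswith(" "):
            current = None            # any top-level line ends the view block
            continue
        sub = line.strip()
        if sub.startswith("secret "):
            views[current]["secret"] = True
        elif sub.startswith("commands "):
            views[current]["commands"].append(sub)
    return views

def audit_role_based_cli(config: str) -> List[str]:
    """Return findings that would stop 'enable view' from working."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: parser views need AAA enabled")
    # 'enable view' is refused when the default login list is 'none'
    # (IOS logs %AAA-6-USER_BLOCKED, as shown in the thread).
    for l in lines:
        if l.startswith("aaa authentication login default") and "none" in l.split()[4:]:
            findings.append("login default uses 'none': enable view will be blocked; use 'local' or a server group")
    for name, v in parse_views(config).items():
        if not v["secret"]:
            findings.append(f"view {name} has no secret configured")
    return findings
```

Run it on a saved "show run" to confirm the fix the thread settles on (aaa authentication login default local) clears the finding.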



This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:36 ART