Role Based CLI access to Cisco IOS using Views
Just having a play around with role based access and "views". Not a feature I've used much in production. Below we will configure a view that only allows the use of the show interface
commands. Then we will configure a user that, when logging in via telnet or ssh, will automatically land in the restricted view.
More info can be found on Cisco.com. This feature was first added in 12.3(7)T.
First off we enable the root view. Other views can only be created/changed from inside the root view.
m00nies-router(config)#aaa new-model
m00nies-router(config)#enable secret lalala
m00nies-router(config)#^Z
m00nies-router#disable
m00nies-route>enable view
*Mar 1 00:06:41.363: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
Now we are in the "root view" we can create the new view called INTONLY.
m00nies-router#conf t
m00nies-router(config)#parser view INTONLY
*Mar 1 00:07:59.527: %PARSER-6-VIEW_CREATED: view 'INTONLY' successfully created.
Now we create an enable secret for this specific view and add the commands we want. Unless specifically included, commands are excluded from the view.
m00nies-router(config-view)#secret INTONLYPASS
m00nies-router(config-view)#commands exec include show interface
Now we configure SSH and the AAA config needed.
m00nies-router(config)#exit
m00nies-router(config)#ip domain name m00nie.com
m00nies-router(config)#crypto key generate rsa
m00nies-router(config)#aaa authorization exec default local
m00nies-router(config)#aaa authentication login default local enable
m00nies-router(config)#aaa authorization exec default local
The INTGUY user is restricted to the INTONLY view, and test will be our default user for other access.
m00nies-router(config)#username INTGUY view INTONLY password 0 INTGUY
m00nies-router(config)#username test password 0 test
m00nies-router(config)#^Z
Now from a host we can SSH straight into the INTONLY view using the INTGUY account. See how all commands apart from show interface
fail.
m00nie@linux:~$ ssh INTGUY@m00nies-router
Password:
m00nies-router#show parser view
Current view is 'INTONLY'
m00nies-router#?
Exec commands:
<1-99> Session number to resume
enable Turn on privileged commands
exit Exit from the EXEC
show Show running system information
m00nies-router#show ?
flash: display information about flash: file system
parser Display parser information
slot0: display information about slot0: file system
slot1: display information about slot1: file system
m00nies-router#show run
^
% Invalid input detected at '^' marker.
m00nies-router# conf t
^
% Invalid input detected at '^' marker.
m00nies-router#ping 192.168.1.2
^
% Invalid input detected at '^' marker.
m00nies-router#show int
FastEthernet0/0 is up, line protocol is up
Hardware is AmdFE, address is cc00.1300.0000 (bia cc00.1300.0000)
Internet address is 192.168.1.1/24
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
...
0 output buffer failures, 0 output buffers swapped out
Loopback0 is up, line protocol is up
Hardware is Loopback
Internet address is 10.10.10.10/8
...
0 output buffer failures, 0 output buffers swapped out
Views can also be combined by reusing other views. These are configured with the superview keyword like so:
m00nies-router>enable view
m00nies-router#conf t
m00nies-router(config)#parser view lol superview
*Mar 1 01:21:19.643: %PARSER-6-SUPER_VIEW_CREATED: super view 'lol' successfully created.
m00nies-router(config-view)#secret lol
m00nies-router(config-view)#view INTONLY
*Mar 1 01:21:51.635: %PARSER-6-SUPER_VIEW_EDIT_ADD: view INTONLY added to superview lol.
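As an added example (not from the original post or from Cisco), here is a small Python audit of the view configuration built above: it parses the `parser view` blocks, resolves a superview such as lol down to the commands its member views grant, maps each `username ... view` line to its view, and flags the things a reviewer would want to catch, namely users pointing at a view that does not exist, views that grant nothing, `include all` rules, and users whose credential is stored with `password` (type 0 or 7, both recoverable from the config) rather than `secret`. The sample config is constructed to mirror the INTONLY view, the lol superview and the INTGUY/test users from the post; the users ops and ghost and the hash values are invented to show the checks firing.

```python
"""Audit Cisco IOS role-based CLI views in a running-config (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample config modelled on the post; 'ops', 'ghost' and the
# hash strings are invented so the audit has something to report.
SAMPLE_CONFIG = """\
!
aaa new-model
aaa authentication login default local enable
aaa authorization exec default local
!
username INTGUY view INTONLY password 0 INTGUY
username test password 0 test
username ops view lol secret 5 $1$CONSTRUCTED$hashvalue
username ghost view NOSUCHVIEW secret 5 $1$CONSTRUCTED$hashvalue
!
parser view INTONLY
 secret 5 $1$CONSTRUCTED$hashvalue
 commands exec include show interface
!
parser view lol superview
 secret 5 $1$CONSTRUCTED$hashvalue
 view INTONLY
!
"""

@dataclass
class View:
    name: str
    superview: bool = False
    commands: list = field(default_factory=list)  # (mode, action, command)
    members: list = field(default_factory=list)   # child views of a superview

@dataclass
class User:
    name: str
    view: Optional[str]
    recoverable: bool  # True when stored with 'password' (type 0/7), not 'secret'

VIEW_RE = re.compile(r"parser view (\S+)( superview)?$")
CMD_RE = re.compile(r"commands (\S+) (include-exclusive|include|exclude) (.+)")
USER_RE = re.compile(
    r"username (\S+)(?: privilege \d+)?(?: view (\S+))? (password|secret)(?: ([05789]))? "
)

def parse_views(config: str) -> dict:
    """Collect every 'parser view' block with its command rules and members."""
    views, current = {}, None
    for line in config.splitlines():
        m = VIEW_RE.match(line)
        if m:
            current = View(m.group(1), superview=bool(m.group(2)))
            views[current.name] = current
            continue
        if not line.startswith(" "):  # any unindented line ends the block
            current = None
            continue
        if current is None:
            continue
        body = line.strip()
        cm = CMD_RE.match(body)
        if cm:
            current.commands.append((cm.group(1), cm.group(2), cm.group(3)))
        elif body.startswith("view "):
            current.members.append(body.split()[1])
    return views

def parse_users(config: str) -> dict:
    """Map each local username to its assigned view and credential storage type."""
    users = {}
    for line in config.splitlines():
        m = USER_RE.match(line)
        if m:
            name, view, kind, _ptype = m.groups()
            users[name] = User(name, view, recoverable=(kind == "password"))
    return users

def effective_commands(views: dict, name: str, _seen=None) -> set:
    """Flatten a superview into the union of its member views' command rules."""
    _seen = _seen if _seen is not None else set()
    if name in _seen or name not in views:
        return set()
    _seen.add(name)
    rules = set(views[name].commands)
    for member in views[name].members:
        rules |= effective_commands(views, member, _seen)
    return rules

def audit(config: str) -> list:
    """Return human-readable findings about the view configuration."""
    findings, views, users = [], parse_views(config), parse_users(config)
    if "aaa new-model" not in config.splitlines():
        findings.append("aaa new-model is not configured; views require it")
    for u in users.values():
        if u.view and u.view not in views:
            findings.append(f"user {u.name}: view '{u.view}' is not defined")
        if u.recoverable:
            findings.append(f"user {u.name}: credential stored with 'password' (type 0/7, recoverable); use 'secret'")
    for v in views.values():
        rules = effective_commands(views, v.name)
        if not rules:
            findings.append(f"view {v.name}: grants no commands")
        for mode, action, cmd in rules:
            if action == "include" and cmd == "all":
                findings.append(f"view {v.name}: '{mode} include all' grants the whole {mode} mode")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run against a real `show running-config` dump, the same functions apply unchanged; the post's own `username ... password 0 ...` lines are exactly the kind the recoverable-credential check is meant to catch, since `password 0` stores the string in clear in the config.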
Maybe not quite TACACS+ authorization, but another useful tool to have in some circumstances.
m00nie :)