RBAC - associate user to view confusion

Unanswered Question
Jun 26th, 2009

Attempting to associate usernames with specific views once they log in.

Views have been successfully created and associated with username, but when the user logs in - they have to enter "ena view xxxx" before the view applies to them.

My understanding from reading the RBAC material is once the user logs in, they would automatically be under the control or into that view mode.


ISR Routers - 1800, 2800, 3800

IOS - Advipservices

Ver - 12.4(22)T

AAA - No ACS, TACACS+, or RADIUS -- just AAA New-Model

What am I missing??

Config Snippet

aaa new-model

aaa authentication login default local
aaa authentication login console local
aaa authentication login vty local
aaa authentication login local_auth local

username nocoper view NOCOPER password 7 045504050031495C49

parser view NOCOPER
 secret 5 $1$mUXP$w1Oqpr/rCvkhjcviGfkE8.
 commands configure include-exclusive line
 commands configure exclude interface
 commands exec include configure terminal
 commands exec include configure
 commands exec include show running-config
 commands exec include show

vmoopeung Thu, 07/02/2009 - 13:53

Users can be associated with a local CLI View by a return attribute from AAA or in local Authentication configuration. For local configuration, the username is configured with an additional view option, which matches the configured parser view name. These example users are configured for the default SDM Views:

username fw-user privilege [privilege-level] view SDM_Firewall
username monitor-user privilege [privilege-level] view SDM_Monitor
username vpn-user privilege [privilege-level] view SDM_EasyVPN_Remote
username sdm-root privilege [privilege-level] view root

Users who are assigned to a given view can temporarily switch to another view if they have the password for the view that they want to enter. Issue this exec command in order to change views:

enable view view-name

Amadou TOURE Mon, 07/06/2009 - 07:15


You have to add the authorization command:

aaa authorization exec default local

Thank you
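
An added example, not part of the original thread or of Cisco's tooling: a small offline audit that checks a saved configuration for the condition discussed above, local users bound to a parser view with no exec authorization method list that includes `local`. The function name, the sample configuration (secrets replaced with placeholders) and the `helpdesk` user are constructed for illustration, and the "not applied at login" finding assumes the fix given in the last reply.

```python
import re

# Constructed sample modelled on the question's snippet; secrets are placeholders.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
username nocoper view NOCOPER password 7 <placeholder>
username helpdesk view HELPDESK password 7 <placeholder>
parser view NOCOPER
 secret 5 <placeholder>
 commands exec include show
"""

USER_VIEW = re.compile(r"username (\S+) (?:.*? )?view (\S+)")
PARSER_VIEW = re.compile(r"parser view (\S+)")
# Any exec authorization method list that includes the local database.
EXEC_LOCAL = re.compile(r"aaa authorization exec \S+ (?:.* )?local\b")


def audit_views(config: str) -> list[str]:
    """Return findings for local users bound to parser views."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    views = {"root"}  # built-in root view, used by the sdm-root example above
    users = {}
    exec_local = False
    for ln in lines:
        if m := PARSER_VIEW.fullmatch(ln):
            views.add(m.group(1))
        elif m := USER_VIEW.match(ln):
            users[m.group(1)] = m.group(2)
        elif EXEC_LOCAL.match(ln):
            exec_local = True
    findings = []
    for user, view in sorted(users.items()):
        if view not in views:
            findings.append(f"{user}: parser view {view} is not defined")
        if not exec_local:
            findings.append(f"{user}: no 'aaa authorization exec ... local', "
                            f"view {view} is not applied at login")
    return findings


if __name__ == "__main__":
    for finding in audit_views(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, it reports the undefined `HELPDESK` view and the missing exec authorization for both users; the same configuration with `aaa authorization exec default local` added and the `helpdesk` line removed produces no findings.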

