Abaji Rawool

Introduction

This configuration example is meant to be read alongside the official documentation in the configuration guide located here:

http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_role_base_cli.html#wp1...

Prerequisites

Before you create a view, you must perform the following tasks:

Enable AAA with the aaa new-model command.

Ensure that your system is in root view—not privilege level 15. Enter root view with the enable view command and authenticate with the enable password or enable secret.

Configure

Create role-based CLI views for usera and userb on the router and link them to the users configured on ACS 5.x. The roles are defined in the table below.

Configuration Information for CLI Views

User Name   Roles
Usera       show ip route
            show running-configuration
Userb       configure terminal
            all commands starting with the keyword "crypto"

Configurations

Configure AAA on the router:

conf t
aaa new-model
aaa authentication login CONSOLE none
aaa authentication login ACS group tacacs+
aaa authorization exec ACS group tacacs+

line vty 0 4
 login authentication ACS
 authorization exec ACS

Configure the TACACS+ server:

tacacs-server host 192.168.1.1
tacacs-server key cisco

Before enabling a view, if you are configuring this from the console after setting the enable password, make sure to exit and reconnect to the console. If you do not have authentication configured for the console, you will see the error message below.

 

%AAA-6-USER_BLOCKED: Enable view requires to be authenticated by non-none methods,Please use the appropriate method with the login authentication.

 

R2>en
Password:
R2#
R2#enable view
Password:

 

After enabling the view with a password, we can protect the console.

R2(config)#line con 0
R2(config-line)#login authentication CONSOLE

Define the two views:

parser view usera
 secret cisco
 commands exec include show ip route
 commands exec include show running-config
 commands exec include show

parser view userb
 secret cisco
 commands configure include all crypto
 commands exec include configure terminal
 commands exec include configure
 commands exec include all crypto

 

Add the router as a network device in ACS.

Create two users and add them to two groups.

Create two shell profiles and add the custom attribute cli-view-name for usera and userb.

Map the shell profiles to the two users.

 

 

Verify

 

R4#telnet 33.33.4.3
Trying 33.33.4.3 ... Open
username: usera
password:

R3>?
Exec commands:
  <1-1>    Slot Number
  <1-99>   Session number to resume
  do-exec  Mode-independent "do-exec" prefix support
  enable   Turn on privileged commands
  exit     Exit from the EXEC
  show     Show running system information

  -------------------
 
R4#
R4#telnet 33.33.4.3
Trying 33.33.4.3 ... Open
username: userb
password:

R3>?
Exec commands:
  <1-1>      Slot Number
  <1-99>     Session number to resume
  configure  Enter configuration mode
  crypto     Encryption related commands.
  do-exec    Mode-independent "do-exec" prefix support
  enable     Turn on privileged commands
  exit       Exit from the EXEC
  show       Show running system information

R3>conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)>?
Configure commands:
  crypto   Encryption module
  do-exec  To run exec commands in config mode
  exit     Exit from configure mode

R3(config)>crypto ?
  call          Configure Crypto Call Admission Control
  ctcp          Configure cTCP encapsulation
  dynamic-map   Specify a dynamic crypto map template
  engine        Enter a crypto engine configurable menu
  gdoi          Configure GDOI policy
  identity      Enter a crypto identity list
  ikev2         Configure IKEv2 Options
  ipsec         Configure IPSEC policy
  isakmp        Configure ISAKMP policy
  key           Long term key operations
  keyring       Key ring commands
  logging       logging messages
  map           Enter a crypto map
  mib           Configure Crypto-related MIB Parameters
  pki           Public Key components
  provisioning  Secure Device Provisioning
  vpn           Configure crypto vpn commands
  wui           Crypto HTTP configuration interfaces
  xauth         X-Auth parameters
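
The following is an added example, not part of the original post: a small Python model of how the cli-view-name attribute returned in the TACACS+ shell profile selects one of the parser views above, and how that view's include rules gate commands. The matching rules are an assumption that simplifies the real IOS parser (a rule without "all" matches the typed keywords exactly; "include all" matches any command beginning with those keywords), and the TACACS+ replies are constructed.

```python
# Added example, not part of the original post: a simplified model of how the
# cli-view-name attribute from the TACACS+ shell profile selects a parser view
# whose "include" rules gate commands. Assumption: a rule without "all" matches
# the typed keywords exactly; "include all <kw>" matches anything starting <kw>.
from dataclasses import dataclass, field
@dataclass
class ParserView:
    name: str
    rules: dict = field(default_factory=dict)  # mode -> [(keywords, wildcard)]

    def permits(self, mode, command):
        words = command.split()
        for keywords, wildcard in self.rules.get(mode, []):
            if words == keywords or (wildcard and words[:len(keywords)] == keywords):
                return True
        return False

def parse_views(config):
    """Collect 'parser view' stanzas from a running-config fragment."""
    views, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("parser view "):
            current = ParserView(line.split()[2])
            views[current.name] = current
        elif current and line.startswith("commands "):
            parts = line.split()       # commands <mode> include [all] <keywords>
            if parts[2] != "include":  # exclude / include-exclusive not modelled
                continue
            wildcard = parts[3] == "all"
            current.rules.setdefault(parts[1], []).append(
                (parts[4:] if wildcard else parts[3:], wildcard))
    return views
ROUTER_CONFIG = """
parser view usera
 commands exec include show ip route
 commands exec include show running-config
 commands exec include show
parser view userb
 commands configure include all crypto
 commands exec include configure terminal
 commands exec include configure
 commands exec include all crypto
"""
# Constructed TACACS+ authorization replies, as the two ACS shell profiles return them.
TACACS_REPLIES = {"usera": {"cli-view-name": "usera"}, "userb": {"cli-view-name": "userb"}}
def authorize(user, mode, command):
    """True if the view named in the user's TACACS+ reply permits the command."""
    view = parse_views(ROUTER_CONFIG).get(TACACS_REPLIES.get(user, {}).get("cli-view-name"))
    return view is not None and view.permits(mode, command)
```

Running authorize("usera", "exec", "configure terminal") returns False while authorize("userb", "configure", "crypto isakmp policy 10") returns True, mirroring the two Verify sessions above.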

Comments
mohsen_hoseinimoghaddam
Community Member

Hi

Thanks for the useful post. I have been trying to do this using tac_plus and it has been kinda successful. I just wanted to know if there is any way for the users to see the # instead of > as they are logged in.

Thank you

 

petrdubinin
Level 1
Level 1

mohsen_hoseinim... - do you have a working example of how you did that with tac_plus?


I'm trying to make a restricted view and command authorization with tac_plus but still have no luck. Only NAS and privilege-level restrictions are working, but I need to hide a part of the config and restrict commands.
