Kureli Sankar
Cisco Employee

Documentation
This configuration example is meant to be read alongside the Role-Based CLI Access section of the official configuration guide:

http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_role_base_cli.html#wp1056582

 

Prerequisites

 

Before you create a view, you must:

1. Enable AAA with the aaa new-model command.

2. Be in the root view, not merely at privilege level 15. Enter it with the enable view command and the enable secret (or enable password). Views can only be created, modified and listed from the root view.

 

 

Goal

The goal is to enable per-user access restriction based on each person's role and function within the organization. This feature is useful when you want to delegate different responsibilities to different user groups.

 

We will create two roles:

a. network operator (netop)

b. security operator (secop)

 

For example, managing and configuring routing protocols and infrastructure configuration should be assigned to the network operations team. Managing the VPN, IOS firewall, and AAA functionality should be assigned to the security operations team. We will be configuring R2 and the ACS server in order to accomplish this.

 

Topology

topology.jpg

Assumption

This exercise assumes that all routing is in place and that there is a working route between the 192.168.2.0/24 and 192.168.4.0/24 networks. Make sure you can ping end to end. It also assumes that the firewall has been configured with the translation and permissions needed to allow all required traffic between the users, the routers and the ACS server.

 

Step by Step Configuration (R2)

Configure aaa on the router

conf t
aaa new-model
aaa authentication login FREE none
aaa authentication login TACACS-GRP group tacacs+
aaa authorization exec TACACS-GRP group tacacs+
!
line vty 0 4
 login authentication TACACS-GRP
 authorization exec TACACS-GRP
!
enable password cisco

The FREE list uses the none method, which means no authentication at all; it is applied to the console later in this exercise and is a lab convenience only. Likewise, enable secret is preferable to enable password, because the secret is stored as a hash rather than in a reversible form.

Configure tacacs server

tacacs-server host 192.168.2.14
tacacs-server key cisco

 

Enable view, configure the netop and secop views, and protect the console

If you are configuring this from the console, log out and log back in after aaa new-model and the enable password are in place, so that the console session itself has been authenticated. If the console line has no authentication (or uses a none method), enable view is refused with the following message:

%AAA-6-USER_BLOCKED: Enable view requires to be authenticated by non-none methods,Please use the appropriate method with the login authentication.

R2>en
Password:
R2#
R2#enab view
Password:

Once the root view has been entered with the enable password, the console can be given its login method:

R2(config)#line con 0
R2(config-line)#login authentication FREE

Because FREE is a none method, this leaves the console unauthenticated, and a later enable view from a console session will run into the same %AAA-6-USER_BLOCKED message. Outside a lab, use a non-none method such as local on the console.
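The AAA configuration above is fine for the lab but has three weaknesses a practitioner would normally fix before deploying it: the enable password is stored in a reversible form, a TACACS+ outage locks every operator out because no fallback method is defined, and the console is left with no authentication at all (which is also what triggers the %AAA-6-USER_BLOCKED message when enable view is attempted from it). The following hardened counterpart is an added example, not part of the original document; the account name admin, the method-list name CONSOLE and all secrets are placeholders.

```cisco
! Hardened counterpart to the lab AAA configuration (added example;
! the admin account, the CONSOLE list name and every secret are placeholders)
conf t
aaa new-model
!
! enable secret is stored as a hash instead of the reversible enable password.
! It is also what "enable view" (the root view) prompts for.
no enable password
enable secret Root-View-Secret-1
!
! Local break-glass account, used only when no TACACS+ server answers.
username admin privilege 15 secret Break-Glass-Secret-1
!
! Fall back to the local database if TACACS+ is unreachable.
! "none" is deliberately absent from every method list.
aaa authentication login TACACS-GRP group tacacs+ local
aaa authorization exec TACACS-GRP group tacacs+ local
aaa authentication login CONSOLE local
!
tacacs-server host 192.168.2.14
tacacs-server key Shared-Tacacs-Key-1
!
! The console authenticates against the local database, so it is never
! unauthenticated and "enable view" works from a console session as well.
line con 0
 login authentication CONSOLE
!
line vty 0 4
 login authentication TACACS-GRP
 authorization exec TACACS-GRP
end
```

With this in place the operator accounts still come from ACS as in the rest of the exercise; the local admin account is only consulted when the tacacs+ group returns no answer, not when ACS rejects a login.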

 

 

parser view netop
secret cisco
commands configure include all ip route
commands configure include all router
commands configure include all interface
commands configure include ip
commands exec include configure terminal
commands exec include configure
commands exec include all show

 

netop will be able to:

1. configure dynamic routing protocols (router ...)

2. configure static routes (ip route ...)

3. enter interface configuration and apply interface-specific commands

4. execute any show command

In a view, commands configure include all <prefix> admits the command and everything beneath it, including the commands typed in the sub-mode it enters (so include all interface covers interface configuration mode), whereas commands configure include <command> admits only that command. Both configure terminal and the bare configure are included in exec mode so that either form of the command works.

 

parser view secop
secret 5 $1$BLsw$UjHivthLFLACo9ClKXi46/
commands configure include all radius-server
commands configure include all tacacs-server
commands configure include all interface
commands configure include all zone-pair
commands configure include all zone
commands configure include all policy-map
commands configure include all class-map
commands configure include ip inspect
commands configure include ip
commands configure include all crypto
commands configure include all aaa
commands exec include configure terminal
commands exec include configure
commands exec include all show

 

secop will be able to:

1. configure everything VPN related (crypto)

2. configure AAA, CBAC (ip inspect) and the zone-based firewall (zone, zone-pair, class-map, policy-map)

3. configure TACACS+ and RADIUS server parameters

4. enter interface configuration and apply interface-specific commands

5. execute any show command
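Before involving ACS it is worth confirming from the router itself that each view allows exactly what its list above claims. The sequence below is an added example and is not part of the original document: it lists the views from the root view, binds local test accounts to the views so they can be exercised without a TACACS+ server, then switches into netop interactively to check one allowed and one disallowed command. The local usernames and their secrets are placeholders, and the local bindings are not needed once ACS returns the view name.

```cisco
! Verifying the netop and secop views on R2 (added example; the netop-local and
! secop-local accounts and their secrets are placeholders)
!
! 1. From the root view, list every configured view and its command set.
!    The "all" keyword is only accepted in the root view.
R2#show parser view all
!
! 2. Optionally bind local accounts to the views so they can be tested without ACS.
!    A user that logs in through a "local" method lands directly in the named view.
!    (Older IOS releases take the keyword "password" instead of "secret" here.)
R2#configure terminal
R2(config)#username netop-local view netop secret Netop-Test-Secret-1
R2(config)#username secop-local view secop secret Secop-Test-Secret-1
R2(config)#end
!
! 3. Switch into the netop view interactively. The password asked for is the
!    view secret ("cisco" in this lab), not the enable secret.
R2#enable view netop
Password:
R2#show parser view
!    expected: Current view is 'netop'
R2#configure terminal
! Allowed by "commands configure include all ip route"
R2(config)#ip route 10.10.10.0 255.255.255.0 192.168.4.1
! Rejected: nothing in the netop view includes policy-map
R2(config)#policy-map test
R2(config)#end
!
! 4. Return to the root view; this prompts for the enable secret or enable password.
R2#enable view
R2#show parser view
!    expected: Current view is 'root'
```

Repeat step 3 with enable view secop to confirm that class-map, policy-map, zone and crypto commands are accepted there while router and ip route are not. Remove the local test accounts afterwards if the production design relies solely on ACS.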

 

Configure the ACS server

Create R2 as an AAA client on the ACS server.

R2-aaa-client.jpg

Enable per-user TACACS+/RADIUS attributes under Interface Configuration > Advanced Options.

Interface-config-advance-option-enable-per-user-attrib.jpg

Enable "Shell (exec)" for the user under Interface Configuration > TACACS+ (Cisco IOS). Make sure "Display a window for each service selected..." is checked as well, otherwise the custom attributes box will not appear in the User Setup screen.

interface-config-per-user-tacacs.jpg

Create the two users, netop and secop. They can optionally be placed in a separate group called Role-Based CLI.

users-in-RBAC.jpg

Configure each user separately and tie it to the respective view configured on the router. The attribute IOS expects in the exec authorization reply is cli-view-name; it goes in the user's custom attributes box as cli-view-name=netop or cli-view-name=secop.

netop - tie it to the netop view created on the router

netop-setup-acs.jpg

secop - tie it to the secop view created on the router

secop-setup-acs.jpg

Apply authentication and authorization to the vty lines (these are the same lines entered in the AAA step; make sure they are present)

line vty 0 4
 authorization exec TACACS-GRP
 login authentication TACACS-GRP

 

 

Test from the Router R2

The test aaa command checks authentication against the server group without opening a session. The keyword after the password is legacy (abbreviated as leg below).

R2#test aaa group tacacs+ netop netop legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.

R2#test aaa group tacacs+ secop secop legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User authentication request was rejected by server.

The second output is what a rejection looks like: the router reached ACS, but ACS refused the credentials. Resolve that on the ACS side (user, password or group settings) before testing the login from R1.

 

Final configuration (relevant portion of show running-config). The enable password, the password cisco entries on the lines and transport input telnet are lab conveniences: in production use enable secret, drop the line passwords that the AAA method lists make redundant, and restrict vty access to SSH so that credentials and the session are not sent in cleartext.

enable password cisco
!
aaa new-model
!
!
aaa authentication login TACACS-GRP group tacacs+
aaa authentication login FREE none
aaa authorization exec TACACS-GRP group tacacs+

!

line con 0
exec-timeout 0 0
password cisco
logging synchronous
login authentication FREE
!
line vty 0 3
exec-timeout 0 0
password cisco
authorization exec TACACS-GRP
logging synchronous
login authentication TACACS-GRP
transport input telnet
line vty 4
exec-timeout 0 0
password cisco
authorization exec TACACS-GRP
logging synchronous
login authentication TACACS-GRP
transport input telnet

!

parser view netop
secret 5 $1$VN8q$A4X5YI35YsGxdKOMihLBN/
commands configure include all ip route
commands configure include all router
commands configure include all interface
commands configure include ip
commands exec include configure terminal
commands exec include configure
commands exec include all show
!
parser view secop
secret 5 $1$BLsw$UjHivthLFLACo9ClKXi46/
commands configure include all radius-server
commands configure include all tacacs-server
commands configure include all interface
commands configure include all zone-pair
commands configure include all zone
commands configure include all policy-map
commands configure include all class-map
commands configure include ip inspect
commands configure include ip
commands configure include all crypto
commands configure include all aaa
commands exec include configure terminal
commands exec include configure
commands exec include all show
!

 

Test from R1:

R1#telnet 192.168.4.11
Trying 192.168.4.11 ... Open

 

Username: netop
Password:

 

R2>conf t ------> (notice that the prompt is > rather than #, yet configuration changes are still possible)
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)>int f0/1
R2(config-if)>shut
R2(config-if)>no shut
R2(config-if)>ip addre ?
  A.B.C.D  IP address
  dhcp     IP Address negotiated via DHCP
  pool     IP Address autoconfigured from a local DHCP pool

 

R2(config-if)>exit
R2(config)>polic-m
R2(config)>polic-m ? ---> (policy-map cannot be configured when logged in as netop)
% Unrecognized command

 

R1#telnet 192.168.4.11
Trying 192.168.4.11 ... Open


User Access Verification

 

Username: secop
Password:

 

R2>conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)>class-map type inspect in-out-class  ---------> (notice that a class-map can be created when logged in as secop)
R2(config-cmap)>
Comments

Hi,

Very informative and useful...

Could you please upload the same for the ACS 5.X? It would be great...

BR,

Mubasher Sultan

JASON KENNEMER
Level 1

+1.  Please add ACS 5.x.

Abaji Rawool
Level 3

I created this doc, I hope it helps..

 

https://supportforums.cisco.com/document/12410416/create-role-based-cli-ios-router-and-link-it-users-configured-acs-5x

 

Regards,

Abaji.
