03-20-2011 10:54 AM - edited 02-21-2020 09:57 PM
This configuration example is meant to be interpreted with the aid of the official documentation from the configuration guide located here:
Before you create a view, you must perform the following tasks:
•Enable AAA via the aaa new-model command.
•Ensure that your system is in root view, not merely privilege level 15 (enter it with the "enable view" command, using the enable password or enable secret).
The goal is to restrict CLI access per user according to each person's role and function within the organization. This feature is very useful when you want to delegate different responsibilities to different user groups within the organization.
We will create two roles:
a. network operator (netop)
b. security operator (secop)
For example, managing and configuring routing protocols and the infrastructure configuration should be assigned to the network operations team, while managing the VPN, IOS firewall and AAA functionality should be assigned to the security operations team. We will configure R2 and the ACS server to accomplish this.
This exercise assumes that all routing is in place and that there is a proper route between the 192.168.2.0/24 and 192.168.4.0/24 networks. Make sure you can ping end to end. We also assume that the firewall has been properly configured with translation and permissions to allow all the necessary traffic between the users, the routers and the ACS server.
conf t
aaa new-model
aaa authentication login FREE none
aaa authentication login TACACS-GRP group tacacs+
aaa authorization exec TACACS-GRP group tacacs+
line vty 0 4
login authentication TACACS-GRP
authorization exec TACACS-GRP
enable password cisco
tacacs-server host 192.168.2.14
tacacs-server key cisco
Before enabling a view: if you are configuring this from the console after setting the enable password, log out and reconnect to the console. If no authentication is configured for the console line, "enable view" fails with the error message below. (This example uses "enable password cisco" to keep things short; on a production device use "enable secret", which stores a hash rather than a recoverable password.)
%AAA-6-USER_BLOCKED: Enable view requires to be authenticated by non-none methods,Please use the appropriate method with the login authentication.
R2>en
Password:
R2#
R2#enab view
Password:
Once the router is in root view, assign the console the FREE method list so the console is never locked out by TACACS+ (a method of "none" means no authentication at all on the console, which is acceptable only in a lab):
R2(config)#line con 0
R2(config-line)#login authentication FREE
R2(config)# parser view netop
secret cisco
commands configure include all ip route
commands configure include all router
commands configure include all interface
commands configure include ip
commands exec include configure terminal
commands exec include configure
commands exec include all show
netop will be able to configure the following:
1. dynamic routing protocols
2. static routes
3. interface-specific commands
4. any show command
The bare "commands configure include ip" and "commands exec include configure" lines are the parent keywords that IOS records when a longer command such as "ip route" or "configure terminal" is included; without "all" they permit only that exact keyword, so netop cannot run other ip commands such as ip access-list.
parser view secop
secret 5 $1$BLsw$UjHivthLFLACo9ClKXi46/
commands configure include all radius-server
commands configure include all tacacs-server
commands configure include all interface
commands configure include all zone-pair
commands configure include all zone
commands configure include all policy-map
commands configure include all class-map
commands configure include ip inspect
commands configure include ip
commands configure include all crypto
commands configure include all aaa
commands exec include configure terminal
commands exec include configure
commands exec include all show
secop will be able to configure the following:
1. all VPN related configuration (crypto)
2. all AAA, CBAC and ZBF configuration
3. all TACACS or RADIUS parameters configuration
4. apply interface specific commands
5. execute any show commands
In ACS, make sure to select "Display a window for each service selected in which you can enter customized TACACS+ attributes" (Interface Configuration > TACACS+ (Cisco IOS)); otherwise the "Custom attributes" box does not appear in the User Setup screen. That box is where the view is assigned to the user: under the Shell (exec) service, enter the attribute cli-view-name=netop for the netop user and cli-view-name=secop for the secop user, since cli-view-name is the TACACS+ attribute IOS expects for role-based CLI access.
The users can also be placed in a separate group, for example "Role-Based CLI group" (this is optional).
line vty 0 4
authorization exec TACACS-GRP
login authentication TACACS-GRP
Verify that R2 can authenticate each user against ACS ("leg" is the abbreviated "legacy" keyword of the test aaa command):
R2# test aaa group tacacs+ netop netop leg
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.
R2# test aaa group tacacs+ secop secop leg
Attempting authentication test to server-group tacacs+ using tacacs+
User authentication request was rejected by server.
A rejection like the second result means ACS refused the credentials for that user; fix that on the server before testing the view assignment.
The relevant part of the resulting running configuration on R2:
enable password cisco
!
aaa new-model
!
!
aaa authentication login TACACS-GRP group tacacs+
aaa authentication login FREE none
aaa authorization exec TACACS-GRP group tacacs+
!
line con 0
exec-timeout 0 0
password cisco
logging synchronous
login authentication FREE
!
line vty 0 3
exec-timeout 0 0
password cisco
authorization exec TACACS-GRP
logging synchronous
login authentication TACACS-GRP
transport input telnet
line vty 4
exec-timeout 0 0
password cisco
authorization exec TACACS-GRP
logging synchronous
login authentication TACACS-GRP
transport input telnet
!
parser view netop
secret 5 $1$VN8q$A4X5YI35YsGxdKOMihLBN/
commands configure include all ip route
commands configure include all router
commands configure include all interface
commands configure include ip
commands exec include configure terminal
commands exec include configure
commands exec include all show
!
parser view secop
secret 5 $1$BLsw$UjHivthLFLACo9ClKXi46/
commands configure include all radius-server
commands configure include all tacacs-server
commands configure include all interface
commands configure include all zone-pair
commands configure include all zone
commands configure include all policy-map
commands configure include all class-map
commands configure include ip inspect
commands configure include ip
commands configure include all crypto
commands configure include all aaa
commands exec include configure terminal
commands exec include configure
commands exec include all show
!
Note that the vty lines accept only telnet, so usernames, passwords and every command cross the network in clear text; outside a lab, configure SSH and use "transport input ssh".
R1#telnet 192.168.4.11
Trying 192.168.4.11 ... Open
Username: netop
Password:
R2>conf t ------> (notice that you are not at the # prompt, but you are still able to make changes to the configuration)
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)>int f0/1
R2(config-if)>shut
R2(config-if)>no shut
R2(config-if)>ip addre ?
A.B.C.D IP address
dhcp IP Address negotiated via DHCP
pool IP Address autoconfigured from a local DHCP pool
R2(config-if)>exit
R2(config)>polic-m
R2(config)>polic-m ? ---> (unable to configure a policy-map when logged in as netop)
% Unrecognized command
R1#telnet 192.168.4.11
Trying 192.168.4.11 ... Open
User Access Verification
Username: secop
Password:
R2>conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)>class-map type inspect in-out-class ---------> (notice you are able to create a class-map when logged in as secop)
R2(config-cmap)>
Hi,
Very informative and useful...
Could you please upload the same for the ACS 5.X? It would be great...
BR,
Mubasher Sultan
+1. Please add ACS 5.x.
I created this doc; I hope it helps.
https://supportforums.cisco.com/document/12410416/create-role-based-cli-ios-router-and-link-it-users-configured-acs-5x
Regards,
Abaji.