Role based CLI

mohammad-yousef
Level 1

Dear All,

I have configured a view named monitor, in order to be able to issue show commands only.

I logged in to the root view, then put the following conf.:

Router(config)# parser view monitor

Router(config-view)# secret cisco

Router(config-view)# command exec include all show

but I want to assign this view to a certain user, I tried to do this by this command:

username test view monitor password test

But when I log in using this account (test) I am able to view everything and configure everything.

Please help me to do this job (creating a user that is able to issue certain commands and not all).

Thanks..

6 Replies

pjhenriqs
Level 1

Hi Mohammad,

Can you not use privilege exec level to achieve this?

Here is an example:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml

Hope it helps,

Paulo

Thanks Paulo,

I tried but no effect, all privileges can do everything.

Hi Mohammad,

Can you tell me which commands you have inserted on the router?

Here is an example for allowing ping:

aaa authorization exec AAA group RADIUSSERVERS local none

...

privilege exec all level 7 ping

...

line vty 0 4

authorization exec AAA

login authentication AAA

Hope it helps,

Paulo

I have a similar issue:

I have created a view X with only a particular 'show' command.

I have also created a user Y view X in the local user database.

I can log in with user Y and am taken directly to view X.

The issue is that there are still other commands available like 'enable'.

I tried to remove using the command exec exclude enable and no command exec include to enable no avail.

Can anybody help?

Hello Mohammad and Antony,

Creating views and restricting users to be bound to that specific view only is "Authorization". You should have the "authorization exec local" command issued in the desired lines (vty or con lines).

Regards
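
Added example, not part of any post in this thread: a small Python check for the situation discussed above, where a local user is bound to a view but the vty lines perform no exec authorization. The config excerpts are constructed, the hash is a placeholder, and the check assumes, as the reply above states, that the view binding only takes effect through exec authorization.

```python
import re

# Constructed running-config excerpts, not from a real device. WEAK mirrors the
# thread: the user is bound to a view, but no exec authorization is configured.
WEAK = """\
aaa new-model
aaa authentication login default local
parser view monitor
 secret 5 <placeholder-hash>
 commands exec include all show
username test view monitor password test
line vty 0 4
 transport input ssh
"""
# FIXED adds exec authorization against the local user database.
FIXED = WEAK.replace("parser view", "aaa authorization exec default local\nparser view", 1)

def audit(config):
    """Explain why a `username ... view ...` binding would not be applied on vty lines."""
    findings = []
    users = re.findall(r"^username (\S+) .*?\bview (\S+)", config, re.M)
    if not users:
        return findings
    views = set(re.findall(r"^parser view (\S+)", config, re.M))
    # Exec authorization method lists: name -> methods, e.g. {"default": ["local"]}.
    lists = {name: methods.split() for name, methods in
             re.findall(r"^aaa authorization exec (\S+) (.+)$", config, re.M)}
    if not re.search(r"^aaa new-model$", config, re.M):
        findings.append("aaa new-model is not enabled")
    for user, view in users:
        if view not in views:
            findings.append(f"user {user}: view '{view}' is not defined")
    # A vty line uses the list named under it, or "default" when none is named.
    for header, body in re.findall(r"^(line vty[^\n]*)\n((?: [^\n]*\n)*)", config, re.M):
        named = re.search(r"^ authorization exec (\S+)", body, re.M)
        name = named.group(1) if named else "default"
        if name not in lists:
            findings.append(f"{header}: no exec authorization list '{name}', view never applied")
        elif "local" not in lists[name]:
            findings.append(f"{header}: list '{name}' never consults the local user database")
    return findings

if __name__ == "__main__":
    for label, cfg in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(label, audit(cfg) or "ok")
```

On a device, `show parser view` run from the restricted user's session shows which view, if any, the session was placed in.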

Thanks for response....

Can you explain a bit more in detail how what you suggest is done and what it will accomplish?

Why can't I just remove the 'enable' command from the view?

Thanks
