14 Replies Latest reply: Aug 16, 2011 2:18 AM by cadetalain

    Role-based CLI views

    Vaidas Vilemaitis


      Hi all,



      My goal is to have a view created and applied to a specific user. The issue I'm facing is that I can't get to the particular view unless I enable to it. Please find below the configuration steps I've done already:



      1. Enabled AAA



      Router(config)#aaa new-model



      2. Created an authentication list for vty lines



      Router(config)#aaa authentication login TELNET_LIMITED local



      3. Applied the authentication list to the vty lines



      Router(config)#line vty 0 4

      Router(config-line)#login authentication TELNET_LIMITED



      4. Enable to root view



      Router#enable view


      *Mar 19 15:02:30.394: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'



      5. Created a view with only ping command allowed



      Router(config)#parser view PING_ONLY

      Router(config-view)#secret ping

      Router(config-view)#commands exec include ping



      6. Applied the view to newly created user 'helpdesk' with password 'agent'



      Router(config)#username helpdesk view PING_ONLY secret agent






      Now, trying to access the router with the new username:



      User Access Verification


      Username: helpdesk





      Why am I not in privileged mode in the first place? The list of available commands is far too long for this user:




      Exec commands:

      access-enable Create a temporary Access-List entry

      access-profile Apply user-profile to interface

      clear Reset functions

      connect Open a terminal connection

      crypto Encryption related commands.

      disable Turn off privileged commands

      disconnect Disconnect an existing network connection




      If I manually enable, I can then get to the correct view:



      Router>enable view PING_ONLY




      *Mar 19 15:12:56.298: %PARSER-6-VIEW_SWITCH: successfully set to view 'PING_ONLY'.

      Exec commands:

      enable Turn on privileged commands

      exit Exit from the EXEC

      ping Send echo messages

      show Show running system information



      What have I missed in my configuration? Thanks a lot for your contribution!
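
An added example, not part of the original post: a small Python audit that reads running-config text and reports local users bound to a parser view whose view would not be applied at vty login. It assumes the usual IOS behaviour that, with `aaa new-model`, a view attached to a local username is applied at login only when exec authorization runs against the local database (`aaa authorization exec ... local`, with any named list applied under the vty lines). The function name `audit_views`, the list name `VTY_AUTHZ` used in testing and the sample text are constructed for illustration.

```python
import re

# Constructed sample: the configuration steps from the post, as running-config text.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login TELNET_LIMITED local
username helpdesk view PING_ONLY secret agent
parser view PING_ONLY
 secret ping
 commands exec include ping
line vty 0 4
 login authentication TELNET_LIMITED
"""

def audit_views(config):
    """Return one finding per vty block and view-bound user lacking local exec authorization."""
    lines = config.splitlines()
    # Local users that have a parser view attached.
    users = [m.groups() for ln in lines
             if (m := re.match(r"username (\S+) .*\bview (\S+)", ln))]
    # Exec authorization method lists that consult the local user database.
    local_lists = {m.group(1) for ln in lines
                   if (m := re.match(r"aaa authorization exec (\S+) .*\blocal\b", ln))}
    # Group the indented sub-commands under each "line vty" block.
    vty, current = {}, None
    for ln in lines:
        if ln.startswith("line vty"):
            current = ln
            vty[current] = []
        elif not ln.startswith(" "):
            current = None
        elif current:
            vty[current].append(ln.strip())
    findings = []
    for block, cmds in vty.items():
        # A vty block with no "authorization exec <list>" uses the list named "default".
        applied = next((c.split()[2] for c in cmds
                        if c.startswith("authorization exec ")), "default")
        if applied not in local_lists:
            for user, view in users:
                findings.append(f"{block}: user '{user}' is not placed in view '{view}' "
                                f"at login (no local exec authorization list '{applied}')")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_views(SAMPLE_CONFIG)) or "no findings")
```
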