AAA: Creating sub-views (customised privilege access)

by Cyrus Lok on Friday, December 18, 2009 at 4:50pm

This note discuss about method used by privilege 15 administrator to create multiple views based on the roles of certain administrators.

For example, I can create certain commands that are available only to helpdesk engineers, for helpdesk engineers they only need to know but not configure, hence a few troubleshooting commands should be included for helpdesk engineers to identify problems, one of the most useful command will be the Show command, I also would like the helpdesk engineers to be able to use the ping command hence ping command will be included into this view.

Being a privilege 15 user, I can do almost everything, however only in root view can I configure the views based on the roles of the users.

To escalate myself into a root view user, I need to create an enable password or secret in my global configuration mode. It is recommended to use secret instead of password. Password still exists because cisco wants to have backward compatibility with some routers that are running earlier version of IOS that do not support secret at all. By enabling secret, my clear text password will be hashed by MD5 algorithm. MD5 is not secure, and it has been proven to be able to hack, nowadays as far as security is concerned people will choose SHA version 2 over MD5. However for this scenario MD5 is sufficient, at least when I typed in :
show run | include enable

my enable password will be shown something like this

enable secret 5 $1$pBwK$vuiQeRAR9dR93oEjQ8knI0

instead of the clear text password test. Type in the command below to set your enable password, enable will bring you into EXEC mode where you can do all the Show commands from there.

cyrus(config)#enable secret test

I need to escalate myself from a privilege 15 user into the root view user.
I need to enable AAA new-model in global config mode.

cyrus(config)#aaa new-model

Exit from global configuration mode, and turn on my terminal monitor to show log messages (If you have a syslog server running concurrently, and you have configured your router to deliver all log messages to syslog server you will see those messages from the server)

Turn on my terminal monitor:
cyrus#terminal monitor <cr>

Escalate myself into root view user:
cyrus#enable view

type in your enable password which you have set.
Now I am in my root view, from here I got authority into configuring “authorization” for different users with various roles at work

From my root view EXEC mode, enter configuration terminal:
cyrus#conf t

From global configuration mode, type in “parser view <name_of_view> <cr>”
cyrus(config)#parser view SHOWMODE
*Mar 1 04:17:37.347: %PARSER-6-VIEW_CREATED: view ‘SHOWMODE’ successfully created.

Because I have turned on my terminal monitor, log message was created.
From my parser view configuration mode, there are several modes which I can set up to configure the type of access (things I want my user to be able to do aka authorization) I want my users to be able to do, here’s a partial example:

cyrus(config-view)#commands ?
RITE-profile Router IP traffic export profile command mode
RMI-Node-Config Resource Policy Node Config mode
RMI-Resource-Group Resource Group Config mode
RMI-Resource-Manager Resource Manager Config mode
RMI-Resource-Policy Resource Policy Config mode
SASL-profile SASL profile configuration mode
aaa-attr-list AAA attribute list config mode
aaa-user AAA user definition
accept-dialin VPDN group accept dialin configuration mode
accept-dialout VPDN group accept dialout configuration mode
address-family Address Family configuration mode
archive Archive the router configuration mode
bba-group BBA Group configuration mode
call-filter-matchlist Call Filter matchlist configuration mode
cm-ac AC-AC connect configuration mode
cns-connect-config CNS Connect Info Mode
cns-connect-intf-config CNS Connect Intf Info Mode
cns-tmpl-connect-config CNS Template Connect Info Mode
config-ip-sla-http-rr IP SLAs HTTP raw request Configuration
config-l2tp-class l2tp-class configuration mode
config-saa-http-rr SAA HTTP raw request Configuration
configure Global configuration mode

Surprised! So many modes! CCNA only covers a tip of an iceberg!

For this example, I am creating a helpdesk engineer authorization (i.e. what you can do). What does a helpdesk engineer needs to troubleshoot when a customer calls in and report a network issue?

1. Show commands? Yes
2. All show commands? Hmm.. well maybe show certain things… but not all….
3. Ping command? Yeah, this is the most basic way to know the connectivity of a network.

cyrus(config-view)#commands EXEC ?
exclude Exclude the command from the view
include Add command to the view
include-exclusive Include in this view but exclude from others

EXEC mode is the most basic mode that an user needs to access in order to issue show commands, and also from EXEC mode an user is able to go further into configure terminal mode (i.e. global configuration mode)

Exclude: Give access to users to all commands except for admin defined commands
Include: Explicitly include commands that an admin intends to give to user.
Include-exclusive: Include the commands intended for user only in this list, but not the other list that an admin will be creating/has been created.

Include option will create more work, however it let an admin to explicitly define the set of commands that an admin intends to give the user.

cyrus(config-view)#commands EXEC include ?
LINE Keywords of the command
all wild card support

LINE: I have to explicitly include the line of command that is allow in this view.
cyrus(config-view)#commands exec include ping
% Password not set for the view SHOWMODE

ALAS! I forgot t0 set a secret (aka MD5 hashing password) for this view! kns…-_-”

Ok, for simplicity I create the password to be the same as the user account, in real life no one does this way of authentication.

cyrus(config-view)#secret helpdesk

include a line that I want to the view explicitly:
cyrus(config-view)#commands exec include ping

To show you how the wild card keyword ALL works, here is it:
cyrus(config-view)#commands exec include all show

It means I allow user account which has access to this created view to be able to show EVERTHING!
ok, here is what I mean.

First I will apply the created view SHOWMODE into an user account:
cyrus(config)#username helpdesk view SHOWMODE secret helpdesk

<Got an answer from CCNA-Security study group, great!>

I need to enable aaa authorization, authorization means what a user can do and this is what I intend to configure:

cyrus(config)#aaa authorization exec default local

Now try login as username helpdesk:
Exec commands:
<1-99> Session number to resume
enable Turn on privileged commands
exit Exit from the EXEC
ping Send echo messages
show Show running system information

Great ^_^


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s