Benefits of Using CLI Views
Views: Detailed Access Control
Although users can control CLI access via both privilege levels and enable mode passwords, these functions do not provide network administrators with the necessary level of detail needed when working with Cisco IOS routers and switches. CLI views provide a more detailed access control capability for network administrators, thereby, improving the overall security and accountability of Cisco IOS software.
As of Cisco IOS Release 12.3(11)T, network administrators can also specify an interface or a group of interfaces to a view; thereby, allowing access on the basis of specified interfaces.
Root View
When a system is in "root view," it has all of the access privileges as a user who has level 15 privileges. If the administrator wishes to configure any view to the system (such as a CLI view, a superview, or a lawful intercept view), the system must be in root view.
The difference between a user who has level 15 privileges and a root view user is that a root view user can configure a new view and add or remove commands from the view. Also, when you are in a CLI view, you have access only to the commands that have been added to that view by the root view user.
View Authentication via a New AAA Attribute
View authentication is performed by an external authentication, authorization, and accounting (AAA) server via the new attribute "cli-view-name."
AAA authentication associates only one view name to a particular user; that is, only one view name can be configured for a user in an authentication server.
How to Use Role-Based CLI Access
Configuring a CLI View
Use this task to create a CLI view and add commands or interfaces to the view, as appropriate.
Prerequisites
Before you create a view, you must perform the following tasks:
•
Enable AAA via the aaa new-model command.
•Ensure that your system is in root view—not privilege level 15.
SUMMARY STEPS
1. enable view
2. configure terminal
3. parser view view-name
4. secret 5 encrypted-password
5. commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]
6. exit
7. exit
8. enable [privilege-level] [view view-name]
9. show parser view [all]
Reference:
http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_role_base_cli.html
發表文章
沒有留言:
張貼留言