Parser Views - Role-Based Access Control (RBAC)

Cisco IOS CLI Parser Views provide much more granular access control than Privilege Levels. Network administrators can use them to implement Role-Based CLI Access (also called RBAC, Role-Based Access Control). By implementing RBAC with Parser Views, administrators can limit which commands a user can see or run on Cisco routers and switches.

Network administrators can create CLI Parser Views and add the role-based commands to each view. A CLI Parser View can be tied to a user, and when the user logs in with this view, he gets only the commands configured for his view.

The following are the prerequisites for creating Parser Views:

• Device IOS must support Parser views.

• Enable secret password must be configured on the device.

• AAA must be enabled on the router using the Cisco IOS "aaa new-model" command.

Step 01 - Enable AAA globally on the Cisco router/switch using "aaa new-model" and configure the password for privileged EXEC mode from Global Configuration Mode.

OmniSecuR1#configure terminal
OmniSecuR1(config)#aaa new-model
OmniSecuR1(config)#enable secret OmniSecu123
OmniSecuR1(config)#aaa authentication login default local
OmniSecuR1(config)#aaa authorization exec default local
OmniSecuR1(config)#exit
OmniSecuR1#

Step 02 - After enabling AAA and configuring the Privilege Level 15 password, you must move to Root View by using the IOS CLI command "enable view" before you can configure other Parser Views. Root View is a CLI Parser View that has all access privileges, similar to Privilege Level 15, and is used to create or modify other views. You have to provide the enable secret password (configured in the step above) to move to Root View.

User Access Verification

Username: admin

OmniSecuR1>enable view

OmniSecuR1#configure terminal
OmniSecuR1(config)#parser view OmniSecuPV
OmniSecuR1(config-view)#secret PassOmniSecuPV
OmniSecuR1(config-view)#commands exec include configure terminal
OmniSecuR1(config-view)#commands exec include ping
OmniSecuR1(config-view)#commands exec include traceroute
OmniSecuR1(config-view)#commands exec include exit
OmniSecuR1(config-view)#commands configure include interface gigabitethernet 0/0
OmniSecuR1(config-view)#commands configure include exit
OmniSecuR1(config-view)#commands interface include ip address
OmniSecuR1(config-view)#commands interface include ipv6 address
OmniSecuR1(config-view)#commands interface include no ip address
OmniSecuR1(config-view)#commands interface include no ipv6 address
OmniSecuR1(config-view)#commands interface include shutdown
OmniSecuR1(config-view)#commands interface include no shutdown
OmniSecuR1(config-view)#commands interface include exit

Step 03 - After creating the Parser View, we can attach it to a user so that when the user logs in, he can see only the configured Cisco IOS CLI commands.

OmniSecuR1(config)#username jajish privilege 15 view OmniSecuPV secret OmniSecuPass

Step 04 - Telnet to the router "OmniSecuR1" and log in as user "jajish". Run "show parser view" to see which Parser View is current. You can see that, by default, the Parser View we created is in effect.

[Figure: Show Parser View]
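A check that can be run against a saved configuration after Step 04, added here as an example and not part of the original tutorial: it confirms the AAA and enable secret lines from Step 01 are present, that every parser view has a secret, and that every "username ... view" line points at a view that is actually defined. The function names and the sample configuration are constructed for illustration, and the input is assumed to be running-config-style text.

```python
import re
# Constructed sample in running-config form, based on Steps 01-03 above.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authorization exec default local
enable secret OmniSecu123
username jajish privilege 15 view OmniSecuPV secret OmniSecuPass
parser view OmniSecuPV
 secret PassOmniSecuPV
 commands exec include configure terminal
 commands interface include shutdown
"""

def parse_views(config):
    """Return {view_name: {"secret": bool, "commands": [(mode, command), ...]}}."""
    views, current = {}, None
    for line in config.splitlines():
        m = re.match(r"parser view (\S+)", line)
        if m:
            current = views.setdefault(m.group(1), {"secret": False, "commands": []})
        elif current is not None and line.startswith(" "):
            body = line.strip()
            if body.startswith("secret "):
                current["secret"] = True
            cm = re.match(r"commands (\S+) include (.+)", body)
            if cm:
                current["commands"].append((cm.group(1), cm.group(2)))
        else:
            current = None  # an unindented line ends the view sub-mode
    return views

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]
    # Lines the tutorial configures in Step 01 before any view is created.
    for prefix in ("aaa new-model", "enable secret ", "aaa authorization exec "):
        if not any(l.startswith(prefix) for l in lines):
            findings.append(f"missing: {prefix.strip()}")
    views = parse_views(config)
    findings += [f"view {n} has no secret" for n, v in views.items() if not v["secret"]]
    for l in lines:
        m = re.match(r"username (\S+) .*\bview (\S+)", l)
        if m and m.group(2) not in views:
            findings.append(f"user {m.group(1)} references undefined view {m.group(2)}")
    return findings
```

The per-view command list returned by parse_views() can also be reviewed by hand to confirm that a role exposes only the commands intended for it.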


