With this feature, a user (view) can be allowed to execute only certain commands, for example to configure one particular technology. To configure role-based access for users we must consider the following.
- The aaa new-model must be activated.
- Only the root view can configure other views. The root view has all the privileges of a privilege level 15 user.
- The authentication method must not be none. This means an enable password must be configured.
- Each view must have a password configured.
There are three kinds of views: the root view, the normal view and the super view.
root view: Only the root view can configure any other views.
normal view: A normal view is a user who has a set of commands assigned.
super view: A super view combines the commands of several normal views.
Scenario: R1 has 3 users who are normal views. The user 'ip' will be able to assign an interface IP address. The user 'shut' will be able to bring a link up or down. The user 'show' will be able to see configurations. Then the super view user 'operator' will be able to do all of these.
We must enable aaa new-model and there must be a privilege 15 (enable) password configured.
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#aaa new-model
R1(config)#enable password cisco
R1(config)#end
Now we can create views with the appropriate commands. To create any view we must first switch to the root view.
R1#enable view root
Password:
R1#
*Mar 1 01:48:10.427: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#parser view show
R1(config-view)# secret cisco
R1(config-view)# commands exec include all show
Now we have created a view called show, which can use all show commands.
R1(config-view)#parser view shut
R1(config-view)#secret cisco
R1(config-view)#commands exec include configure terminal
R1(config-view)#commands configure include interface FastEthernet0/0
R1(config-view)#commands interface include shutdown
R1(config-view)#commands interface include no
The user shut can bring interface f0/0 up and down.
R1(config-view)#parser view ip
R1(config-view)#secret cisco
R1(config-view)#commands exec include configure terminal
R1(config-view)#commands configure include interface FastEthernet0/0
R1(config-view)#commands interface include ip address
R1(config-view)#commands interface include no
Then we can create the super view user operator and assign it the rights from all three views.
R1(config-view)#parser view operator superview
R1(config-view)#secret cisco
R1(config-view)#view show
R1(config-view)#view ip
R1(config-view)#view shut
The super view user has all the commands from every view that has been added to it.
R1#enable view ip_shut
Password:
R1#
*Mar 1 02:58:06.323: %PARSER-6-VIEW_SWITCH: successfully set to view 'operator'.
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int f0/0
R1(config-if)#?
Interface configuration commands:
  channel-group      Add this interface to an Etherchannel group
  custom-queue-list  Assign a custom queue list to an interface
  delay              Specify interface throughput delay
  exit               Exit from interface configuration mode
  ip                 Interface Internet Protocol config commands
  load-interval      Specify interval for load calculation for an interface
  locaddr-priority   Assign a priority group
  no                 Negate a command or set its defaults
  priority-group     Assign a priority group to an interface
  sap-priority       Assign a priority group
  shutdown           Shutdown the selected interface
R1(config-if)#
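As an added example (not from the original page and not a Cisco tool), the following script parses the parser view section of a saved running-config and audits it against the preconditions listed at the top (aaa new-model, an enable password, a secret on every view) and against the super view rule above, resolving which commands a super view actually inherits. The sample configuration embedded in it is constructed for the example: the ip view deliberately lacks a secret and the operator super view references a shut view that was never defined, so both mistakes show up as findings.

```python
import re
# Constructed running-config excerpt (not from the page); secret hashes are placeholders.
SAMPLE_CONFIG = """\
aaa new-model
enable secret 5 $1$PLACEHOLDER
parser view show
 secret 5 $1$PLACEHOLDER
 commands exec include all show
!
parser view ip
 commands exec include configure terminal
 commands interface include ip address
!
parser view operator superview
 secret 5 $1$PLACEHOLDER
 view show
 view ip
 view shut
"""

def parse_views(config):  # view name -> {superview, secret, commands, views}
    views, cur = {}, None
    for line in config.splitlines():
        m = re.match(r"^parser view (\S+)( superview)?$", line)
        if m:  # 'parser view NAME [superview]' opens a view block
            cur = views[m[1]] = {"superview": bool(m[2]), "secret": False, "commands": [], "views": []}
        elif cur is not None and line.startswith(" "):  # indented lines belong to the open block
            key, _, rest = line.strip().partition(" ")
            if key == "secret":
                cur["secret"] = True
            elif key == "commands":  # e.g. 'commands interface include ip address'
                cur["commands"].append(rest)
            elif key == "view":  # member of a superview
                cur["views"].append(rest)
        else:  # '!' or any other top-level line closes the block
            cur = None
    return views

def effective_commands(views, name):  # a superview inherits every defined member's commands
    members = [m for m in views[name]["views"] if m in views] if views[name]["superview"] else [name]
    return {c for m in members for c in views[m]["commands"]}

def audit(config):  # findings against the preconditions listed in the text
    lines, views = config.splitlines(), parse_views(config)
    out = [] if "aaa new-model" in lines else ["aaa new-model is not enabled"]
    if not any(l.startswith(("enable secret", "enable password")) for l in lines):
        out.append("no enable secret/password configured for privilege 15")
    out += [f"view '{n}' has no secret" for n, v in views.items() if not v["secret"]]
    out += [f"superview '{n}' references undefined view '{m}'"
            for n, v in views.items() for m in v["views"] if m not in views]
    return out
```

Run it against the output of show running-config taken from the root view; an empty list from audit() means the preconditions hold and every super view member exists.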