Apr 28, 2012
 

With this feature, a user (view) can be assigned a specific set of commands, so that it can configure only certain technologies. To configure role-based access for users we must consider the following.

  • The aaa new-model must be activated.
  • Only the root view can configure other views. The root view has all privileges, like a level 15 user.
  • The authentication method must not be none. This means an enable password must be configured.
  • Each view must have a password configured.

There are three kinds of views: the root view, the normal view and the super view.

root view: Only the root view can configure any other views.
normal view: A normal view is a user who has some commands assigned.
super view: A super view can include the commands of many views.

Scenario: R1 has 3 users who are normal views. The user ‘ip’ will be able to assign an interface IP address. The user ‘shut’ will be able to bring a link up or down. The user ‘show’ will be able to see configurations. The super view user ‘operator’ will be able to do all of these.
We must enable aaa new-model, and there must be a privilege 15 password configured.

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#aaa new-model
R1(config)#enable password cisco
R1(config)#end

Now we can create views which have the appropriate commands. To create any view we must first change to the root view.
R1#enable view root
Password:
R1#
*Mar 1 01:48:10.427: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#parser view show
R1(config-view)# secret cisco
R1(config-view)# commands exec include all show

We have now created a view called show, which can use all show commands.
R1(config-view)#parser view shut
R1(config-view)#secret cisco
R1(config-view)#commands exec include configure terminal
R1(config-view)#commands configure include interface FastEthernet0/0
R1(config-view)#commands interface include shutdown
R1(config-view)#commands interface include no

The user shut can bring interface f0/0 up and down.
R1(config-view)#parser view ip
R1(config-view)#secret cisco
R1(config-view)#commands exec include configure terminal
R1(config-view)#commands configure include interface FastEthernet0/0
R1(config-view)#commands interface include ip address
R1(config-view)#commands interface include no

Then we can create the super view operator and assign it the rights from all three views.
R1(config-view)#parser view operator superview
R1(config-view)#secret cisco
R1(config-view)#view show
R1(config-view)#view ip
R1(config-view)#view shut

The super view user has all the commands from every view of which it is a member. :)
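As an added example (not part of the original post, and not a Cisco tool), the script below audits a running-config fragment against the prerequisites listed at the top of this post and then resolves which commands a super view effectively grants through its member views. The config text is constructed here from the commands used in the post; the stored secret hash is a placeholder, and the command matching in allows() is an approximation of how IOS matches included commands, not the real parser.

```python
import re

# Constructed running-config fragment assembled from the commands in this post.
# On a real device `secret cisco` is stored hashed; the hash below is a placeholder.
SAMPLE_CONFIG = """\
aaa new-model
!
enable password cisco
!
parser view show
 secret 5 $1$PLACEHOLDER$hash
 commands exec include all show
!
parser view shut
 secret 5 $1$PLACEHOLDER$hash
 commands exec include configure terminal
 commands configure include interface FastEthernet0/0
 commands interface include shutdown
 commands interface include no
!
parser view ip
 secret 5 $1$PLACEHOLDER$hash
 commands exec include configure terminal
 commands configure include interface FastEthernet0/0
 commands interface include ip address
 commands interface include no
!
parser view operator superview
 secret 5 $1$PLACEHOLDER$hash
 view show
 view ip
 view shut
!
"""

VIEW_RE = re.compile(r"^parser view (\S+)( superview)?$")


def parse_views(config):
    """Parse `parser view` blocks into {name: {superview, secret, commands, members}}."""
    views, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        m = VIEW_RE.match(line)
        if m:
            current = m.group(1)
            views[current] = {"superview": bool(m.group(2)), "secret": False,
                              "commands": [], "members": []}
            continue
        if current is None or not line.startswith(" "):
            current = None  # an unindented line means we are back at global config level
            continue
        body = line.strip()
        parts = body.split(" ", 3)
        if body.startswith("secret "):
            views[current]["secret"] = True
        elif parts[0] == "commands" and len(parts) == 4:
            views[current]["commands"].append(tuple(parts[1:]))  # (mode, action, command)
        elif parts[0] == "view" and len(parts) >= 2:
            views[current]["members"].append(parts[1])  # superview membership
    return views


def audit(config):
    """Check the prerequisites from the post; returns a list of problems (empty means OK)."""
    views = parse_views(config)
    top = [l.strip() for l in config.splitlines() if l and not l.startswith(" ")]
    problems = []
    if "aaa new-model" not in top:
        problems.append("aaa new-model is not configured")
    if not any(l.startswith(("enable secret", "enable password")) for l in top):
        problems.append("no enable secret/password, so 'enable view' cannot authenticate")
    for name, v in views.items():
        if not v["secret"]:
            problems.append(f"view {name} has no secret")
        for member in v["members"]:
            if member not in views:
                problems.append(f"superview {name} references undefined view {member}")
    return problems


def effective_commands(views, name, _seen=None):
    """Commands a view grants directly plus those inherited through superview membership."""
    _seen = set() if _seen is None else _seen
    if name in _seen or name not in views:  # guard against loops and unknown views
        return set()
    _seen.add(name)
    granted = set(views[name]["commands"])
    for member in views[name]["members"]:
        granted |= effective_commands(views, member, _seen)
    return granted


def allows(views, name, mode, command):
    """Approximation (assumption): an included command matches itself plus trailing
    arguments; 'all X' is the IOS wildcard covering every command starting with X."""
    for m, action, cmd in effective_commands(views, name):
        if m != mode or action != "include":
            continue
        prefix = cmd[4:] if cmd.startswith("all ") else cmd
        if command == prefix or command.startswith(prefix + " "):
            return True
    return False


if __name__ == "__main__":
    views = parse_views(SAMPLE_CONFIG)
    print("problems:", audit(SAMPLE_CONFIG) or "none")
    for who, mode, cmd in [("operator", "interface", "shutdown"),
                           ("shut", "interface", "ip address 10.0.0.1 255.255.255.0"),
                           ("show", "exec", "show running-config")]:
        verdict = "allowed" if allows(views, who, mode, cmd) else "denied"
        print(f"{who}: {mode} '{cmd}' -> {verdict}")
```

Run it against a `show running-config` capture to get a quick list of views missing a secret or referencing a view that was never created, which is the usual reason `enable view` fails or a super view grants less than expected.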

R1#enable view operator
Password: 

R1#
*Mar  1 02:58:06.323: %PARSER-6-VIEW_SWITCH: successfully set to view 'operator'.
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int f0/0
R1(config-if)#?
Interface configuration commands:
  channel-group      Add this interface to an Etherchannel group
  custom-queue-list  Assign a custom queue list to an interface
  delay              Specify interface throughput delay
  exit               Exit from interface configuration mode
  ip                 Interface Internet Protocol config commands
  load-interval      Specify interval for load calculation for an interface
  locaddr-priority   Assign a priority group
  no                 Negate a command or set its defaults
  priority-group     Assign a priority group to an interface
  sap-priority       Assign a priority group
  shutdown           Shutdown the selected interface

R1(config-if)#