Role Based CLI

I am trying to associate a user with a view, but it doesn't work when the user logs on to the router. The user has full privileges for all other commands!!

I only want the user to be able to run debug and undebug... Any ideas?

aaa new-model
!
username temp password cisco
username temp view TEMPUSER
!
parser view TEMPUSER
 secret CISCO
 commands exec include show running-config
 commands exec include all debug
 commands exec include all undebug
!
line vty 0 4
 login local

Francisco

Comments

  • I actually implemented this in production for a small business client a couple of months back and it worked perfectly fine for me, though I didn't integrate it with an AAA server as they didn't have money to spend on that. ;)

    Take a look at my config and step-by-step instructions and see if they work for you.

    http://deepakarora1984.blogspot.com/2010/05/limited-cli-access-role-based-cli.html

    HTH...

    Deepak Arora

    http://www.deepakarora1984.blogspot.com

  • Hi Francisco,

    I did a short test and I think your configuration is only missing the AAA authorization configuration (aaa authorization exec default local). I would also suggest enabling AAA authorization debugging to see whether the role was assigned correctly.

    # debug aaa authorization
    *Mar 1 00:20:40.779: AAA/BIND(0000000A): Bind i/f
    *Mar 1 00:20:44.631: AAA/AUTHOR (0xA): Pick method list 'default'
    *Mar 1 00:20:44.631: AAA/AUTHOR/EXEC(0000000A): processing AV cmd=
    *Mar 1 00:20:44.631: AAA/AUTHOR/EXEC(0000000A): processing AV priv-lvl=1
    *Mar 1 00:20:44.631: AAA/AUTHOR/EXEC(0000000A): processing AV cli-view-name=TEMPUSER
    *Mar 1 00:20:44.631: AAA/AUTHOR/EXEC(0000000A): Authorization successful

    My test configuration:

    enable secret cisco123
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authorization exec default local
    !
    username admin privilege 15 secret cisco123
    username temp view TEMPUSER secret cisco123
    !
    parser view TEMPUSER
    secret CISCO
    commands exec include all undebug
    commands exec include show running-config
    commands exec include show
    commands exec include all debug
    !


    Best regards,

    Jochen
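The reply above pins the problem on a missing `aaa authorization exec` method list: without it the `cli-view-name` attribute seen in the debug output is never applied at login, so a user who is mapped to a view simply lands in their normal privilege level with every command it allows. The script below is an added example, not code from the original thread or from Cisco; it is a small offline lint that reads an IOS configuration as text and flags the role-based CLI prerequisites this thread turns on (aaa new-model, an exec authorization method list, every `parser view` carrying a `secret` and at least one `commands` line, and every `username ... view` pointing at a view that is actually defined). The two configurations embedded inline are constructed from the poster's original and the reply's working test config, re-typed with the IOS one-space indentation for sub-commands; the function names are this example's own. It checks the text only and does not replace the `debug aaa authorization` check on the router itself.

```python
"""Lint an IOS configuration for the prerequisites of role-based CLI views.

Added example for this thread (not Cisco code). The configurations below are
constructed inline: the poster's original and the working one from the reply.
"""
import re
from typing import Dict, List

# Constructed sample: the original configuration from the question, with
# "parser view" spelled out and IOS-style indentation of sub-commands.
ORIGINAL_CONFIG = """\
aaa new-model
username temp password cisco
username temp view TEMPUSER
parser view TEMPUSER
 secret CISCO
 commands exec include show running-config
 commands exec include all debug
 commands exec include all undebug
line vty 0 4
 login local
"""

# Constructed sample: the working test configuration from the reply.
FIXED_CONFIG = """\
enable secret cisco123
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username admin privilege 15 secret cisco123
username temp view TEMPUSER secret cisco123
parser view TEMPUSER
 secret CISCO
 commands exec include all undebug
 commands exec include show running-config
 commands exec include show
 commands exec include all debug
line vty 0 4
 login local
"""


def parse_views(config: str) -> Dict[str, Dict[str, object]]:
    """Return {view_name: {"secret": bool, "commands": [...]}} for every parser view.

    Indentation is not relied on: forum pastes usually lose it, so a "secret"
    or "commands" line is attributed to the most recent "parser view" and any
    other non-comment line ends that view's block.
    """
    views: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None          # "!" separates config sections in IOS
            continue
        m = re.match(r"^parser view (\S+)", line)
        if m:
            current = m.group(1)
            views[current] = {"secret": False, "commands": []}
            continue
        if current and line.startswith("secret "):
            views[current]["secret"] = True
        elif current and line.startswith("commands "):
            views[current]["commands"].append(line)
        else:
            current = None          # any other global command closes the view
    return views


def parse_user_views(config: str) -> Dict[str, str]:
    """Return {username: view_name} for every 'username ... view ...' line."""
    users: Dict[str, str] = {}
    for raw in config.splitlines():
        m = re.match(r"^username (\S+)\s+.*?\bview (\S+)", raw.strip())
        if m:
            users[m.group(1)] = m.group(2)
    return users


def check_rbac_cli(config: str) -> List[str]:
    """Return a list of findings; an empty list means the view setup is complete."""
    findings: List[str] = []
    text = "\n".join(l.strip() for l in config.splitlines())
    views = parse_views(config)
    users = parse_user_views(config)
    if not re.search(r"^aaa new-model$", text, re.M):
        findings.append("aaa new-model is missing: parser views are never evaluated")
    # This is the gap from the thread: the view is bound by exec authorization.
    if not re.search(r"^aaa authorization exec \S+\s+\S+", text, re.M):
        findings.append("no 'aaa authorization exec' method list: the cli-view-name "
                        "attribute is never applied at login, so the user keeps "
                        "the full command set of their privilege level")
    for name, view in views.items():
        if not view["secret"]:
            findings.append(f"parser view {name} has no secret")
        if not view["commands"]:
            findings.append(f"parser view {name} grants no commands")
    for user, view in users.items():
        if view not in views:
            findings.append(f"username {user} references undefined view {view}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {check_rbac_cli(cfg) or ['no findings']}")
```

Run it as-is and the original configuration produces exactly one finding, the missing exec authorization list, while the reply's configuration produces none; point it at a saved `show running-config` to check a real box before testing the view from a vty session.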
