Badar,
Actually it is working perfectly. I copied and pasted your configuration
onto a router. The one thing that you should change is
"username ADMIN privilege 15 view root password CISCO"
R7#ssh -l OPERATOR 7.7.7.7
*Dec 3 14:49:56.579: %SYS-5-CONFIG_I: Configured from console by console
Password:
R7>show privilege
Currently in View Context with view 'HTTP'
R7>conf t
Enter configuration commands, one per line. End with CNTL/Z.
R7(config)>?
Configure commands:
do To run exec commands in config mode
exit Exit from configure mode
ip Global IP configuration subcommands
R7(config)>ip ?
Global IP configuration subcommands:
http HTTP server configuration
R7(config)>ip http ?
accounting Set http server accounting parameters
active-session-modules Set up active http server session modules
authentication Set http server authentication method
client Set http client parameters
help-path HTML help root URL
max-connections Set maximum number of concurrent http server connections
path Set base path for HTML
port Set http port
secure-active-session-modules Set up active http secure server session modules
secure-ciphersuite Set http secure server ciphersuite
secure-client-auth Set http secure server with client authentication
secure-port Set http secure server port number for listening
secure-server Enable HTTP secure server
secure-trustpoint Set http secure server certificate trustpoint
server Enable http server
session-module-list Set up a http(s) server session module list
timeout-policy Set http server time-out policy parameters
R7(config)>ip http
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
From: [email protected]
[mailto:[email protected]] On Behalf Of Kingsley
Charles
Sent: Thursday, December 03, 2009 7:53 AM
To: Badar Farooq
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Role Based CLI Issues
I think you need to configure "privilege level 15" under the vty line.
The privilege level that you associate with the username might be used for
backup, if the parser view is not configured for the user.
With regards
Kings
On Thu, Dec 3, 2009 at 4:39 PM, Badar Farooq <[email protected]> wrote:
Here is what I am trying to do.
I am creating two users, ADMIN and OPERATOR. ADMIN has all the rights, and for
OPERATOR I am restricting the access through role-based CLI using a view
HTTP.
I am using local authentication and authorization, placing both users at
privilege level 15 and placing OPERATOR in view HTTP.
When I log in using OPERATOR, instead of being placed at exec (priv 15) I
am placed at priv level 0. If I enable here, I am given level 15 unrestricted
access.
What am I doing wrong?
Here is the config:
aaa authentication login default none
aaa authentication login VTY local
aaa authorization exec VTY local
!
username ADMIN privilege 15 password 0 CISCO
username OPERATOR privilege 15 view HTTP password 0 CISCO
!
line vty 0 4
 password cisco
 authorization exec VTY
 login authentication VTY
 transport input ssh
!
parser view HTTP
 secret 5 $1$WpiY$Xj9az9zBmG5nWyN7sdUkK.
 commands configure include all ip http
 commands configure include ip
 commands exec include configure terminal
 commands exec include configure
!
And here is my issue:
Rack1R5#ssh -l OPERATOR 150.1.4.4
Password:
Rack1R4>
(Note here: I am not in priv level 15.)
If I enable here, I go out of the view and have all the access.
Shouldn't I be placed in exec mode but in a restricted view?
With the other user, I am directly placed in exec:
Rack1R5#ssh -l ADMIN 150.1.4.4
Password:
Rack1R4#
Any help will be appreciated.
Regards,
Badar Farooq
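An added audit script (my own, not part of this thread or of any Cisco tool) that reads the configuration Badar posted and reports the points discussed above: whether the vty line's exec authorization resolves to the local database (the condition under which `username ... view` is applied at login), which users hold privilege 15 with no view, and the weak settings present in that config (`login default none` and type-0 passwords). The sample config, including the view secret hash, is copied from the post.

```python
import re
# Constructed sample: the configuration quoted in the thread, as posted.
SAMPLE_CONFIG = """\
aaa authentication login default none
aaa authentication login VTY local
aaa authorization exec VTY local
username ADMIN privilege 15 password 0 CISCO
username OPERATOR privilege 15 view HTTP password 0 CISCO
line vty 0 4
 password cisco
 authorization exec VTY
 login authentication VTY
!
parser view HTTP
 secret 5 $1$WpiY$Xj9az9zBmG5nWyN7sdUkK.
 commands configure include all ip http
 commands exec include configure terminal
!
"""
USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))?(?: view (\S+))?")
VTY_AUTHZ_RE = re.compile(r"^line vty.*\n(?: .*\n)*? authorization exec (\S+)", re.M)

def parse_users(config):
    """Map each username to its privilege level (IOS default 1) and view, if any."""
    users = {}
    for m in filter(None, map(USER_RE.match, config.splitlines())):
        users[m.group(1)] = {"privilege": int(m.group(2) or 1), "view": m.group(3)}
    return users

def vty_exec_authz_list(config):
    """Return the exec-authorization list named under 'line vty', or None."""
    m = VTY_AUTHZ_RE.search(config)
    return m.group(1) if m else None

def audit(config):
    """Return findings: whether views can apply at login, and which settings are weak."""
    findings, lst = [], vty_exec_authz_list(config)
    # 'username ... view' only takes effect if vty exec authorization resolves to local.
    if not lst or not re.search(rf"^aaa authorization exec {lst} .*\blocal\b", config, re.M):
        findings.append("vty: no local exec authorization, so 'username ... view' never applies")
    for name, u in parse_users(config).items():
        if u["view"] and not re.search(rf"^parser view {u['view']}$", config, re.M):
            findings.append(f"{name}: assigned view {u['view']} is not defined")
        elif not u["view"] and u["privilege"] == 15:
            findings.append(f"{name}: privilege 15 with no view, unrestricted access")
    if re.search(r"^aaa authentication login default none$", config, re.M):
        findings.append("login default none: lines not bound to a named list require no login")
    for m in re.finditer(r"^username (\S+).* password 0 ", config, re.M):
        findings.append(f"{m.group(1)}: type-0 (cleartext) password")
    return findings
```

Run `audit(SAMPLE_CONFIG)` to see that the view assignment itself is sound for OPERATOR, which matches Tyson's result, while ADMIN and the two password settings are what the script flags.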
_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com <http://www.ipexpert.com/>