Well... Without authorizing exec on VTY I won't be able to trigger the view
(configured in the username command) unless I use enable view HTTP. And before
that OPERATOR will have full access, which would defeat the purpose of the config
altogether, as the restricted user will choose whether to have full access or
stay restricted :)
And you cannot disable AAA because Role-Based CLI needs AAA.

On Thu, Dec 3, 2009 at 4:45 PM, Kingsley Charles <[email protected]> wrote:

> OK, let's try this.
>
> Just remove the "aaa authorization exec VTY local" and then try.
>
> If you still face the issue, please try the following which I have been
> doing....
>
> Remove aaa - no aaa new-model
>
> Under vty, add "login local"
> Now try...
> On Thu, Dec 3, 2009 at 7:12 PM, Badar Farooq <[email protected]> wrote:
>
>> Did that, the same result.
>>
>> Rack1R5#telnet 150.1.4.4
>> Trying 150.1.4.4 ... Open
>>
>> User Access Verification
>>
>> Username: OPERATOR
>> Password:
>>
>> Rack1R4>
>>
>> The debug is stranger:
>>
>> Mar  5 16:53:46.883: AAA/AUTHEN/LOGIN (0000000F): Pick method list 'VTY'
>> Mar  5 16:53:53.498: AAA/AUTHOR (0xF): Pick method list 'VTY'
>> Mar  5 16:53:53.502: AAA/AUTHOR/EXEC(0000000F): processing AV cmd=
>> Mar  5 16:53:53.502: AAA/AUTHOR/EXEC(0000000F): processing AV priv-lvl=15
>> Mar  5 16:53:53.502: AAA/AUTHOR/EXEC(0000000F): processing AV cli-view-name=HTTP
>> Mar  5 16:53:53.506: AAA/AUTHOR/EXEC(0000000F): Authorization successful
>>
>> Clearly I am getting authorized at level 15. Still not getting the prompt.
>>
>> On Thu, Dec 3, 2009 at 4:37 PM, Kingsley Charles <[email protected]> wrote:
>>
>>>
>>> Oops, sorry I overlooked that.
>>>
>>> I have also been configuring CLI views for some time but have not come
>>> across this issue. Your configuration seems to be correct.
>>>
>>> Can you try with telnet? Just add transport ssh telnet and let's see what
>>> is happening.
>>>
>>> SSH may require some crypto functionality but yours only permits conf
>>> ter and ip http:
>>>
>>> commands configure include all ip http
>>>  commands configure include ip
>>>  commands exec include configure terminal
>>>  commands exec include configure
>>>
>>> Just a guess.
>>>
>>> With regards
>>> Kings
>>> On Thu, Dec 3, 2009 at 6:53 PM, Badar Farooq <[email protected]> wrote:
>>>
>>>> Kingsley, I am using the username in the SSH command.
>>>>
>>>>
>>>> ssh  -l OPERATOR 150.1.4.4
>>>>
>>>>
>>>> On Thu, Dec 3, 2009 at 4:15 PM, Kingsley Charles <[email protected]> wrote:
>>>>
>>>>> Hey, why are you just prompted for the password? You should be prompted for
>>>>> both username and password.
>>>>>
>>>>> Try removing the password cmd under the line vty 0 4.
>>>>>
>>>>> With regards
>>>>> Kings
>>>>>
>>>>> On Thu, Dec 3, 2009 at 6:26 PM, Badar Farooq <[email protected]> wrote:
>>>>>
>>>>>> Well... I am using AAA for authorization of VTY so it shouldn't matter,
>>>>>> but I tried this:
>>>>>>
>>>>>> Rack1R4(config)#line vty 0 181
>>>>>> Rack1R4(config-line)#privilege level 15
>>>>>> Rack1R4(config-line)#end
>>>>>>
>>>>>> Rack1R4#
>>>>>> Mar  5 17:15:02.422: %SYS-5-CONFIG_I: Configured from console by
>>>>>> console
>>>>>> Rack1R4#
>>>>>> GV-Rack4>5
>>>>>> [Resuming connection 5 to r5 ... ]
>>>>>>
>>>>>> [Connection to 150.1.4.4 closed by foreign host]
>>>>>> Rack1R5#
>>>>>> Rack1R5#
>>>>>>
>>>>>> Rack1R5#ssh  -l OPERATOR 150.1.4.4
>>>>>>
>>>>>> Password:
>>>>>>
>>>>>> Rack1R4>
>>>>>>
>>>>>>
>>>>>> Still the same prompt.
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> On Thu, Dec 3, 2009 at 3:52 PM, Kingsley Charles <[email protected]> wrote:
>>>>>>
>>>>>>> I think you need to configure "privilege level 15" under the vty
>>>>>>> line.
>>>>>>>
>>>>>>> The privilege level that you associate with the username might be
>>>>>>> used for backup, if the parser view is not configured for the user.
>>>>>>>
>>>>>>> With regards
>>>>>>> Kings
>>>>>>>
>>>>>>> On Thu, Dec 3, 2009 at 4:39 PM, Badar Farooq <[email protected]> wrote:
>>>>>>>
>>>>>>>> Here is what I am trying to do.
>>>>>>>> I am creating two users, ADMIN and OPERATOR. ADMIN has all the rights,
>>>>>>>> and for OPERATOR I am restricting the access through Role-Based CLI
>>>>>>>> using a view HTTP.
>>>>>>>> I am using local authentication and authorization, placing both
>>>>>>>> users at privilege level 15 and placing OPERATOR in view HTTP.
>>>>>>>> When I log in using OPERATOR, instead of being placed at exec
>>>>>>>> (priv 15) I am placed at priv level 0. If I enable here, I am given
>>>>>>>> level 15 unrestricted access.
>>>>>>>>
>>>>>>>> What am I doing wrong?
>>>>>>>> Here is the config:
>>>>>>>>
>>>>>>>> aaa authentication login default none
>>>>>>>> aaa authentication login VTY local
>>>>>>>> aaa authorization exec VTY local
>>>>>>>> !
>>>>>>>> username ADMIN privilege 15 password 0 CISCO
>>>>>>>> username OPERATOR privilege 15 view HTTP password 0 CISCO
>>>>>>>> !
>>>>>>>> line vty 0 4
>>>>>>>>  password cisco
>>>>>>>>  authorization exec VTY
>>>>>>>>  login authentication VTY
>>>>>>>>  transport input ssh
>>>>>>>> !
>>>>>>>> parser view HTTP
>>>>>>>>  secret 5 $1$WpiY$Xj9az9zBmG5nWyN7sdUkK.
>>>>>>>>  commands configure include all ip http
>>>>>>>>  commands configure include ip
>>>>>>>>  commands exec include configure terminal
>>>>>>>>  commands exec include configure
>>>>>>>> !
>>>>>>>>
>>>>>>>>
>>>>>>>> And here is my issue:
>>>>>>>>
>>>>>>>> Rack1R5#ssh -l OPERATOR 150.1.4.4
>>>>>>>>
>>>>>>>> Password:
>>>>>>>>
>>>>>>>> Rack1R4>
>>>>>>>>
>>>>>>>> (Note here.... I am not in priv level 15.)
>>>>>>>>
>>>>>>>> If I enable here I go out of the view and have all the access.
>>>>>>>>
>>>>>>>> Shouldn't I be placed in exec mode but in the restricted view?
>>>>>>>>
>>>>>>>> With the other user, I am directly placed in exec:
>>>>>>>> Rack1R5#ssh -l ADMIN 150.1.4.4
>>>>>>>>
>>>>>>>> Password:
>>>>>>>>
>>>>>>>> Rack1R4#
>>>>>>>>
>>>>>>>> Any help will be appreciated.
>>>>>>>>
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> Badar Farooq
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> For more information regarding industry leading CCIE Lab training,
>>>>>>>> please visit www.ipexpert.com
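As an added example (not part of this thread, and not Cisco's own tooling), a small Python audit of an IOS running-config for the conditions the thread turns on: a username bound to a view needs aaa new-model, the parser view must exist, and the vty lines must apply an exec authorization list, otherwise the view and privilege attached to the username are never applied at login. It also flags the 'aaa authentication login default none' and line password entries from the posted config. The sample config is constructed from the thread's fragment with aaa new-model added.

```python
import re

# Constructed sample: the thread's config fragment plus the 'aaa new-model' line that views need.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default none
aaa authorization exec VTY local
username ADMIN privilege 15 password 0 CISCO
username OPERATOR privilege 15 view HTTP password 0 CISCO
line vty 0 4
 password cisco
 authorization exec VTY
parser view HTTP
 commands exec include configure terminal
"""

def parse_blocks(config):
    """Group IOS config into (header, children): indented lines belong to the header above."""
    blocks = []
    for raw in config.splitlines():
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        elif raw.strip() and not raw.startswith("!"):
            blocks.append((raw.strip(), []))
    return blocks

def audit_views(config):
    """Return findings that stop a username's view/privilege from being applied at login."""
    blocks = parse_blocks(config)
    tops = [h for h, _ in blocks]
    findings = []
    views = {h.split()[2] for h in tops if h.startswith("parser view ")}
    exec_lists = {h.split()[3] for h in tops if h.startswith("aaa authorization exec ")}
    view_users = dict(re.findall(r"^username (\S+) .*\bview (\S+)", "\n".join(tops), re.M))
    if view_users and "aaa new-model" not in tops:
        findings.append("aaa new-model missing: Role-Based CLI views need AAA")
    for user, view in view_users.items():
        if view not in views:
            findings.append(f"user {user} bound to undefined view {view}")
    if "aaa authentication login default none" in tops:
        findings.append("default login list is 'none': lines without 'login authentication' get no auth")
    for head, kids in blocks:
        if not head.startswith("line vty"):
            continue
        lists = [k.split()[2] for k in kids if k.startswith("authorization exec ")]
        if not lists:
            findings.append(f"{head}: no 'authorization exec', username view/privilege never applied")
        findings += [f"{head}: exec list {name} undefined" for name in lists if name not in exec_lists]
        if any(k.startswith("password") for k in kids) and "aaa new-model" in tops:
            findings.append(f"{head}: line password unused under aaa new-model (stale secret)")
    return findings
```

Run against the posted config the audit reports only the two hygiene findings; dropping the vty 'authorization exec VTY' (as was suggested in the thread) makes it report that the username's view is never applied.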