I think, logically, a CLI view can be configured with login local without aaa new-model.
Can you please confirm? I just want to see if my understanding is wrong.

With regards
Kings

On Thu, Dec 3, 2009 at 7:22 PM, Badar Farooq <[email protected]> wrote:

> Well... Without authorizing exec on VTY I won't be able to trigger the view
> (configured in the username command) unless I use enable view HTTP. And before
> that OPERATOR will have full access, which would defeat the purpose of the config
> altogether, as the restricted user will choose whether to have full access or
> stay restricted :)
> And you cannot disable AAA because Role-Based CLI needs AAA.
>
> On Thu, Dec 3, 2009 at 4:45 PM, Kingsley Charles <[email protected]> wrote:
>
>> OK, let's try this:
>>
>> just remove the "aaa authorization exec VTY local" and then try.
>>
>> If you still face the issue, please try the following, which I have been
>> doing....
>>
>> Remove aaa - no aaa new-model
>>
>> Under vty, add "login local"
>> Now try...
>>
>> On Thu, Dec 3, 2009 at 7:12 PM, Badar Farooq <[email protected]> wrote:
>>
>>> Did that,
>>> the same result.
>>>
>>> Rack1R5#telnet 150.1.4.4
>>> Trying 150.1.4.4 ... Open
>>>
>>> User Access Verification
>>>
>>> Username: OPERATOR
>>> Password:
>>>
>>> Rack1R4>
>>>
>>> The debug is stranger:
>>>
>>> Mar 5 16:53:46.883: AAA/AUTHEN/LOGIN (0000000F): Pick method list 'VTY'
>>> Mar 5 16:53:53.498: AAA/AUTHOR (0xF): Pick method list 'VTY'
>>> Mar 5 16:53:53.502: AAA/AUTHOR/EXEC(0000000F): processing AV cmd=
>>> Mar 5 16:53:53.502: AAA/AUTHOR/EXEC(0000000F): processing AV priv-lvl=15
>>> Mar 5 16:53:53.502: AAA/AUTHOR/EXEC(0000000F): processing AV cli-view-name=HTTP
>>> Mar 5 16:53:53.506: AAA/AUTHOR/EXEC(0000000F): Authorization successful
>>>
>>> Clearly I am getting authorized at level 15. Still not getting the
>>> prompt.
>>>
>>> On Thu, Dec 3, 2009 at 4:37 PM, Kingsley Charles <[email protected]> wrote:
>>>
>>>> Oops, sorry I overlooked that.
>>>>
>>>> I have also been configuring CLI views for some time but have not come
>>>> across this issue. Your configuration seems to be correct.
>>>>
>>>> Can you try with telnet? Just add "transport ssh telnet" and let's
>>>> see what is happening.
>>>>
>>>> ssh may require some crypto functionality, but yours only permits
>>>> conf ter and ip http:
>>>>
>>>> commands configure include all ip http
>>>> commands configure include ip
>>>> commands exec include configure terminal
>>>> commands exec include configure
>>>>
>>>> Just a guess.
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> On Thu, Dec 3, 2009 at 6:53 PM, Badar Farooq <[email protected]> wrote:
>>>>
>>>>> Kingsley, I am using the username in the SSH command.
>>>>>
>>>>> ssh -l OPERATOR 150.1.4.4
>>>>>
>>>>> On Thu, Dec 3, 2009 at 4:15 PM, Kingsley Charles <[email protected]> wrote:
>>>>>
>>>>>> Hey, why are you just prompted for a password? You should be prompted for
>>>>>> both username and password.
>>>>>>
>>>>>> Try removing the password cmd under the line vty 0 4.
>>>>>>
>>>>>> With regards
>>>>>> Kings
>>>>>>
>>>>>> On Thu, Dec 3, 2009 at 6:26 PM, Badar Farooq <[email protected]> wrote:
>>>>>>
>>>>>>> Well... I am using AAA for authorization of VTY, so it shouldn't
>>>>>>> matter.
>>>>>>> But I tried this:
>>>>>>>
>>>>>>> Rack1R4(config)#line vty 0 181
>>>>>>> Rack1R4(config-line)#privilege level 15
>>>>>>> Rack1R4(config-line)#end
>>>>>>>
>>>>>>> Rack1R4#
>>>>>>> Mar 5 17:15:02.422: %SYS-5-CONFIG_I: Configured from console by console
>>>>>>> Rack1R4#
>>>>>>> GV-Rack4>5
>>>>>>> [Resuming connection 5 to r5 ... ]
>>>>>>>
>>>>>>> [Connection to 150.1.4.4 closed by foreign host]
>>>>>>> Rack1R5#
>>>>>>> Rack1R5#
>>>>>>>
>>>>>>> Rack1R5#ssh -l OPERATOR 150.1.4.4
>>>>>>>
>>>>>>> Password:
>>>>>>>
>>>>>>> Rack1R4>
>>>>>>>
>>>>>>> Still the same prompt.
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>> On Thu, Dec 3, 2009 at 3:52 PM, Kingsley Charles <[email protected]> wrote:
>>>>>>>
>>>>>>>> I think you need to configure "privilege level 15" under the vty
>>>>>>>> line.
>>>>>>>>
>>>>>>>> The privilege level that you associate with the username might be
>>>>>>>> used as a backup, if the parser view is not configured for the user.
>>>>>>>>
>>>>>>>> With regards
>>>>>>>> Kings
>>>>>>>>
>>>>>>>> On Thu, Dec 3, 2009 at 4:39 PM, Badar Farooq <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Here is what I am trying to do.
>>>>>>>>> I am creating two users, ADMIN and OPERATOR. ADMIN has all the
>>>>>>>>> rights, and for OPERATOR I am restricting the access through role-based CLI
>>>>>>>>> using a view HTTP.
>>>>>>>>> I am using local authentication and authorization, placing both
>>>>>>>>> users at privilege level 15 and placing OPERATOR in view HTTP.
>>>>>>>>> When I log in using OPERATOR, instead of being placed at exec
>>>>>>>>> (priv 15) I am placed at priv level 0. If I enable here, I am given
>>>>>>>>> level 15 unrestricted access.
>>>>>>>>>
>>>>>>>>> What am I doing wrong?
>>>>>>>>> Here is the config:
>>>>>>>>>
>>>>>>>>> aaa authentication login default none
>>>>>>>>> aaa authentication login VTY local
>>>>>>>>> aaa authorization exec VTY local
>>>>>>>>> !
>>>>>>>>> username ADMIN privilege 15 password 0 CISCO
>>>>>>>>> username OPERATOR privilege 15 view HTTP password 0 CISCO
>>>>>>>>> !
>>>>>>>>> line vty 0 4
>>>>>>>>>  password cisco
>>>>>>>>>  authorization exec VTY
>>>>>>>>>  login authentication VTY
>>>>>>>>>  transport input ssh
>>>>>>>>> !
>>>>>>>>> parser view HTTP
>>>>>>>>>  secret 5 $1$WpiY$Xj9az9zBmG5nWyN7sdUkK.
>>>>>>>>>  commands configure include all ip http
>>>>>>>>>  commands configure include ip
>>>>>>>>>  commands exec include configure terminal
>>>>>>>>>  commands exec include configure
>>>>>>>>> !
>>>>>>>>>
>>>>>>>>> And here is my issue:
>>>>>>>>>
>>>>>>>>> Rack1R5#ssh -l OPERATOR 150.1.4.4
>>>>>>>>>
>>>>>>>>> Password:
>>>>>>>>>
>>>>>>>>> Rack1R4>
>>>>>>>>>
>>>>>>>>> (Note here.... I am not in priv lev 15.)
>>>>>>>>>
>>>>>>>>> If I enable here, I go out of the view and have all the access.
>>>>>>>>>
>>>>>>>>> Shouldn't I be placed in exec mode but in the restricted view...
>>>>>>>>>
>>>>>>>>> With the other user, I am directly placed in exec:
>>>>>>>>> Rack1R5#ssh -l ADMIN 150.1.4.4
>>>>>>>>>
>>>>>>>>> Password:
>>>>>>>>>
>>>>>>>>> Rack1R4#
>>>>>>>>>
>>>>>>>>> Any help will be appreciated.
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>> Badar Farooq
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> For more information regarding industry leading CCIE Lab training,
>>>>>>>>> please visit www.ipexpert.com
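Editor's note, for readers comparing their own setup against the configuration posted in this thread: the block below is an added example, not the configuration of anyone on the list. It lays out Role-Based CLI Access for a locally authenticated user the way Cisco documents it. The view name HTTP and its command set are reused from the post for comparison; every password is a placeholder, and the hostname is whatever device you apply it to. Two things it makes explicit that the posted config does not: aaa new-model is a prerequisite for parser views (the view itself is created from the root view, entered with enable view, which prompts for the enable secret), and "aaa authentication login default none" leaves any line that is not bound to the named VTY list, the console included, with no authentication at all, so the default list here points at local as well.

```cisco
! Added example (not from the thread). Passwords in angle brackets are
! placeholders. Compare against the configuration posted above.
!
! 1. Role-Based CLI Access requires AAA: the "parser view" commands are
!    not available until aaa new-model is enabled.
aaa new-model
!
! Bind every line to an explicit, authenticating list. The posted config
! left the default login list at "none", which means any line not tied to
! the named VTY list (console, aux) lets a session in with no credentials.
aaa authentication login default local
aaa authentication login VTY local
aaa authorization exec default local
aaa authorization exec VTY local
!
! The enable secret is what "enable view" (root view) prompts for. Keep it
! distinct from every operator credential: a user who can "enable" leaves
! any view and gets unrestricted level 15, which is the escalation the
! thread describes.
enable secret <root-view-password>
!
! ADMIN keeps full level-15 access. OPERATOR is bound to the view; with
! local exec authorization the view, not a privilege level, decides what
! the session can run.
username ADMIN privilege 15 secret <admin-password>
username OPERATOR view HTTP secret <operator-password>
!
line con 0
 login authentication default
line vty 0 4
 login authentication VTY
 authorization exec VTY
 transport input ssh
!
! 2. Define the restricted view from the root view ("enable view"). The
!    exec and configure includes are the ones the poster used; "show
!    parser view" is added so the operator can confirm where they landed.
parser view HTTP
 secret <view-password>
 commands exec include configure terminal
 commands exec include show parser view
 commands configure include all ip http
```

After logging in as OPERATOR, "show parser view" (included in the view for exactly this purpose) reports which view the session is in, and from the root view "show parser view all" lists every view that is configured. The check worth doing against the posted setup is the one the poster already did: log in as the restricted user and confirm the prompt is not the plain user-EXEC prompt, because a session that lands at user EXEC is only one enable away from the full CLI.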
