Well, aaa is essential. Without aaa new-model you cannot configure the parser commands.

On Thu, Dec 3, 2009 at 5:02 PM, Kingsley Charles <[email protected]> wrote:
> I think and logically CLI view can be configured with login local without
> aaa new-model.
>
> Can you please confirm, just want to see if my understanding is wrong.
>
> With regards
> Kings
>
> On Thu, Dec 3, 2009 at 7:22 PM, Badar Farooq <[email protected]> wrote:
>
>> Well... Without authorizing exec on VTY I won't be able to trigger the view
>> (configured in username command) unless I use enable view HTTP. And before
>> that OPERATOR will have full access that would defeat the purpose of config
>> altogether as the restricted user will choose whether to have full access or
>> stay restricted :)
>> And you cannot disable AAA because Role Based CLI needs AAA
>>
>> On Thu, Dec 3, 2009 at 4:45 PM, Kingsley Charles <[email protected]> wrote:
>>
>>> ok let's try this
>>>
>>> just remove the "aaa authorization exec VTY local" and then try.
>>>
>>> If you still face the issue, please try the following which I have been
>>> doing....
>>>
>>> Remove aaa - no aaa new-model
>>>
>>> Under vty, add "login local"
>>> Now try...
>>>
>>> On Thu, Dec 3, 2009 at 7:12 PM, Badar Farooq <[email protected]> wrote:
>>>
>>>> Did that
>>>> the same result
>>>>
>>>> Rack1R5#telnet 150.1.4.4
>>>> Trying 150.1.4.4 ... Open
>>>>
>>>> User Access Verification
>>>>
>>>> Username: OPERATOR
>>>> Password:
>>>>
>>>> *Rack1R4>*
>>>>
>>>> The debug is stranger
>>>>
>>>> Mar 5 16:53:46.883: AAA/AUTHEN/LOGIN (0000000F): Pick method list 'VTY'
>>>> Mar 5 16:53:53.498: AAA/AUTHOR (0xF): Pick method list 'VTY'
>>>> Mar 5 16:53:53.502: AAA/AUTHOR/EXEC(0000000F): processing AV cmd=
>>>> *Mar 5 16:53:53.502: AAA/AUTHOR/EXEC(0000000F): processing AV priv-lvl=15*
>>>> Mar 5 16:53:53.502: AAA/AUTHOR/EXEC(0000000F): processing AV cli-view-name=HTTP
>>>> Mar 5 16:53:53.506: AAA/AUTHOR/EXEC(0000000F): Authorization successful
>>>>
>>>> Clearly I am getting authorized at level 15. Still not getting the
>>>> prompt.
>>>>
>>>> On Thu, Dec 3, 2009 at 4:37 PM, Kingsley Charles <[email protected]> wrote:
>>>>
>>>>> Oops, sorry I overlooked that.
>>>>>
>>>>> I have also been configuring CLI view for some time but have not come
>>>>> across this issue. Your configuration seems to be correct.
>>>>>
>>>>> Can you try with telnet? Just add transport ssh telnet and let's
>>>>> see what is happening
>>>>>
>>>>> ssh may require some crypto functionality but yours only permits
>>>>> conf ter and ip http
>>>>>
>>>>> commands configure include all ip http
>>>>> commands configure include ip
>>>>> commands exec include configure terminal
>>>>> commands exec include configure
>>>>>
>>>>> just a guess
>>>>>
>>>>> With regards
>>>>> Kings
>>>>>
>>>>> On Thu, Dec 3, 2009 at 6:53 PM, Badar Farooq <[email protected]> wrote:
>>>>>
>>>>>> Kingsley, I am using username in the SSH command.
>>>>>>
>>>>>> ssh -l OPERATOR 150.1.4.4
>>>>>>
>>>>>> On Thu, Dec 3, 2009 at 4:15 PM, Kingsley Charles <[email protected]> wrote:
>>>>>>
>>>>>>> Hey, why are you just prompted for password? You should be prompted
>>>>>>> for both username and password.
>>>>>>>
>>>>>>> Try removing the password cmd under the line vty 0 4.
>>>>>>>
>>>>>>> With regards
>>>>>>> Kings
>>>>>>>
>>>>>>> On Thu, Dec 3, 2009 at 6:26 PM, Badar Farooq <[email protected]> wrote:
>>>>>>>
>>>>>>>> Well... I am using AAA for authorization of VTY so it shouldn't
>>>>>>>> matter.
>>>>>>>> But I tried this
>>>>>>>>
>>>>>>>> Rack1R4(config)#line vty 0 181
>>>>>>>> Rack1R4(config-line)#privilege level 15
>>>>>>>> Rack1R4(config-line)#end
>>>>>>>>
>>>>>>>> Rack1R4#
>>>>>>>> Mar 5 17:15:02.422: %SYS-5-CONFIG_I: Configured from console by console
>>>>>>>> Rack1R4#
>>>>>>>> GV-Rack4>5
>>>>>>>> [Resuming connection 5 to r5 ... ]
>>>>>>>>
>>>>>>>> [Connection to 150.1.4.4 closed by foreign host]
>>>>>>>> Rack1R5#
>>>>>>>> Rack1R5#
>>>>>>>>
>>>>>>>> Rack1R5#ssh -l OPERATOR 150.1.4.4
>>>>>>>>
>>>>>>>> Password:
>>>>>>>>
>>>>>>>> Rack1R4>
>>>>>>>>
>>>>>>>> Still the same prompt
>>>>>>>>
>>>>>>>> Regards
>>>>>>>>
>>>>>>>> On Thu, Dec 3, 2009 at 3:52 PM, Kingsley Charles <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> I think you need to configure "privilege level 15" under the vty
>>>>>>>>> line.
>>>>>>>>>
>>>>>>>>> The privilege level that you associate with the username might be
>>>>>>>>> used for backup, if the parser view is not configured for the user.
>>>>>>>>>
>>>>>>>>> With regards
>>>>>>>>> Kings
>>>>>>>>>
>>>>>>>>> On Thu, Dec 3, 2009 at 4:39 PM, Badar Farooq <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Here is what I am trying to do
>>>>>>>>>> I am creating two users ADMIN and Operator. ADMIN has all the
>>>>>>>>>> rights and for OPERATOR I am restricting the access through role
>>>>>>>>>> based CLI using a view HTTP.
>>>>>>>>>> I am using local authentication and authorization, placing both
>>>>>>>>>> users at privilege level 15 and placing OPERATOR in view HTTP.
>>>>>>>>>> When I login using the OPERATOR, instead of being placed at exec
>>>>>>>>>> (priv 15) I am placed at priv level 0. If I enable here, I am given
>>>>>>>>>> level 15 unrestricted access.
>>>>>>>>>>
>>>>>>>>>> What am I doing wrong?
>>>>>>>>>> Here is the config
>>>>>>>>>>
>>>>>>>>>> aaa authentication login default none
>>>>>>>>>> aaa authentication login VTY local
>>>>>>>>>> aaa authorization exec VTY local
>>>>>>>>>> !
>>>>>>>>>> username ADMIN privilege 15 password 0 CISCO
>>>>>>>>>> username OPERATOR privilege 15 view HTTP password 0 CISCO
>>>>>>>>>> !
>>>>>>>>>> line vty 0 4
>>>>>>>>>>  password cisco
>>>>>>>>>>  authorization exec VTY
>>>>>>>>>>  login authentication VTY
>>>>>>>>>>  transport input ssh
>>>>>>>>>> !
>>>>>>>>>> parser view HTTP
>>>>>>>>>>  secret 5 $1$WpiY$Xj9az9zBmG5nWyN7sdUkK.
>>>>>>>>>>  commands configure include all ip http
>>>>>>>>>>  commands configure include ip
>>>>>>>>>>  commands exec include configure terminal
>>>>>>>>>>  commands exec include configure
>>>>>>>>>> !
>>>>>>>>>>
>>>>>>>>>> And here is my issue
>>>>>>>>>>
>>>>>>>>>> Rack1R5#ssh -l OPERATOR 150.1.4.4
>>>>>>>>>>
>>>>>>>>>> Password:
>>>>>>>>>>
>>>>>>>>>> Rack1R4>
>>>>>>>>>>
>>>>>>>>>> (Note here.... I am not in priv lev 15)
>>>>>>>>>>
>>>>>>>>>> If I enable here I go out of the view and have all the access
>>>>>>>>>>
>>>>>>>>>> Shouldn't I be placed in exec mode but in restricted view...
>>>>>>>>>>
>>>>>>>>>> With other user, I am directly placed in exec
>>>>>>>>>> Rack1R5#ssh -l ADMIN 150.1.4.4
>>>>>>>>>>
>>>>>>>>>> Password:
>>>>>>>>>>
>>>>>>>>>> Rack1R4#
>>>>>>>>>>
>>>>>>>>>> Any help will be appreciated
>>>>>>>>>>
>>>>>>>>>> Regards
>>>>>>>>>> Badar Farooq
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> For more information regarding industry leading CCIE Lab training,
>>>>>>>>>> please visit www.ipexpert.com
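
The thread reads the exec-authorization result off `AAA/AUTHOR/EXEC` debug lines by eye. The following is an added example, not part of the thread or of any poster's configuration: a small Python parser that groups those AV pairs by AAA session id and lists logins that were authorized at privilege 15 with no `cli-view-name` attached. The function names are hypothetical, and the second session in the sample is constructed.

```python
import re

# Constructed sample. Session 0000000F mirrors the debug quoted in the thread;
# session 00000010 is invented here to show a login that gets no view.
SAMPLE_DEBUG = """\
Mar 5 16:53:53.498: AAA/AUTHOR (0xF): Pick method list 'VTY'
Mar 5 16:53:53.502: AAA/AUTHOR/EXEC(0000000F): processing AV cmd=
Mar 5 16:53:53.502: AAA/AUTHOR/EXEC(0000000F): processing AV priv-lvl=15
Mar 5 16:53:53.502: AAA/AUTHOR/EXEC(0000000F): processing AV cli-view-name=HTTP
Mar 5 16:53:53.506: AAA/AUTHOR/EXEC(0000000F): Authorization successful
Mar 5 16:54:10.110: AAA/AUTHOR/EXEC(00000010): processing AV cmd=
Mar 5 16:54:10.110: AAA/AUTHOR/EXEC(00000010): processing AV priv-lvl=15
Mar 5 16:54:10.114: AAA/AUTHOR/EXEC(00000010): Authorization successful
"""

EXEC_LINE = re.compile(r"AAA/AUTHOR/EXEC\s*\(([0-9A-Fa-f]+)\):\s*(.*)$")
AV_PAIR = re.compile(r"processing AV ([\w-]+)=(.*)$")


def exec_authorizations(log_text):
    """Group exec-authorization AV pairs by AAA session id."""
    sessions = {}
    for raw in log_text.splitlines():
        # Mail clients sometimes wrap a debug line in '*' for emphasis.
        m = EXEC_LINE.search(raw.strip().strip("*").strip())
        if not m:
            continue  # authentication and method-list lines carry no AV pairs
        sid, msg = m.group(1).upper(), m.group(2)
        entry = sessions.setdefault(
            sid, {"priv_lvl": None, "view": None, "authorized": False})
        av = AV_PAIR.match(msg)
        if av:
            name, value = av.group(1), av.group(2).strip()
            if name == "priv-lvl" and value.isdigit():
                entry["priv_lvl"] = int(value)
            elif name == "cli-view-name" and value:
                entry["view"] = value
        elif msg.startswith("Authorization successful"):
            entry["authorized"] = True
    return sessions


def unrestricted_level15(sessions):
    """Session ids authorized at privilege 15 with no CLI view attached."""
    return sorted(sid for sid, s in sessions.items()
                  if s["authorized"] and s["priv_lvl"] == 15 and not s["view"])


if __name__ == "__main__":
    parsed = exec_authorizations(SAMPLE_DEBUG)
    for sid, info in parsed.items():
        print(sid, info)
    print("level 15 without a view:", unrestricted_level15(parsed))
```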
