AAA is not required...., this is working for me

parser view mine
 secret 5 $1$1HKh$xlOQP75PX4sNAGv1b3i5u/
 commands exec include all show
 commands exec include all clear
 commands exec include configure terminal
username cisco123 privilege 15 view mine secret 5 $1$.Mrx$QK.otN46wm.HmFK
line vty 0 4
 exec-timeout 0 0
 login local

On Thu, Dec 3, 2009 at 7:33 PM, Badar Farooq <[email protected]> wrote:
> Well
> aaa is essential. Without aaa new-model you cannot configure the parser
> commands
>
> On Thu, Dec 3, 2009 at 5:02 PM, Kingsley Charles <[email protected]> wrote:
>> I think and logically CLI view can be configured with login local without
>> aaa new-model.
>>
>> Can you please confirm, just want to see if my understanding is wrong.
>>
>> With regards
>> Kings
>>
>> On Thu, Dec 3, 2009 at 7:22 PM, Badar Farooq <[email protected]> wrote:
>>> Well... Without authorizing exec on VTY I won't be able to trigger the
>>> view (configured in username command) unless I use enable view HTTP. And
>>> before that OPERATOR will have full access that would defeat the purpose of
>>> config altogether as the restricted user will choose whether to have full
>>> access or stay restricted :)
>>> And you cannot disable AAA because Role Based CLI needs AAA
>>>
>>> On Thu, Dec 3, 2009 at 4:45 PM, Kingsley Charles <[email protected]> wrote:
>>>> ok let's try this
>>>>
>>>> just remove the "aaa authorization exec VTY local" and then try.
>>>>
>>>> If you still face the issue, please try the following which I have been
>>>> doing....
>>>>
>>>> Remove aaa - no aaa new-model
>>>>
>>>> Under vty, add "login local"
>>>> Now try...
>>>>
>>>> On Thu, Dec 3, 2009 at 7:12 PM, Badar Farooq <[email protected]> wrote:
>>>>> Did that
>>>>> the same result
>>>>>
>>>>> Rack1R5#telnet 150.1.4.4
>>>>> Trying 150.1.4.4 ... Open
>>>>>
>>>>> User Access Verification
>>>>>
>>>>> Username: OPERATOR
>>>>> Password:
>>>>>
>>>>> *Rack1R4>*
>>>>>
>>>>> The debug is stranger
>>>>>
>>>>> Mar 5 16:53:46.883: AAA/AUTHEN/LOGIN (0000000F): Pick method list 'VTY'
>>>>> Mar 5 16:53:53.498: AAA/AUTHOR (0xF): Pick method list 'VTY'
>>>>> Mar 5 16:53:53.502: AAA/AUTHOR/EXEC(0000000F): processing AV cmd=
>>>>> *Mar 5 16:53:53.502: AAA/AUTHOR/EXEC**(0000000F): processing AV priv-lvl=15*
>>>>> Mar 5 16:53:53.502: AAA/AUTHOR/EXEC(0000000F): processing AV cli-view-name=HTTP
>>>>> Mar 5 16:53:53.506: AAA/AUTHOR/EXEC(0000000F): Authorization successful
>>>>>
>>>>> Clearly I am getting authorized at level 15. Still not getting the
>>>>> prompt.
>>>>>
>>>>> On Thu, Dec 3, 2009 at 4:37 PM, Kingsley Charles <[email protected]> wrote:
>>>>>> Oops, sorry I overlooked that.
>>>>>>
>>>>>> I have been also configuring CLI view for some time but have not come
>>>>>> across this issue. Your configuration seems to be correct.
>>>>>>
>>>>>> Can you try with telnet? Just add transport ssh telnet and let's
>>>>>> see what is happening
>>>>>>
>>>>>> ssh maybe requires some crypto functionality but yours only permits
>>>>>> conf ter and ip http
>>>>>>
>>>>>> commands configure include all ip http
>>>>>> commands configure include ip
>>>>>> commands exec include configure terminal
>>>>>> commands exec include configure
>>>>>>
>>>>>> just a guess
>>>>>>
>>>>>> With regards
>>>>>> Kings
>>>>>>
>>>>>> On Thu, Dec 3, 2009 at 6:53 PM, Badar Farooq <[email protected]> wrote:
>>>>>>> Kingsley I am using username in the SSH command.
>>>>>>>
>>>>>>> ssh -l OPERATOR 150.1.4.4
>>>>>>>
>>>>>>> On Thu, Dec 3, 2009 at 4:15 PM, Kingsley Charles <[email protected]> wrote:
>>>>>>>> Hey, why are you just prompted for password? You should be prompted
>>>>>>>> for both username and password.
>>>>>>>>
>>>>>>>> Try removing the password cmd under the line vty 0 4.
>>>>>>>>
>>>>>>>> With regards
>>>>>>>> Kings
>>>>>>>>
>>>>>>>> On Thu, Dec 3, 2009 at 6:26 PM, Badar Farooq <[email protected]> wrote:
>>>>>>>>> Well... I am using AAA for authorization of VTY so it shouldn't
>>>>>>>>> matter.
>>>>>>>>> but I tried this
>>>>>>>>>
>>>>>>>>> Rack1R4(config)#line vty 0 181
>>>>>>>>> Rack1R4(config-line)#privilege level 15
>>>>>>>>> Rack1R4(config-line)#end
>>>>>>>>>
>>>>>>>>> Rack1R4#
>>>>>>>>> Mar 5 17:15:02.422: %SYS-5-CONFIG_I: Configured from console by console
>>>>>>>>> Rack1R4#
>>>>>>>>> GV-Rack4>5
>>>>>>>>> [Resuming connection 5 to r5 ... ]
>>>>>>>>>
>>>>>>>>> [Connection to 150.1.4.4 closed by foreign host]
>>>>>>>>> Rack1R5#
>>>>>>>>> Rack1R5#
>>>>>>>>>
>>>>>>>>> Rack1R5#ssh -l OPERATOR 150.1.4.4
>>>>>>>>>
>>>>>>>>> Password:
>>>>>>>>>
>>>>>>>>> Rack1R4>
>>>>>>>>>
>>>>>>>>> Still the same prompt
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>>
>>>>>>>>> On Thu, Dec 3, 2009 at 3:52 PM, Kingsley Charles <[email protected]> wrote:
>>>>>>>>>> I think, you need to configure "privilege level 15" under the vty
>>>>>>>>>> line.
>>>>>>>>>>
>>>>>>>>>> The privilege level that you associate with the username might be
>>>>>>>>>> used for backup, if the parser view is not configured for the user.
>>>>>>>>>>
>>>>>>>>>> With regards
>>>>>>>>>> Kings
>>>>>>>>>>
>>>>>>>>>> On Thu, Dec 3, 2009 at 4:39 PM, Badar Farooq <[email protected]> wrote:
>>>>>>>>>>> Here is what I am trying to do
>>>>>>>>>>> I am creating two users ADMIN and Operator. ADMIN has all the
>>>>>>>>>>> rights and for OPERATOR I am restricting the access through role
>>>>>>>>>>> based CLI using a view HTTP.
>>>>>>>>>>> I am using local authentication and authorization, placing both
>>>>>>>>>>> users at privilege level 15 and placing OPERATOR in view HTTP.
>>>>>>>>>>> When I login using the OPERATOR, instead of being placed at exec
>>>>>>>>>>> (priv 15) I am placed at priv level 0. If I enable here, I am given
>>>>>>>>>>> level 15 unrestricted access.
>>>>>>>>>>>
>>>>>>>>>>> What am I doing wrong?
>>>>>>>>>>> Here is the config
>>>>>>>>>>>
>>>>>>>>>>> aaa authentication login default none
>>>>>>>>>>> aaa authentication login VTY local
>>>>>>>>>>> aaa authorization exec VTY local
>>>>>>>>>>> !
>>>>>>>>>>> username ADMIN privilege 15 password 0 CISCO
>>>>>>>>>>> username OPERATOR privilege 15 view HTTP password 0 CISCO
>>>>>>>>>>> !
>>>>>>>>>>> line vty 0 4
>>>>>>>>>>>  password cisco
>>>>>>>>>>>  authorization exec VTY
>>>>>>>>>>>  login authentication VTY
>>>>>>>>>>>  transport input ssh
>>>>>>>>>>> !
>>>>>>>>>>> parser view HTTP
>>>>>>>>>>>  secret 5 $1$WpiY$Xj9az9zBmG5nWyN7sdUkK.
>>>>>>>>>>>  commands configure include all ip http
>>>>>>>>>>>  commands configure include ip
>>>>>>>>>>>  commands exec include configure terminal
>>>>>>>>>>>  commands exec include configure
>>>>>>>>>>> !
>>>>>>>>>>>
>>>>>>>>>>> And here is my issue
>>>>>>>>>>>
>>>>>>>>>>> Rack1R5#ssh -l OPERATOR 150.1.4.4
>>>>>>>>>>>
>>>>>>>>>>> Password:
>>>>>>>>>>>
>>>>>>>>>>> Rack1R4>
>>>>>>>>>>>
>>>>>>>>>>> (Note here.... I am not in priv lev 15)
>>>>>>>>>>>
>>>>>>>>>>> if I enable here I go out of the view and have all the access
>>>>>>>>>>>
>>>>>>>>>>> shouldn't I be placed in exec mode but in restricted view...
>>>>>>>>>>>
>>>>>>>>>>> With other user, I am directly placed in exec
>>>>>>>>>>> Rack1R5#ssh -l ADMIN 150.1.4.4
>>>>>>>>>>>
>>>>>>>>>>> Password:
>>>>>>>>>>>
>>>>>>>>>>> Rack1R4#
>>>>>>>>>>>
>>>>>>>>>>> Any help will be appreciated
>>>>>>>>>>>
>>>>>>>>>>> Regards
>>>>>>>>>>> Badar Farooq
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> For more information regarding industry leading CCIE Lab
>>>>>>>>>>> training, please visit www.ipexpert.com
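
Added example, not part of the original thread: a Python sketch that groups the AAA debug lines quoted above by session ID and reports what exec authorization returned for the login. SAMPLE is constructed from the thread's debug output (mail wrapping undone, one emphasis-marked line kept as posted); the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the debug lines quoted in the thread, unwrapped.
SAMPLE = """\
Mar 5 16:53:46.883: AAA/AUTHEN/LOGIN (0000000F): Pick method list 'VTY'
Mar 5 16:53:53.498: AAA/AUTHOR (0xF): Pick method list 'VTY'
Mar 5 16:53:53.502: AAA/AUTHOR/EXEC(0000000F): processing AV cmd=
*Mar 5 16:53:53.502: AAA/AUTHOR/EXEC**(0000000F): processing AV priv-lvl=15*
Mar 5 16:53:53.502: AAA/AUTHOR/EXEC(0000000F): processing AV cli-view-name=HTTP
Mar 5 16:53:53.506: AAA/AUTHOR/EXEC(0000000F): Authorization successful
"""

LINE = re.compile(
    r"AAA/(?P<stage>[A-Z/]+?)\s*\((?P<sid>(?:0x)?[0-9A-Fa-f]+)\):\s*(?P<msg>.*)$")

def summarize(text):
    """Group AAA debug lines by session id; collect method lists and exec AV pairs."""
    sessions = defaultdict(lambda: {"login_list": None, "author_list": None,
                                    "av": {}, "exec_result": None})
    for raw in text.splitlines():
        m = LINE.search(raw.replace("*", ""))    # drop mail emphasis markers
        if not m:
            continue
        s = sessions[int(m["sid"], 16)]          # '0000000F' and '0xF' are one session
        stage, msg = m["stage"], m["msg"].strip()
        picked = re.match(r"Pick method list '([^']+)'", msg)
        if picked:
            key = "login_list" if stage.startswith("AUTHEN") else "author_list"
            s[key] = picked[1]
        elif stage == "AUTHOR/EXEC" and msg.startswith("processing AV "):
            name, _, value = msg[len("processing AV "):].partition("=")
            s["av"][name] = value
        elif stage == "AUTHOR/EXEC" and msg.startswith("Authorization "):
            s["exec_result"] = msg.split()[1].lower()
    return dict(sessions)

def exec_grant(session):
    """Return (privilege level, view name) from a successful exec authorization."""
    if session["exec_result"] != "successful":
        return None
    av = session["av"]
    level = int(av["priv-lvl"]) if "priv-lvl" in av else None
    return (level, av.get("cli-view-name"))

if __name__ == "__main__":
    for sid, sess in summarize(SAMPLE).items():
        print(hex(sid), sess["login_list"], sess["author_list"], exec_grant(sess))
```
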
