It was just that the pg showed the user being authorised and put into exec mode directly (r4:#), whereas in mine you go into user exec (r4:/).

Also, if you know the enable password you can just enable up to priv 15. I just thought the idea was that the user was restricted to the commands you make available in the view?

Thanks
LR

________________________________
From: Jerome Dolphin <[email protected]>
To: LEE READE <[email protected]>
Cc: [email protected]
Sent: Saturday, 26 February, 2011 22:52:57
Subject: Re: [OSL | CCIE_Security] Security VOL1 5.7 Role Based CLI

Hi Lee,

What sort of comments are you looking for? Is there a specific problem, or is everything working as expected?

Cheers,
Jerome

On Sun, Feb 27, 2011 at 4:39 AM, LEE READE <[email protected]> wrote:
> aaa new-model
> aaa authentication login default none
> aaa authentication login con none
> aaa authentication login vty group radius
> aaa authentication enable default enable
> aaa authorization exec default group radius
>
> ip radius source-interface Loopback0
> radius-server attribute 6 mandatory
> radius-server host 10.1.1.100 auth-port 1812 acct-port 1813 key ipexpert
> radius-server vsa send accounting
> radius-server vsa send authentication
>
> parser view limited
>  secret 5 $1$mCJ5$Eoq3E30WEqDiBqGBpn9V.1
>  commands exec include show ip interface brief
>  commands exec include show ip interface
>  commands exec include show ip
>  commands exec include show clock
>  commands exec include show version
>  commands exec include show logging
>  commands exec include show
> !
> parser view limited2
>  secret 5 $1$N.IR$Fv0Jk7IkFpdCuCpCDXsb..
>  commands exec include ping
>  commands exec include all show interfaces
>  commands exec include show
> !
> parser view super
>  secret 5 $1$WWuS$oOrY4mkKRrCFkwpA7NHdn0
>  commands interface include shutdown
>  commands interface include no shutdown
>  commands interface include no
>  commands configure include interface
>  commands exec include configure terminal
>  commands exec include configure
>  commands exec include all show
>  commands configure include interface FastEthernet0/1.49
> !
> parser view super-user superview
>  secret 5 $1$mP4v$Hn1PdYa2Dt7c66/flrGDU1
>  view limited
>  view limited2
>  view super
>
> debug radius and author-
>
> R4#
> Feb 26 17:37:42.773: AAA/BIND(00000013): Bind i/f
> Feb 26 17:37:42.773: RADIUS/ENCODE(00000013): ask "Username: "
> Feb 26 17:37:42.773: RADIUS/ENCODE(00000013): send packet; GET_USER
> R4#
> Feb 26 17:37:45.789: RADIUS/ENCODE(00000013): ask "Password: "
> Feb 26 17:37:45.789: RADIUS/ENCODE(00000013): send packet; GET_PASSWORD
> Feb 26 17:37:47.541: RADIUS/ENCODE(00000013):Orig. component type = EXEC
> Feb 26 17:37:47.541: RADIUS/ENCODE(00000013): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
> Feb 26 17:37:47.541: RADIUS(00000013): Config NAS IP: 4.4.4.4
> Feb 26 17:37:47.541: RADIUS/ENCODE(00000013): acct_session_id: 17
> Feb 26 17:37:47.541: RADIUS(00000013): sending
> Feb 26 17:37:47.545: RADIUS(00000013): Send Access-Request to 10.1.1.100:1812 id 1645/17, len 85
> Feb 26 17:37:47.545: RADIUS: authenticator A4 BD 3C 00 D9 59 48 20 - 41 16 AA 18 6F 13 B0 D4
> Feb 26 17:37:47.545: RADIUS: User-Name [1] 9 "limited"
> Feb 26 17:37:47.545: RADIUS: User-Password [2] 18 *
> Feb 26 17:37:47.545: RADIUS: NAS-Port [5] 6 514
> Feb 26 17:37:47.545: RADIUS: NAS-Port-Id [87] 8 "tty514"
> R4#Feb 26 17:37:47.545: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
> Feb 26 17:37:47.545: RADIUS: Calling-Station-Id [31] 12 "10.1.1.100"
> Feb 26 17:37:47.545: RADIUS: NAS-IP-Address [4] 6 4.4.4.4
> Feb 26 17:37:47.553: RADIUS: Received from id 1645/17 10.1.1.100:1812, Access-Accept, len 91
> Feb 26 17:37:47.553: RADIUS: authenticator AC DF 7E 66 06 DD 8B B6 - 92 60 AF 36 7B FC 2A 69
> Feb 26 17:37:47.553: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
> Feb 26 17:37:47.553: RADIUS: Vendor, Cisco [26] 35
> Feb 26 17:37:47.553: RADIUS: Cisco AVpair [1] 29 "shell:cli-view-name=limited"
> Feb 26 17:37:47.557: RADIUS: Service-Type [6] 6 NAS Prompt [7]
> Feb 26 17:37:47.557: RADIUS: Class [25] 24
> Feb 26 17:37:47.557: RADIUS: 43 41 43 53 3A 30 2F 39 34 65 2F 34 30 34 30 34 [CACS:0/94e/40404]
> Feb 26 17:37:47.557: RADIUS: 30 34 2F 35 31 34 [04/514]
> Feb 26 17:37:47.557: RADIUS(00000013): Received from id 1645/17
> Feb 26 17:37:47.557: AAA/AUTHOR/EXEC(00000013): processing AV cli-view-name=limited
> Feb 26 17:37:47.557: AAA/AUTHOR/EXEC(00000013): processing AV service-type=7
> Feb 26 17:37:47.561: AAA/AUTHOR/EXEC(00000013): Authorization successf
>
> As you can see it is being placed into the correct view, and show parser view on the telnet client confirms this.
>
> Appreciate any comments..
>
> Thanks
>
> LR
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit
> www.ipexpert.com
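The thread's config shows how a parser view decides what a user may run: a plain `commands <mode> include` permits exactly that command (and IOS lists its parent prefixes alongside it, which is why `show ip interface brief` is accompanied by `show ip interface`, `show ip` and `show`), `include all` permits the command and everything under it, and a superview is the union of its member views. The RADIUS `shell:cli-view-name` AV pair then selects which view the session is dropped into. The following is an added example, not code from the thread, from IPexpert or from Cisco: a small Python model of those rules, run against a copy of the posted views (secrets omitted) and the posted debug lines. The prefix auto-listing, the `all` matching and the superview union are modelled from what the config shows and are assumptions about IOS behaviour; `include-exclusive` and other IOS view features are not modelled. It also shows that the view name only scopes commands; it says nothing about the privilege level or exec mode the session lands in, which is the point Lee raises.

```python
"""Simplified model of IOS role-based CLI views (parser views).

Added example, not Cisco's implementation. Assumed rules, modelled from the
config in the thread:
  * 'commands MODE include CMD' permits CMD and its parent prefixes,
  * 'commands MODE include all CMD' permits CMD and every subcommand of it,
  * a superview permits whatever any of its member views permits.
"""
import re

# Constructed input: the parser views from the thread, 'secret' lines omitted.
SAMPLE_CONFIG = """\
parser view limited
 commands exec include show ip interface brief
 commands exec include show clock
 commands exec include show version
 commands exec include show logging
!
parser view limited2
 commands exec include ping
 commands exec include all show interfaces
!
parser view super
 commands interface include shutdown
 commands interface include no shutdown
 commands exec include configure terminal
 commands exec include all show
 commands configure include interface FastEthernet0/1.49
!
parser view super-user superview
 view limited
 view limited2
 view super
!
"""

# Constructed input: the three RADIUS debug lines that carry the view name.
SAMPLE_DEBUG = """\
Feb 26 17:37:47.553: RADIUS:  Vendor, Cisco       [26]  35
Feb 26 17:37:47.553: RADIUS:   Cisco AVpair        [1]   29  "shell:cli-view-name=limited"
Feb 26 17:37:47.557: RADIUS:  Service-Type        [6]   6   NAS Prompt                [7]
"""


def prefixes(command):
    """'show ip interface brief' -> ['show', 'show ip', 'show ip interface', ...]."""
    words = command.split()
    return [" ".join(words[:i]) for i in range(1, len(words) + 1)]


def parse_views(config):
    """Return {view_name: {superview, members, include{mode:set}, include_all{mode:set}}}."""
    views, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = re.match(r"parser view (\S+)( superview)?$", line)
        if m:
            current = views.setdefault(m.group(1), {
                "superview": bool(m.group(2)), "members": [],
                "include": {}, "include_all": {}})
            continue
        if current is None:
            continue
        m = re.match(r"commands (\S+) include( all)? (.+)$", line)
        if m:
            mode, all_flag, cmd = m.group(1), bool(m.group(2)), m.group(3)
            # Assumed: including a command also lists its parent prefixes,
            # as the thread's running config shows for 'show ip interface brief'.
            current["include"].setdefault(mode, set()).update(prefixes(cmd))
            if all_flag:
                current["include_all"].setdefault(mode, set()).add(cmd)
            continue
        m = re.match(r"view (\S+)$", line)
        if m and current["superview"]:
            current["members"].append(m.group(1))
    return views


def is_allowed(views, view_name, mode, command):
    """True if VIEW_NAME permits COMMAND in parser MODE under the assumed rules."""
    view = views[view_name]
    if view["superview"]:
        return any(is_allowed(views, m, mode, command) for m in view["members"])
    cmd = " ".join(command.split())
    if cmd in view["include"].get(mode, ()):
        return True
    return any(cmd == root or cmd.startswith(root + " ")
               for root in view["include_all"].get(mode, ()))


def view_from_radius_debug(debug_text):
    """Pull the view name out of the shell:cli-view-name AV pair, or None."""
    m = re.search(r'shell:cli-view-name=([^"\s]+)', debug_text)
    return m.group(1) if m else None


if __name__ == "__main__":
    views = parse_views(SAMPLE_CONFIG)
    view = view_from_radius_debug(SAMPLE_DEBUG)
    print("RADIUS placed the session in view:", view)
    for cmd in ("show ip interface brief", "show running-config", "configure terminal"):
        print(f"  {view}/exec {cmd!r}: {'allowed' if is_allowed(views, view, 'exec', cmd) else 'denied'}")
```

Running it reports that the `limited` view returned by RADIUS allows `show ip interface brief` but not `show running-config` or `configure terminal`; swapping the AV pair value for `super-user` shows the superview inheriting `ping` from `limited2` and `all show` from `super`. The model deliberately has no notion of privilege level: whether the session starts at `>` or `#`, and whether `enable` with the enable secret is reachable, is decided by the exec authorization and enable authentication lines in the thread's AAA config, not by the view.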
