I could do anything I wanted, i.e. priv 15. Hence why I didn't think it was correct..

thanks
LR

________________________________
From: Kingsley Charles <[email protected]>
To: LEE READE <[email protected]>
Cc: Jerome Dolphin <[email protected]>; [email protected]
Sent: Sunday, 27 February, 2011 15:37:05
Subject: Re: [OSL | CCIE_Security] Security VOL1 5.7 Role Based CLI

Just type "configure ter" and hit enter in the user mode, what do you see?

With regards
Kings

On Sun, Feb 27, 2011 at 3:46 PM, LEE READE <[email protected]> wrote:

> It was just that the pg showed the user being authorised and put into exec mode directly r4:#, whereas mine you go into user exec r4:/
>
> Also, if you know the enable password you can just enable up to priv15. I just thought the idea was that the user was restricted to the commands you make available in the view?
>
> thanks
>
> LR
>
> ________________________________
> From: Jerome Dolphin <[email protected]>
> To: LEE READE <[email protected]>
> Cc: [email protected]
> Sent: Saturday, 26 February, 2011 22:52:57
> Subject: Re: [OSL | CCIE_Security] Security VOL1 5.7 Role Based CLI
>
> Hi Lee, what sort of comments are you looking for? Is there a specific problem, or is everything working as expected?
>
> Cheers, Jerome
>
> On Sun, Feb 27, 2011 at 4:39 AM, LEE READE <[email protected]> wrote:
>
>> aaa new-model
>> aaa authentication login default none
>> aaa authentication login con none
>> aaa authentication login vty group radius
>> aaa authentication enable default enable
>> aaa authorization exec default group radius
>>
>> ip radius source-interface Loopback0
>> radius-server attribute 6 mandatory
>> radius-server host 10.1.1.100 auth-port 1812 acct-port 1813 key ipexpert
>> radius-server vsa send accounting
>> radius-server vsa send authentication
>>
>> parser view limited
>>  secret 5 $1$mCJ5$Eoq3E30WEqDiBqGBpn9V.1
>>  commands exec include show ip interface brief
>>  commands exec include show ip interface
>>  commands exec include show ip
>>  commands exec include show clock
>>  commands exec include show version
>>  commands exec include show logging
>>  commands exec include show
>> !
>> parser view limited2
>>  secret 5 $1$N.IR$Fv0Jk7IkFpdCuCpCDXsb..
>>  commands exec include ping
>>  commands exec include all show interfaces
>>  commands exec include show
>> !
>> parser view super
>>  secret 5 $1$WWuS$oOrY4mkKRrCFkwpA7NHdn0
>>  commands interface include shutdown
>>  commands interface include no shutdown
>>  commands interface include no
>>  commands configure include interface
>>  commands exec include configure terminal
>>  commands exec include configure
>>  commands exec include all show
>>  commands configure include interface FastEthernet0/1.49
>> !
>> parser view super-user superview
>>  secret 5 $1$mP4v$Hn1PdYa2Dt7c66/flrGDU1
>>  view limited
>>  view limited2
>>  view super
>>
>> debug radius and author-
>>
>> R4#
>> Feb 26 17:37:42.773: AAA/BIND(00000013): Bind i/f
>> Feb 26 17:37:42.773: RADIUS/ENCODE(00000013): ask "Username: "
>> Feb 26 17:37:42.773: RADIUS/ENCODE(00000013): send packet; GET_USER
>> R4#
>> Feb 26 17:37:45.789: RADIUS/ENCODE(00000013): ask "Password: "
>> Feb 26 17:37:45.789: RADIUS/ENCODE(00000013): send packet; GET_PASSWORD
>> Feb 26 17:37:47.541: RADIUS/ENCODE(00000013):Orig. component type = EXEC
>> Feb 26 17:37:47.541: RADIUS/ENCODE(00000013): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
>> Feb 26 17:37:47.541: RADIUS(00000013): Config NAS IP: 4.4.4.4
>> Feb 26 17:37:47.541: RADIUS/ENCODE(00000013): acct_session_id: 17
>> Feb 26 17:37:47.541: RADIUS(00000013): sending
>> Feb 26 17:37:47.545: RADIUS(00000013): Send Access-Request to 10.1.1.100:1812 id 1645/17, len 85
>> Feb 26 17:37:47.545: RADIUS: authenticator A4 BD 3C 00 D9 59 48 20 - 41 16 AA 18 6F 13 B0 D4
>> Feb 26 17:37:47.545: RADIUS: User-Name [1] 9 "limited"
>> Feb 26 17:37:47.545: RADIUS: User-Password [2] 18 *
>> Feb 26 17:37:47.545: RADIUS: NAS-Port [5] 6 514
>> Feb 26 17:37:47.545: RADIUS: NAS-Port-Id [87] 8 "tty514"
>> R4#Feb 26 17:37:47.545: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
>> Feb 26 17:37:47.545: RADIUS: Calling-Station-Id [31] 12 "10.1.1.100"
>> Feb 26 17:37:47.545: RADIUS: NAS-IP-Address [4] 6 4.4.4.4
>> Feb 26 17:37:47.553: RADIUS: Received from id 1645/17 10.1.1.100:1812, Access-Accept, len 91
>> Feb 26 17:37:47.553: RADIUS: authenticator AC DF 7E 66 06 DD 8B B6 - 92 60 AF 36 7B FC 2A 69
>> Feb 26 17:37:47.553: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
>> Feb 26 17:37:47.553: RADIUS: Vendor, Cisco [26] 35
>> Feb 26 17:37:47.553: RADIUS: Cisco AVpair [1] 29 "shell:cli-view-name=limited"
>> Feb 26 17:37:47.557: RADIUS: Service-Type [6] 6 NAS Prompt [7]
>> Feb 26 17:37:47.557: RADIUS: Class [25] 24
>> Feb 26 17:37:47.557: RADIUS: 43 41 43 53 3A 30 2F 39 34 65 2F 34 30 34 30 34 [CACS:0/94e/40404]
>> Feb 26 17:37:47.557: RADIUS: 30 34 2F 35 31 34 [04/514]
>> Feb 26 17:37:47.557: RADIUS(00000013): Received from id 1645/17
>> Feb 26 17:37:47.557: AAA/AUTHOR/EXEC(00000013): processing AV cli-view-name=limited
>> Feb 26 17:37:47.557: AAA/AUTHOR/EXEC(00000013): processing AV service-type=7
>> Feb 26 17:37:47.561: AAA/AUTHOR/EXEC(00000013): Authorization successf
>>
>> As you can see it is being placed into the correct view, and show parser view on the telnet client confirms this.
>>
>> Appreciate any comments..
>>
>> thanks
>>
>> LR
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please visit
>> www.ipexpert.com
>>
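The thread hinges on two things: which view the RADIUS `shell:cli-view-name` AV pair actually lands the user in (visible in the `AAA/AUTHOR/EXEC` debug lines), and what that view's `parser view` definition, flattened through any superview, lets the user do. Below is an added example, written for this note and not code posted by anyone in the thread, that cross-checks the two: it parses `parser view` blocks from a running-config excerpt, resolves superviews into their member views, pairs each successful exec authorization in a debug capture with the view it assigned, and flags views that reach configuration mode. The config and debug text are constructed samples modelled on the thread (secrets replaced with placeholders); the function names and the `View` class are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed config excerpt, modelled on the views in the thread (secrets replaced
# with placeholders; not the poster's actual configuration).
SAMPLE_CONFIG = """\
parser view limited
 secret 5 $1$xxxx$PLACEHOLDER-HASH
 commands exec include show ip interface brief
 commands exec include show clock
 commands exec include show
!
parser view super
 secret 5 $1$xxxx$PLACEHOLDER-HASH
 commands interface include shutdown
 commands configure include interface
 commands exec include configure terminal
 commands exec include all show
!
parser view super-user superview
 secret 5 $1$xxxx$PLACEHOLDER-HASH
 view limited
 view super
!
"""

# Constructed debug excerpt (not the thread's capture): two completed exec
# authorizations and a third whose result never arrives within the capture.
SAMPLE_DEBUG = """\
Feb 26 17:37:47.553: RADIUS: Cisco AVpair [1] 29 "shell:cli-view-name=limited"
Feb 26 17:37:47.557: AAA/AUTHOR/EXEC(00000013): processing AV cli-view-name=limited
Feb 26 17:37:47.557: AAA/AUTHOR/EXEC(00000013): processing AV service-type=7
Feb 26 17:37:47.561: AAA/AUTHOR/EXEC(00000013): Authorization successful
Feb 26 17:41:02.101: AAA/AUTHOR/EXEC(00000014): processing AV cli-view-name=super-user
Feb 26 17:41:02.105: AAA/AUTHOR/EXEC(00000014): Authorization successful
Feb 26 17:42:10.300: AAA/AUTHOR/EXEC(00000015): processing AV cli-view-name=nosuchview
"""


@dataclass
class View:
    name: str
    superview: bool = False
    members: list = field(default_factory=list)   # child views (superviews only)
    commands: list = field(default_factory=list)  # (mode, command) tuples


VIEW_RE = re.compile(r"^parser view (\S+)( superview)?$")
CMD_RE = re.compile(r"^commands (\S+) (include|include-exclusive) (?:all )?(.+)$")
MEMBER_RE = re.compile(r"^view (\S+)$")


def parse_views(config_text):
    """Return {name: View} for every 'parser view' block in the config excerpt."""
    views, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "!":                      # '!' terminates a block
            current = None
            continue
        m = VIEW_RE.match(line)
        if m:
            current = View(m.group(1), superview=m.group(2) is not None)
            views[current.name] = current
            continue
        if current is None:
            continue
        m = CMD_RE.match(line)
        if m:                                # 'all' only widens the match; mode/command is what matters here
            current.commands.append((m.group(1), m.group(3)))
            continue
        m = MEMBER_RE.match(line)
        if m and current.superview:
            current.members.append(m.group(1))
    return views


def effective_commands(views, name, _seen=None):
    """Flatten a view (or superview) into the set of (mode, command) it grants."""
    _seen = set() if _seen is None else _seen
    if name in _seen or name not in views:   # unknown view or cycle: grants nothing
        return set()
    _seen.add(name)
    view = views[name]
    granted = set(view.commands)
    for child in view.members:
        granted |= effective_commands(views, child, _seen)
    return granted


def grants_config_access(views, name):
    """True if the view can enter configuration mode or run commands inside it."""
    return any(mode != "exec" or cmd.startswith("configure")
               for mode, cmd in effective_commands(views, name))


AV_RE = re.compile(r"AAA/AUTHOR/EXEC\((\w+)\): processing AV cli-view-name=(\S+)")
OK_RE = re.compile(r"AAA/AUTHOR/EXEC\((\w+)\): Authorization successful")


def assigned_views(debug_text):
    """Map session id -> view name for exec authorizations that completed successfully."""
    pending, done = {}, {}
    for line in debug_text.splitlines():
        m = AV_RE.search(line)
        if m:
            pending[m.group(1)] = m.group(2)
            continue
        m = OK_RE.search(line)
        if m and m.group(1) in pending:
            done[m.group(1)] = pending.pop(m.group(1))
    return done


def audit(config_text, debug_text):
    """For each successful session: (view, defined in config?, reaches config mode?)."""
    views = parse_views(config_text)
    report = {}
    for session, view in assigned_views(debug_text).items():
        defined = view in views
        report[session] = (view, defined, defined and grants_config_access(views, view))
    return report


if __name__ == "__main__":
    for session, (view, defined, cfg) in audit(SAMPLE_CONFIG, SAMPLE_DEBUG).items():
        print(f"session {session}: view={view} defined={defined} config-mode access={cfg}")
```

Running it on the samples reports session 00000013 in `limited` with no configuration-mode commands and session 00000014 in the `super-user` superview, which inherits `configure terminal` and the interface-mode commands from `super`; session 00000015 is not reported because no `Authorization successful` line followed its AV pair. The audit only covers what the view definition itself grants: the thread's observation that a user who knows the enable secret can still `enable` to privilege 15 is not something the view definition controls, so it has to be checked separately.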
