Without using enable 15 password, just enter "configure ter" in user exec mode, when you are logged in using the CLI view user.
With regards
Kings

On Sun, Feb 27, 2011 at 9:34 PM, LEE READE <[email protected]> wrote:

> i could do anything i wanted, ie priv 15.
>
> hence why i didn't think it was correct..
>
> thanks
>
> LR
>
> ------------------------------
> *From:* Kingsley Charles <[email protected]>
> *To:* LEE READE <[email protected]>
> *Cc:* Jerome Dolphin <[email protected]>; [email protected]
> *Sent:* Sunday, 27 February, 2011 15:37:05
> *Subject:* Re: [OSL | CCIE_Security] Security VOL1 5.7 Role Based CLI
>
> Just type "configure ter" and hit enter in the user mode, what do you see?
>
> With regards
> Kings
>
> On Sun, Feb 27, 2011 at 3:46 PM, LEE READE <[email protected]> wrote:
>
>> it was just that the pg showed the user being authorised and put into exec
>> mode directly r4:#, whereas mine you go into user exec r4:/
>>
>> also, if you know the enable password you can just enable up to priv15, i
>> just thought the idea was that the user was restricted to the commands you
>> make available in the view?
>>
>> thanks
>>
>> LR
>>
>> ------------------------------
>> *From:* Jerome Dolphin <[email protected]>
>> *To:* LEE READE <[email protected]>
>> *Cc:* [email protected]
>> *Sent:* Saturday, 26 February, 2011 22:52:57
>> *Subject:* Re: [OSL | CCIE_Security] Security VOL1 5.7 Role Based CLI
>>
>> Hi Lee, what sort of comments are you looking for? Is there a specific
>> problem or everything is working as expected?
>>
>> Cheers, Jerome
>>
>> On Sun, Feb 27, 2011 at 4:39 AM, LEE READE <[email protected]> wrote:
>>
>>> aaa new-model
>>> aaa authentication login default none
>>> aaa authentication login con none
>>> aaa authentication login vty group radius
>>> aaa authentication enable default enable
>>> aaa authorization exec default group radius
>>>
>>> ip radius source-interface Loopback0
>>> radius-server attribute 6 mandatory
>>> radius-server host 10.1.1.100 auth-port 1812 acct-port 1813 key ipexpert
>>> radius-server vsa send accounting
>>> radius-server vsa send authentication
>>>
>>> parser view limited
>>>  secret 5 $1$mCJ5$Eoq3E30WEqDiBqGBpn9V.1
>>>  commands exec include show ip interface brief
>>>  commands exec include show ip interface
>>>  commands exec include show ip
>>>  commands exec include show clock
>>>  commands exec include show version
>>>  commands exec include show logging
>>>  commands exec include show
>>> !
>>> parser view limited2
>>>  secret 5 $1$N.IR$Fv0Jk7IkFpdCuCpCDXsb..
>>>  commands exec include ping
>>>  commands exec include all show interfaces
>>>  commands exec include show
>>> !
>>> parser view super
>>>  secret 5 $1$WWuS$oOrY4mkKRrCFkwpA7NHdn0
>>>  commands interface include shutdown
>>>  commands interface include no shutdown
>>>  commands interface include no
>>>  commands configure include interface
>>>  commands exec include configure terminal
>>>  commands exec include configure
>>>  commands exec include all show
>>>  commands configure include interface FastEthernet0/1.49
>>> !
>>> parser view super-user superview
>>>  secret 5 $1$mP4v$Hn1PdYa2Dt7c66/flrGDU1
>>>  view limited
>>>  view limited2
>>>  view super
>>>
>>> debug radius and author-
>>>
>>> R4#
>>> Feb 26 17:37:42.773: AAA/BIND(00000013): Bind i/f
>>> Feb 26 17:37:42.773: RADIUS/ENCODE(00000013): ask "Username: "
>>> Feb 26 17:37:42.773: RADIUS/ENCODE(00000013): send packet; GET_USER
>>> R4#
>>> Feb 26 17:37:45.789: RADIUS/ENCODE(00000013): ask "Password: "
>>> Feb 26 17:37:45.789: RADIUS/ENCODE(00000013): send packet; GET_PASSWORD
>>> Feb 26 17:37:47.541: RADIUS/ENCODE(00000013):Orig. component type = EXEC
>>> Feb 26 17:37:47.541: RADIUS/ENCODE(00000013): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
>>> Feb 26 17:37:47.541: RADIUS(00000013): Config NAS IP: 4.4.4.4
>>> Feb 26 17:37:47.541: RADIUS/ENCODE(00000013): acct_session_id: 17
>>> Feb 26 17:37:47.541: RADIUS(00000013): sending
>>> Feb 26 17:37:47.545: RADIUS(00000013): Send Access-Request to 10.1.1.100:1812 id 1645/17, len 85
>>> Feb 26 17:37:47.545: RADIUS: authenticator A4 BD 3C 00 D9 59 48 20 - 41 16 AA 18 6F 13 B0 D4
>>> Feb 26 17:37:47.545: RADIUS: User-Name [1] 9 "limited"
>>> Feb 26 17:37:47.545: RADIUS: User-Password [2] 18 *
>>> Feb 26 17:37:47.545: RADIUS: NAS-Port [5] 6 514
>>> Feb 26 17:37:47.545: RADIUS: NAS-Port-Id [87] 8 "tty514"
>>> R4#
>>> Feb 26 17:37:47.545: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
>>> Feb 26 17:37:47.545: RADIUS: Calling-Station-Id [31] 12 "10.1.1.100"
>>> Feb 26 17:37:47.545: RADIUS: NAS-IP-Address [4] 6 4.4.4.4
>>> Feb 26 17:37:47.553: RADIUS: Received from id 1645/17 10.1.1.100:1812, Access-Accept, len 91
>>> Feb 26 17:37:47.553: RADIUS: authenticator AC DF 7E 66 06 DD 8B B6 - 92 60 AF 36 7B FC 2A 69
>>> Feb 26 17:37:47.553: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
>>> Feb 26 17:37:47.553: RADIUS: Vendor, Cisco [26] 35
>>> Feb 26 17:37:47.553: RADIUS: Cisco AVpair [1] 29 "shell:cli-view-name=limited"
>>> Feb 26 17:37:47.557: RADIUS: Service-Type [6] 6 NAS Prompt [7]
>>> Feb 26 17:37:47.557: RADIUS: Class [25] 24
>>> Feb 26 17:37:47.557: RADIUS: 43 41 43 53 3A 30 2F 39 34 65 2F 34 30 34 30 34 [CACS:0/94e/40404]
>>> Feb 26 17:37:47.557: RADIUS: 30 34 2F 35 31 34 [04/514]
>>> Feb 26 17:37:47.557: RADIUS(00000013): Received from id 1645/17
>>> Feb 26 17:37:47.557: AAA/AUTHOR/EXEC(00000013): processing AV cli-view-name=limited
>>> Feb 26 17:37:47.557: AAA/AUTHOR/EXEC(00000013): processing AV service-type=7
>>> Feb 26 17:37:47.561: AAA/AUTHOR/EXEC(00000013): Authorization successf
>>>
>>> as you can see it is being placed into the correct view, and show parser
>>> view on telnet client confirms this.
>>>
>>> appreciate any comments..
>>>
>>> thanks
>>>
>>> LR
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
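The check asked for in this thread, as an added example that is not part of the original messages: a simplified Python model of parser-view matching, run over stanzas constructed from the posted config, that reports whether the view named in the RADIUS `cli-view-name` AV pair permits `configure ter`. The function names and the matching rules (keyword abbreviation, `all` covering deeper keywords) are assumptions for illustration, not the IOS parser itself.

```python
import re

# Constructed input: parser-view stanzas and one debug line from the post (secrets left out).
CONFIG = """\
parser view limited
 commands exec include show ip interface brief
 commands exec include show
parser view limited2
 commands exec include all show interfaces
parser view super
 commands exec include configure terminal
 commands exec include configure
 commands exec include all show
parser view super-user superview
 view limited
 view limited2
 view super
"""
DEBUG = "AAA/AUTHOR/EXEC(00000013): processing AV cli-view-name=limited"

def parse_views(text):
    """Return {view: {"rules": [(mode, all_flag, keywords)], "members": [views]}}."""
    views, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"parser view (\S+)(?: superview)?", line):
            cur = views.setdefault(m[1], {"rules": [], "members": []})
        elif cur is not None and (m := re.fullmatch(r"view (\S+)", line)):
            cur["members"].append(m[1])
        elif cur is not None and (m := re.fullmatch(r"commands (\S+) include (all )?(.+)", line)):
            cur["rules"].append((m[1], bool(m[2]), m[3].split()))
    return views

def permits(views, view, mode, typed):
    """Simplified model of view matching (assumption), not the IOS parser."""
    words = typed.split()
    for rmode, all_flag, rule in views[view]["rules"]:
        fits = len(words) == len(rule) or (all_flag and len(words) > len(rule))
        # Each typed word may abbreviate the rule's keyword ("ter" for "terminal").
        if rmode == mode and fits and all(r.startswith(w) for r, w in zip(rule, words)):
            return True
    # A superview grants whatever any of its member views grants.
    return any(permits(views, m, mode, typed) for m in views[view]["members"])

def view_from_debug(line):
    m = re.search(r"cli-view-name=(\S+)", line)
    return m[1] if m else None

if __name__ == "__main__":
    views = parse_views(CONFIG)
    for name in (view_from_debug(DEBUG), "super", "super-user"):
        print(name, permits(views, name, "exec", "configure ter"))
```
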
