Role Based CLI Access


Scenario:

As the security specialist for your company, you want to ensure employees don’t get more access than they need. At the moment everyone logs in to your routers at privilege level 15, and you want to make sure this no longer happens.

Goals:

  • All IP addresses have been preconfigured for you.
  • Configure a role called “TRAINEE” on router Rollin.
  • Role “TRAINEE” should be able to change the IP address on loopback0.
  • Configure a role called “DEBUG” on router Rollin.
  • Role “DEBUG” should be able to use all debug commands.
  • Configure a role called “ALLMIGHTY” on router Rollin.
  • Role “ALLMIGHTY” should be able to do whatever roles “TRAINEE” and “DEBUG” can do.
  • To authenticate the roles you should use password “VAULT”.

IOS:

c3640-jk9s-mz.124-16.bin

Topology:

[Figure: Role Based CLI Access topology]
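
One configuration that meets the goals above, as an added example rather than the lab's own solution file. It assumes AAA is not yet enabled on Rollin, and the enable secret shown is a placeholder; the views are created while in the root view.

```cisco
! Added example, not the lab's configuration file.
! Views require AAA and an enable secret (used to enter the root view).
! Note: aaa new-model changes how vty logins are authenticated,
! so keep a working way in before enabling it on a remote device.
enable secret <ENABLE-SECRET-PLACEHOLDER>
aaa new-model
!
! From privileged EXEC, enter the root view before creating views:
!   Rollin# enable view
!
! TRAINEE: reach interface configuration and change an IP address.
! The secret must be set before commands can be added to a view.
! "include interface" is not limited to loopback0 here; check on the
! lab image which interfaces the view can actually enter.
parser view TRAINEE
 secret VAULT
 commands exec include configure terminal
 commands configure include interface
 commands interface include ip address
!
! DEBUG: every debug command, plus undebug so the role can turn
! debugging off again.
parser view DEBUG
 secret VAULT
 commands exec include all debug
 commands exec include all undebug
!
! ALLMIGHTY: a superview holds no commands of its own, it inherits
! everything from the views attached to it.
parser view ALLMIGHTY superview
 secret VAULT
 view TRAINEE
 view DEBUG
!
! Verification from EXEC:
!   Rollin# enable view TRAINEE     (password VAULT)
!   Rollin# show parser view        (shows the current view)
!   Rollin# ?                       (lists only the permitted commands)
```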


Written by René Molenaar - CCIE #41726

About the Author: Rene Molenaar

René - CCIE #41726 is the creator of GNS3Vault.com where he shares CCNA, CCNP and CCIE R&S labs. He also blogs about networking on http://networklessons.com

3 Comments

  1. Hello dear Rene
    My problem with Role Base CLI

    I just want access to configure router OSPF
    I created view OSPF-TUNE

    ————————————-
    parser view OSPF-TUNE

    R1(config-view)#commands exec include configure terminal

    R1(config-view)#commands configure include router ospf

    ————————————

    But when I entered the OSPF-TUNE

    R1#?
    Exec commands:
    configure Enter configuration mode
    enable Turn on privileged commands
    exit Exit from the EXEC
    show Show running system information
    R1#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    R1(config)#?
    Configure commands:
    do To run exec commands in config mode
    exit Exit from configure mode
    router Enable a routing process

    I just want access to configure router OSPF But…

    R1(config)#router ?
    bgp Border Gateway Protocol (BGP)
    isis ISO IS-IS
    iso-igrp IGRP for OSI networks
    mobile Mobile routes
    odr On Demand stub Routes
    ospf Open Shortest Path First (OSPF)
    rip Routing Information Protocol (RIP)

    Please Help Me…

    1. What happens if you try to configure BGP or RIP? I believe on 12.4T, the option may present itself, but you cannot execute the command. It’s been a long time, have not tested in a while.
