Cisco routers are doing so many more things today other than routing that I frequently get asked how can I give such and such group limited, specific access to my router? A common example of this I run into is a customer has routers that are running multiple services: firewall, IPS, VPN, QoS, Voice Gateway, oh and of course routing. The network team typically owns exclusive admin privileges to the router but is frequently in need of providing other groups with limited, controlled access to their gear. The security team wants access to the IPS configuration, the voice group wants access to the voice gateway, the NOC support guys want access for troubleshooting, etc. etc. The bottom line is folks want to know how to configure their cisco routers to perform easy, yet granular, role-based access control.
My guess is you IOS jockeys out there already know about privilege levels and assigning commands to a privilege level and assigning the levels to groups/users. Yep, that works. But there is a better way. It is called CLI Views (also known as role-based CLI Access feature) and has been around since 12.3(7)T IOS release.
CLI Views restrict access to the CLI command set and interfaces available to a member of that view. A view can define what commands are accepted and what configuration information is visible from what interface. You can configure up to 15 CLI views on a router, way more than you should consider using. In most environments you will use your AAA server to assign views to users and groups. A new AAA attribute "cli-view-name" has been created for this purpose.
There are 4 types of views: CLI view, root view, super view and lawful intercept view. A cli view is where you configure up your view policy for a particular role. A root view is the mode you must be in on the router in order to configure a cli view (priv 15 doesn't cut it). A super view is a collection and merging of multiple cli views. You then can assign the super view to users or groups. The lawful intercept view is reserved for the specific use of that feature; check the docs for more info if you are interested.
OK, lets get into it. Here is how you configure CLI Views on a Cisco IOS router.
!you must enable AAA. Be sure you have a local username configured before you do !this and your VTY is setup right so you don't get locked out.
!Jump into the root view so you can configure a CLI view
!create a new view
OurHouse(config)#parser view security-IPS
!Create a password for this view
!add commands or interfaces to the CLI view
! exclude Exclude the command from the view
! include Add command to the view
! include-exclusive Include only in this view but exclude from other views
OurHouse(config-view)#commands exec include configure terminal
OurHouse(config-view)#commands configure include ip ips
OurHouse(config-view)#commands exec include show ips
OurHouse(config-view)#commands interface include fa1/3
!Create a super view and attach multiple CLI Views
OurHouse(config)#parser view security-group superview
!To see what views are configured or the view you are in
OurHouse#show parser view all
!To test or go to a view
enable view security-group
CLI Views Documentation:
Let me know about your experiences with CLI views.
The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.
More from Jamey Heary:
* Credit Card Skimming: How thieves can steal your card info without you knowing it
* Google Nexus One vs. Top 10 Phone Security Requirements
* Why you should always shred your boarding pass
* Video rental records are afforded more privacy protections than your online data
* The truth about new SSL attacks
* 2009 Top Urban Legends in IT Security/a>
Go to Jamey’s Blog for more articles on security.