cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
556
Views
0
Helpful
2
Replies

RBAC - associate user to view confusion

kst.amand
Level 1
Level 1

Attemptiong to associate usernames with specific views once they login.

Views have been successfully created and associated with username, but when the user logs in - they have to enter "ena view xxxx" before the view applies to them.

My understanding from readin the RBAC material is once the user logs in, they would automatically be under the control or into that view mode.

Environment;

ISR Routers - 1800, 2800, 3800

IOS - Advipservices

Ver - 12.4(22)T

AAA - No ACS, TACACS+, or RADIUS -- just AAA New-Model

What am I missing??

Config Snippet

aaa new-model

!

!

aaa authentication login default local

aaa authentication login console local

aaa authentication login vty local

aaa authentication login local_auth local

!

!

username nocoper view NOCOPER password 7 045504050031495C49

!

!

parser view NOCOPER

secret 5 $1$mUXP$w1Oqpr/rCvkhjcviGfkE8.

commands configure include-exclusive line

commands configure exclude interface

commands exec include configure terminal

commands exec include configure

commands exec include show running-config

commands exec include show

2 Replies 2

vmoopeung
Level 5
Level 5

Users can be associated with a local CLI View by a return attribute from AAA or in local Authentication configuration. For local configuration, the username is configured with an additional view option, which matches the configured parser view name. These example users are configured for the default SDM Views:

username fw-user privilege [privilege-level] view SDM_Firewall

username monitor-user privilege [privilege-level] view SDM_Monitor

username vpn-user privilege [privilege-level] view SDM_EasyVPN_Remote

username sdm-root privilege [privilege-level] view rootUsers who are assigned to a given view can temporarily switch to another view if they have the password for the view that they want to enter. Issue this exec command in order to change views:

enable view view-name

hello,

You have to add the authorization command :

aaa authorization exec default local

thank you

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: