Role Based Cli Access - Allow all global configuation commands

Yasmeen
Level 1

Hi Team,

I have configured role-based CLI on my lab Cisco switch. In that view I need to give full access in global configuration mode:

  • The user can configure all the available commands in global configuration mode.
  • Please help me configure those commands in the parser view.
  • cisco(config)# <allow all the commands>

Thanks in advance,

Yasmeen Shaul Hameed.


8 Replies

balaji.bandi
Hall of Fame

Unlike ACS/ISE, in role-based access control (RBAC) you have limited functions available.

You can manually assign certain commands to certain privilege levels, then assign those levels to a user.

By default, only three of the 16 levels are in use:

Privilege 0 - access to almost nothing
Privilege 1 - access to basic non-configuration commands, commonly known as "user exec"
Privilege 15 - access to everything, commonly known as "privilege exec"

That leaves 2-14 for customization!

 

Old reference guide (IOS-based):

https://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html

XE-based:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/xe-16/sec-usr-cfg-xe-16-book/sec-role-base-cli.html

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I need role-based access commands, not privilege-level access restriction.
I already tried privilege levels; they are not supported on my setup,
so I configured role-based CLI with a root view and a user view.
In that user view I want to be able to configure all privilege-level commands.
My aim is to protect the uplink interfaces.
Except for the uplink interfaces, I want to allow all remaining commands on the Cisco switch.

Did you get a chance to look at the URL I referred to in the earlier post?

 

https://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html

 

 

BB


Hello,

 

If you want to use role-based access, I am afraid you have no other choice but to list each single command. I have put together the template below, which you can use. Interfaces GigabitEthernet0/0 and 0/1 are excluded; these would be your uplinks, and the user would not be able to configure them:

 

username support_1 privilege 15 view SUPPORT_1 secret supportpassword
!
parser view SUPPORT_1
secret supportpassword
commands configure exclude interface GigabitEthernet0/0
commands configure exclude interface GigabitEthernet0/1
commands exec include configure terminal
commands configure include all alias
commands configure include all access-list
commands configure include all alps
commands configure include all access-session
commands configure include all aaa
commands configure include all ancp
commands configure include all apollo
commands configure include all appletalk
commands configure include all arap
commands configure include all archive
commands configure include all arp
commands configure include all async-bootp
commands configure include all authentication
commands configure include all auto
commands configure include all autoconf
commands configure include all banner
commands configure include all beep
commands configure include all bfd
commands configure include all bfd-template
commands configure include all boot
commands configure include all bridge
commands configure include all bridge-domain
commands configure include all bstun
commands configure include all buffers
commands configure include all busy-message
commands configure include all captive-portal-bypass
commands configure include all cdp
commands configure include all cef
commands configure include all chat-script
commands configure include all class-map
commands configure include all clns
commands configure include all clock
commands configure include all cns
commands configure include all configuration
commands configure include all connect
commands configure include all control-plane
commands configure include all crypto
commands configure include all decnet
commands configure include all default
commands configure include all default-value
commands configure include all define
commands configure include all device-sensor
commands configure include all dialer
commands configure include all dialer-list
commands configure include all dlsw
commands configure include all dnsix-dmdp
commands configure include all dnsix-nat
commands configure include all do-exec
commands configure include all dot1x
commands configure include all downward-compatible-config
commands configure include all dspu
commands configure include all eap
commands configure include all energywise
commands configure include all epm
commands configure include all errdisable
commands configure include all ethernet
commands configure include all event
commands configure include all exception
commands configure include all exit
commands configure include all fallback
commands configure include all fhrp
commands configure include all file
commands configure include all flow
commands configure include all flow-sampler-map
commands configure include all format
commands configure include all frame-relay
commands configure include all global-address-family
commands configure include all help
commands configure include all hostname
commands configure include all hw-module
commands configure include all id-manager
commands configure include all identity
commands configure include all interface
commands configure include all ip
commands configure include all ipc
commands configure include all ipv6
commands configure include all isis
commands configure include all kerberos
commands configure include all key
commands configure include all keymap
commands configure include all kron
commands configure include all l2
commands configure include all l2protocol-tunnel
commands configure include all l2tp
commands configure include all l2tp-class
commands configure include all lacp
commands configure include all lat
commands configure include all li-view
commands configure include all lnm
commands configure include all locaddr-priority-list
commands configure include all location
commands configure include all logging
commands configure include all login
commands configure include all login-string
commands configure include all mab
commands configure include all mac
commands configure include all macro
commands configure include all map-class
commands configure include all map-list
commands configure include all mediatrace
commands configure include all memory
commands configure include all memory-size
commands configure include all menu
commands configure include all metadata
commands configure include all modemcap
commands configure include all monitor
commands configure include all mpls
commands configure include all multilink
commands configure include all ncia
commands configure include all netbios
commands configure include all netconf
commands configure include all nmsp
commands configure include all no
commands configure include all ntp
commands configure include all object-group
commands configure include all onep
commands configure include all parameter-map
commands configure include all parser
commands configure include all partition
commands configure include all passthru-domain-list
commands configure include all password
commands configure include all pnp
commands configure include all policy-map
commands configure include all port-channel
commands configure include all port-security
commands configure include all priority-list
commands configure include all privilege
commands configure include all process
commands configure include all process-max-time
commands configure include all prompt
commands configure include all pseudowire-class
commands configure include all qos
commands configure include all queue-list
commands configure include all regexp
commands configure include all resource
commands configure include all resume-string
commands configure include all rif
commands configure include all rlogin
commands configure include all route-map
commands configure include all route-tag
commands configure include all router
commands configure include all rsrb
commands configure include all sampler
commands configure include all sap-priority-list
commands configure include all sasl
commands configure include all scheduler
commands configure include all scripting
commands configure include all service
commands configure include all service-instance
commands configure include all service-list
commands configure include all service-policy
commands configure include all service-routing
commands configure include all service-template
commands configure include all shell
commands configure include all shutdown
commands configure include all smrp
commands configure include all sna
commands configure include all snmp
commands configure include all snmp-server
commands configure include all source
commands configure include all source-bridge
commands configure include all spanning-tree
commands configure include all stacks
commands configure include all standby
commands configure include all state-machine
commands configure include all stun
commands configure include all subscriber-policy
commands configure include all table-map
commands configure include all tacacs-server
commands configure include all tarp
commands configure include all template
commands configure include all terminal-queue
commands configure include all tftp-server
commands configure include all time-range
commands configure include all tn3270
commands configure include all track
commands configure include all translate
commands configure include all ttycap
commands configure include all ttyscan
commands configure include all udld
commands configure include all user-name
commands configure include all username
commands configure include all vines
commands configure include all virtual-profile
commands configure include all virtual-template
commands configure include all vlan
commands configure include all vrf
commands configure include all vtp
commands configure include all vty-async
commands configure include all wsma
commands configure include all x25
commands configure include all x29
commands configure include all xconnect
commands configure include all xremote
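To make a template this long manageable, it helps to generate it from a keyword list and to review it afterwards for includes that touch authentication or authorization settings. The script below is an added example, not code from this thread or from Cisco. It models only the text of the "commands <mode> include|exclude ..." lines; the set of keywords it treats as access-control-relevant and the prefix-matching rule for excludes are assumptions of the example, not a description of how the IOS parser enforces views. What a view member can actually run is decided by the switch, so confirm on the device with "show parser view" and a test login.

```python
"""Build and audit a Cisco IOS parser view (role-based CLI) configuration.

Added example, not from the thread or from Cisco. It is a text model of the
"commands <mode> include|exclude ..." lines, good enough to generate a
template like the accepted answer's and to review one for least-privilege
problems. It is not the IOS parser; verify behaviour on the switch.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a shortened version of the template in the thread.
SAMPLE_VIEW = """\
parser view SUPPORT_1
secret supportpassword
commands configure exclude interface GigabitEthernet0/0
commands configure exclude interface GigabitEthernet0/1
commands exec include configure terminal
commands configure include all interface
commands configure include all vlan
commands configure include all username
commands configure include all aaa
"""

# Global-config keywords that change who may log in or what they may run.
# Assumption of this example: a hit here is a review prompt for the person
# approving the view, not proof of privilege escalation on any platform.
ACCESS_CONTROL_KEYWORDS = {
    "aaa", "username", "privilege", "parser", "tacacs-server", "password", "login",
}

RULE_RE = re.compile(r"^commands\s+(\S+)\s+(include|exclude)\s+(?:(all)\s+)?(.+?)\s*$")


@dataclass
class ParserView:
    name: str
    includes: dict = field(default_factory=dict)  # mode -> list of command prefixes
    excludes: dict = field(default_factory=dict)  # mode -> list of command prefixes


def parse_view(text):
    """Parse the first 'parser view' block in text into a ParserView."""
    view = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("parser view "):
            view = ParserView(name=line.split()[2])
            continue
        m = RULE_RE.match(line)
        if view is None or not m:
            continue  # "secret ..." lines and anything outside the view block
        mode, action, _all, cmd = m.groups()
        target = view.includes if action == "include" else view.excludes
        target.setdefault(mode, []).append(cmd)
    return view


def is_excluded(view, mode, command):
    """True if command matches an exclude prefix for that mode, word by word.

    Word-level comparison matters: the prefix 'interface GigabitEthernet0/1'
    must not also match 'interface GigabitEthernet0/10'.
    """
    words = command.split()
    for prefix in view.excludes.get(mode, []):
        p = prefix.split()
        if words[: len(p)] == p:
            return True
    return False


def audit_view(view):
    """Return (mode, command) include rules whose first keyword is access-control-relevant."""
    findings = []
    for mode, cmds in view.includes.items():
        for cmd in cmds:
            if cmd.split()[0] in ACCESS_CONTROL_KEYWORDS:
                findings.append((mode, cmd))
    return findings


def build_view(name, secret, keywords, uplinks):
    """Generate a template in the shape of the accepted answer.

    Uplink excludes are emitted first, then 'configure terminal' in exec mode,
    then one 'include all' line per global-config keyword.
    """
    lines = [f"parser view {name}", f"secret {secret}"]
    lines += [f"commands configure exclude interface {u}" for u in uplinks]
    lines.append("commands exec include configure terminal")
    lines += [f"commands configure include all {k}" for k in sorted(keywords)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    v = parse_view(SAMPLE_VIEW)
    print(f"view {v.name}: excludes {v.excludes.get('configure', [])}")
    for mode, cmd in audit_view(v):
        print(f"review: 'commands {mode} include all {cmd}' touches access control")
    print(build_view("SUPPORT_2", "REPLACE_ME", ["vlan", "interface"], ["GigabitEthernet0/0"]))
```

Running it against the constructed sample reports the two uplink excludes and flags the `username` and `aaa` includes for review; the generated `SUPPORT_2` block can be pasted into a lab switch after replacing the placeholder secret.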

Hi Georg Pauwen,
Thank you so much for sharing these commands. They are really useful; I am able to access 99% of the commands in global configuration mode.
Thank you once again.

regards,
Yasmeen Shaul Hameed.

Hello,

 

I used a 15.2 based IOS switch for the commands, newer (or XE) versions might have more, or slightly different ones, so you might need to alter the list depending on which switch you have.

Hello

+5 for that, @Georg Pauwen. I wasn't aware of parser views; they seem to be much more granular than privilege commands.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello

 


@Yasmeen wrote:
    I need role-based access commands, not privilege-level access restriction.
    I already tried privilege levels; they are not supported on my setup,
    so I configured role-based CLI with a root view and a user view.
    In that user view I want to be able to configure all privilege-level commands.
    My aim is to protect the uplink interfaces.
    Except for the uplink interfaces, I want to allow all remaining commands on the Cisco switch.

You can either negate or limit CLI interface access or not; however, as far as I am aware, you cannot specify specific individual interfaces that your user view role can access.

 



Kind Regards
Paul