“welcome” or any other familiar greeting that may
be misconstrued as an invitation to use the network. Banners
are disabled by default and must be explicitly enabled by the
administrator. As shown in Figure , use the banner
command from global configuration mode to specify appropriate
messages. Figure shows the command syntax and an example.
Figure shows the parameters for the banner command.
There are four valid tokens that you can use within the
message section of the banner command:
- $(hostname): Displays the hostname for the router
- $(domain): Displays the domain name for the router
- $(line): Displays the vty or tty (asynchronous) line number
- $(line-desc): Displays the description attached to the line

5.6 Configuring Role-Based CLI

5.6.1 Role-Based CLI Overview

Although users can control CLI access via both privilege levels and
enable mode passwords, these functions do not provide the
necessary level of detail needed when working with Cisco IOS
routers and switches. The Role-Based CLI Access feature allows
you to define “views,” which are sets of operational commands
and configuration capabilities that provide selective or
partial access to Cisco IOS EXEC and configuration mode
commands. Views restrict user access to Cisco IOS CLI and
configuration information; that is, a view can define what
commands are accepted and what configuration information is
visible. CLI views provide a more detailed access control
capability for network administrators, thereby improving the
overall security and accountability of Cisco IOS software.

As of Cisco IOS Release 12.3(11)T, you can also add an
interface or a group of interfaces to a view, thereby allowing
access on the basis of specified interfaces.

Access to a view is protected with a password. This protection
is similar to the concept that the privilege levels use.

To simplify view management, views can be grouped into
superviews to create large sets of commands and interfaces. A
superview encompasses several individual views, resulting in
wider administrative privileges. Figure summarizes this overview.

Role-Based CLI Details

Figure lists details of the role-based CLI
feature. When a system is in root view, it has the same
access privileges as a user who has level 15 privileges. If you
wish to configure any view on the system, the system must be in
root view. The difference between a user who has level 15
privileges and a root view user is that a root view user can
configure a new view and add or remove commands from the view.
When you are in a CLI view, you only have access to the
commands that have been added to that view by the root view
user.

View authentication can be performed by an external AAA
server via the new cli-view-name attribute. AAA
authentication associates only one view name to a particular
user; that is, only one view name can be configured for a user
in an authentication server.

Note: AAA provides
access to an external user database that is used for
authentication, authorization, and accounting tasks. Without
the external AAA server, all network devices would need to
maintain a local copy of the user database, which may have a
severe impact on scalability and functionality of the system.

The maximum number of CLI views and superviews, including one
lawful intercept view, that can be configured is 15. (This does
not include the root view.) Like a CLI view, a lawful intercept
view restricts access to specified commands and configuration
information. Specifically, a lawful intercept view allows a
user to secure access to lawful intercept commands that are
held within the TAP-MIB, which is a special set of Simple
Network Management Protocol (SNMP) commands that store
information about calls and users.

5.6.2 Getting Started with Role-Based CLI

Figure describes the configuration steps that are related to
role-based CLI. Before you enter or create a view, you must
enable AAA via the aaa new-model command. Next, you use
the enable command with the view parameter to enter the
root view. You are prompted for authentication, if
authentication is configured. Use the privilege 15 password.

Note: If AAA is not enabled, you will receive this
error message:

router#enable view
% AAA must be configured

Figure describes the parameters for the enable command.

5.6.3 Configuring CLI Views

After aaa new-model has been
enabled and you enter the root view, create a view and enter
the view configuration mode using the parser view
command shown in Figure . You need to specify the name of the
view that you want to create or the existing view that you want
to modify.

Next, protect access to the CLI view with a secret
using the password command. The only available
encryption algorithm is MD5, represented by the number 5 in the
first parameter field. Then provide a password that will be
required to enter this view. You must issue this command before
you can configure additional attributes for the view.

Finally, add commands or interfaces to a view using the commands
command. Figure describes the parameters for the
commands command.

5.6.4 Configuring Superviews

Role-based CLI facilitates the
concept of grouping CLI views into view supersets, called
superviews. A superview consists of one or more CLI views,
which allow users to define which commands are accepted and
what configuration information is visible. Superviews allow you
to easily assign all users within configured CLI views to a
superview instead of having to assign multiple CLI views to a
group of users. Superviews have these characteristics:
- A CLI view can be shared among multiple superviews.
- Commands cannot be configured for a superview; that is,
you must add commands to the CLI view and add that CLI view to
the superview.
- Users who are logged in to a superview
can access all of the commands that are configured for any of
the CLI views that are part of the superview.
- Each superview has a password that is used to switch between
superviews or from a CLI view to a superview.
- If a superview is deleted, the CLI views associated with that
superview are not deleted.

To configure a
superview, use the parser view command, shown in Figure
, and configure a password for that superview. Then, add a
normal CLI view to the superview using the view command.
Issue this command for each CLI view that you want to add to
the superview.

Note: Before adding a CLI view to a
superview, ensure that the CLI views that are added to the
superview are valid views in the system; that is, the views
have been successfully created via the parser view
command.
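
The rules from 5.6.1 through 5.6.4 (AAA enabled first, a password on every view, at most 15 views, no commands on a superview, superview members must already exist as CLI views) can be checked against a configuration file before it is applied. The script below is an added example, not part of the original course material. It assumes running-config layout with sub-commands indented by one space, a superview header of the form parser view NAME superview, and a view password line starting with either secret or password; the view names and hash in the sample are constructed.

```python
import re
MAX_VIEWS = 15  # limit from the text: CLI views plus superviews, root view excluded
# Constructed sample in running-config layout; view names and hash are made up.
SAMPLE_CONFIG = """\
aaa new-model
!
parser view first
 secret 5 $1$constructed$hash
 commands exec include show version
!
parser view second
 commands exec include show interfaces
!
parser view ops superview
 secret 5 $1$constructed$hash
 view first
 view third
 commands exec include show running-config
"""

def parse_views(config):
    """Map each view name to {"superview": bool, "lines": [sub-commands]}."""
    views, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"parser view (\S+)( superview)?\s*$", raw)
        if m:
            current = views.setdefault(m.group(1), {"superview": bool(m.group(2)), "lines": []})
        elif raw.startswith(" ") and current is not None:
            current["lines"].append(raw.strip())
        else:
            current = None  # "!" or any other top-level line closes the view block
    return views

def audit(config):
    findings, views = [], parse_views(config)
    if not re.search(r"^aaa new-model\s*$", config, re.M):
        findings.append("aaa new-model missing: views cannot be entered or created")
    if len(views) > MAX_VIEWS:
        findings.append(f"{len(views)} views configured, limit is {MAX_VIEWS}")
    for name, v in views.items():
        if not any(l.startswith(("secret ", "password ")) for l in v["lines"]):
            findings.append(f"{name}: no view password configured")
        if v["superview"] and any(l.startswith("commands ") for l in v["lines"]):
            findings.append(f"{name}: commands set directly on a superview")
        members = [l.split()[1] for l in v["lines"] if l.startswith("view ")]
        for member in members if v["superview"] else []:
            if member not in views or views[member]["superview"]:
                findings.append(f"{name}: member {member} is not an existing CLI view")
    return findings
```

Calling audit(SAMPLE_CONFIG) reports the missing password on the view second and the two superview problems on ops.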

5.6.5 Role-Based CLI Monitoring

When monitoring role-based CLI, use the command
show parser view to display information about the view
that the user is currently in. The option all displays
information for all views configured on the router. Figure
shows the command syntax for the show parser view
command.

Note: The all keyword is available
only to root users. However, the all keyword can be
configured by a user in root view to be available for users in
any CLI view.

To display debug messages for all views, use the
debug parser view command in privileged EXEC mode.

5.6.6 Role-Based CLI Configuration Example

In the example shown in Figure , the CLI view
first is created and configured to include the commands
show version, configure terminal, and all