Cisco CCIE Security 350-701 – AAA Authorization Part 4

  1. RBAC Views – Types

In this section we will look at the different types of views and what each of them does. Views have to be created before any commands can be assigned to them. There are two basic kinds: the root view and CLI views. The root view is the master view; it has the same access as privilege level 15. Assigning specific commands to a user requires full permissions, and the root view is where you get them. Unlike privilege levels, views are not a fixed ladder of sixteen levels that inherit from one another; each view carries its own independent command set. The one hard limit to keep in mind is that IOS caps the number of CLI views and superviews at 15, not counting the root view.

The root view has full permissions. If you want to create a new view, say a security engineer view, and associate the security-related commands with it, you must first log into the root view with the `enable view` command. For that to work, an enable password (or, better, an enable secret) must be configured and AAA must be enabled with `aaa new-model`.

We will go through that when we get to the actual configuration. You can verify where you are with `show parser view`; it must report that you are in the root view. CLI views are the views we create ourselves: a security engineer view with its own set of commands, a routing and switching engineer view with another set, and so on. These normal views are referred to as CLI views, and to create them you must be logged into the root view, as I said. Each view is then assigned its own specific commands.

There is no inheritance of commands from one view to another. Whatever you assign to the security view is not inherited by the other views, unlike privilege levels. The same command can still be placed in more than one view; for example, both views could be allowed `show running-config`. That is not a problem, but each view remains a separate set of commands. So the root view is used to create and manage the other views, and the CLI views are the individual views associated with user accounts. On top of that there is a special kind of view called the superview. Commands are not configured directly in a superview.

A superview is for a case like a level 3 engineer. Say we created a security engineer view, a routing and switching engineer view, and a third view for some other role. My senior, level 3 engineer is mainly responsible for design and should have access to all the commands in all of these views; he can do almost everything.

So we create a user account, say admin, and associate it with a superview that contains those three views. We do not assign commands in the superview itself; the superview simply has access to whatever commands are available in the views it contains.
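The following is an added example, not configuration from the course, showing how a superview is built from two CLI views. The view names, secrets, user name and command sets are assumed for illustration; the only IOS requirements are that an enable secret exists, `aaa new-model` is on, and the `parser view` commands are entered from the root view.

```text
! Added example (not the course's own configuration): a superview that
! aggregates two CLI views. Names, secrets and command sets are assumed.
!
! Prerequisites: enable secret + AAA, and you must be in the root view
! ("enable view") when you enter the parser view commands below.
enable secret RootViewPass123
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
! First CLI view: security engineer
parser view SEC-Engineer
 secret SecPass123
 commands exec include show access-lists
 commands exec include show ip access-lists
 commands exec include show crypto session
!
! Second CLI view: routing and switching engineer
parser view RS-Engineer
 secret RsPass123
 commands exec include show ip route
 commands exec include show ip ospf neighbor
 commands exec include ping
 commands exec include traceroute
!
! Superview: no "commands" lines here, only member views.
! It inherits the union of the member views' command sets.
parser view L3-Engineer superview
 secret L3Pass123
 view SEC-Engineer
 view RS-Engineer
!
! Bind the senior engineer's account to the superview
username l3admin view L3-Engineer secret L3User123
```

From the root view, `show parser view all` lists every view that exists so you can confirm both CLI views and the superview were created. Note that the superview only ever grants what its member views grant; adding a command for the senior engineer means adding it to one of the member views, not to the superview.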

  1. RBAC Views – LAB1

This video verifies basic role-based access control views with a simple example, using local authorization. I am going to create a custom view called L1-Engineer with a password, say engineer123, and assign it specific commands such as ping and traceroute. Then I will create a user account, user1, associate the L1-Engineer view with it, and verify from router 2 using Telnet, or from the PC, for testing. These are the commands needed on router 1. First, always create an admin account with privilege level 15. This is recommended so you do not lock yourself out: once you enable authentication and authorization on the vty lines, you do not want to restrict your own access.

After that we enable AAA with `aaa new-model` and define the authentication and authorization method lists using the default list. The default list is applied automatically to the vty and console lines, so there is no need to go to each line and apply authentication and authorization by hand. You can use any other list name, for example CCIE, but then the named list must be applied to the vty lines explicitly. Here I am using only the local database.

With a named list, go under `line vty 0 4` and configure `login authentication <list-name>` and `authorization exec <list-name>`. With the default list I do not need to touch the vty lines at all. Then we create the views, and the command for that is `parser view`.

Before creating the views, a few basics. On router 1, to create a view I must be in the root view, and currently I am not. To get into the root view the command is `enable view`; plain `enable` only takes you to privileged EXEC mode, so it has to be `enable view`. The prerequisite for logging into the root view is an enable password, which I do not have configured yet, so let me configure one and then enable AAA as well.

Those are the two prerequisites for logging into the root view. Now `enable view` prompts for the enable password, and once I enter it, `show parser view` confirms that the current view is root. As discussed in the earlier videos, you must be in the root view before you make any changes. Before creating a new view, I create one user account with privilege level 15, admin with password admin123, so that I do not lock myself out. Then I enable AAA.

I have these commands in Notepad, so I can paste them from there. Login authentication uses the local option, and exec authorization is enabled with the default list, also using local. The next step is the user account, but before that I create the view with `parser view <name>`. I am already in the root view, which you must be in before creating any views.

Under `parser view`, assign a password to the view with `secret`, then define the commands. This looks much like what we did with privilege levels, using `commands exec ...`, but in addition we have the include and exclude options.

For example, `commands exec include all show` includes every show command at once, so you do not need to list each individual show command. `commands configure include all router` includes all the router commands, such as router ospf, router eigrp and router bgp. If you want an exception, add an exclude line such as `commands configure exclude router bgp`; the view then includes all the router commands except that one.
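Here is an added example (not the course's own configuration) of a single view that uses the `all` keyword together with an exclusion. The view name and secret are assumed; it must be entered from the root view with `aaa new-model` already enabled.

```text
! Added example (not the course's own configuration): a view built with
! "include all" plus one "exclude". View name and secret are assumed.
! Enter from the root view ("enable view"), aaa new-model already on.
parser view NOC-Operator
 secret NocPass123
 ! every "show" command in EXEC mode, in one line
 commands exec include all show
 ! EXEC-level troubleshooting
 commands exec include ping
 commands exec include traceroute
 ! the view must be allowed into configuration mode before any
 ! "commands configure" line is reachable
 commands exec include configure terminal
 ! every "router ..." routing process...
 commands configure include all router
 ! ...except BGP, which stays off-limits for this role
 commands configure exclude router bgp
```

After switching into the view with `enable view NOC-Operator`, `router ospf 1` under `configure terminal` is accepted while `router bgp 65000` is rejected; and `show startup-config` is accepted here because `include all show` covers it, unlike a view that lists show commands one by one.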

As discussed, views let you assign specific commands in a more flexible way than privilege levels; that is their advantage. At this point I am going with very basic commands and not using those advanced options, which I will use in later examples. So I assign the basic EXEC-mode commands, ping and traceroute, by pasting them in. Inside the view configuration you can always use the question mark to see what is available; most of it resembles privilege-level configuration apart from the include and exclude options. For testing, the view has to be associated with a user.

We have not done that yet, so let me create the user account: `username user1 view L1-Engineer password <password>`, where L1-Engineer is the view name. There are two ways to test: log in with the user account and verify, or simply switch views. Let me show view switching first. I use `enable view L1-Engineer` and enter the password I assigned to that view. Once the correct password is accepted, `show parser view` tells you which view you are in.

The current view is L1-Engineer, and I cannot enter global configuration mode because none of the config-level commands are part of this view. I can still use the specific commands that are: I can ping router 2, I can use traceroute, and I can use `show running-config` to see the configuration, but `show startup-config` is rejected because it is not included in the view. `show ip interface brief` and `show version` work, and `show flash` works too, since it is also included in this configuration. Anything not explicitly included is rejected. Besides testing this way, you can also Telnet from router 2 or use PuTTY.

From my computer I Telnet to the router and log in with the specific user, this time user1, and I can use the allowed commands such as `show run` and `show ip interface brief`. If the user types `enable` and knows the enable password, they can still reach privileged EXEC mode, because that path is governed by privilege levels again. `show parser view` works here and shows that the current view assigned to this user is L1-Engineer, and all the commands specifically listed in that view are available.
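The lab above end to end, as an added example that is not the course's own configuration: the lockout-safe admin account, AAA with the default lists, entering the root view, creating one CLI view, binding a user to it, and verifying by switching views. The view name, user names, secrets and the exact command set are assumed for illustration. The lines marked with `!` are comments or the output you would see, not commands.

```text
! Added example (not the course's own configuration). Names and secrets
! are assumed. EXEC and configuration commands are shown as one session.
!
! 1. Lockout protection and root-view prerequisites
configure terminal
enable secret RootPass123
username admin privilege 15 secret Admin123
aaa new-model
aaa authentication login default local
aaa authorization exec default local
end
!
! 2. Enter the root view (prompts for the enable secret), then confirm
enable view
show parser view
!   Current view is 'root'
!
! 3. Create the CLI view and its command set (root view required)
configure terminal
parser view L1-Engineer
 secret Engineer123
 commands exec include ping
 commands exec include traceroute
 commands exec include show version
 commands exec include show ip interface brief
 commands exec include show running-config
 commands exec include show flash
exit
!
! 4. Bind a user to the view; the view is applied at login because
!    exec authorization uses the local database
username user1 view L1-Engineer secret User123
end
!
! 5. Verify by switching into the view (prompts for Engineer123)
enable view L1-Engineer
show parser view
!   Current view is 'L1-Engineer'
ping 10.0.0.2
!   allowed: included above
configure terminal
!   rejected: no configuration commands are in this view
show startup-config
!   rejected: not included, even though show running-config is
!
! 6. Or verify remotely: telnet to the router, log in as user1, and
!    run "show parser view" from that session
```

Two practical notes. `aaa authorization exec default local` is what makes the `username ... view` binding take effect at login; without exec authorization the user lands in a normal EXEC session. And as the text points out, a view-restricted user who knows the enable secret can still `enable` into privilege level 15, so the enable secret must never be shared with users you are confining to a view.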
