Cisco CCIE Security 350-701 – AAA Authorization Part 5

  1. Modify RBAC Views – LAB 2

Now, the next thing I want to do is modify an existing view. Previously I configured user1 and associated it with the level-one engineer view. I want to add some more commands to that view, so that user1, or any user associated with the level-one engineer view, can also change the IP or IPv6 service configuration on an interface, enable and disable the interface with the shutdown and no shutdown commands, and save the configuration. To add those commands, we first need to give that view the privilege to enter global configuration mode.

Then I specify interface f0/0, which means that a user associated with this view can use the interface commands only on f0/0, not on the other interfaces. Only on this interface can he change the IP addresses, shut down and no shut the interface, and finally save the configuration. If I go to router 1, I have already configured these options; if I check the parser view section of the running configuration, you can see the commands I configured: this user can make changes to IPv6 services, shut down the interface, and change the IP address.

Here you can also see that I included the interface command for f0/0 only. Now verify the user account: this user, user1, is already associated with the L1 engineer view. To verify, I go to router 2, log in as user1 with the password user1, and run show parser view to check the current view. A user associated with this view can go to global configuration mode and make changes to the interface, like shutting it down and bringing it back up with no shutdown.

At the same time he can change the IP address as well as the IPv6 address, and he can save the configuration, but he cannot go to any other interface: if he tries to access any other interface, he is denied, because in this view I associated the interface command with the 0/3 interface only. So the main advantage of views is that we can define a view with specific commands. If you want to allow all interfaces, we can still use the exclude option: include all interface commands and then exclude, say, the s1/0 interface.
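The modification described in LAB 2, written out as an added example (this is not the course workbook's own configuration). The view name L1-ENGINEER, the user user1, the interface FastEthernet0/0 and the management address are assumptions; the view itself is assumed to already exist from the earlier lab.

```cisco
! Added example: extend an existing CLI view so its users can work on
! FastEthernet0/0 only. Assumed names: view L1-ENGINEER, user user1.
Router1# enable view
Password:                        ! root view password = enable secret
Router1# configure terminal
! Re-entering an existing view name appends to it; nothing is re-created
Router1(config)# parser view L1-ENGINEER
! Exec mode: reach global config and save the running configuration
Router1(config-view)# commands exec include configure terminal
Router1(config-view)# commands exec include copy running-config startup-config
! Global config mode: only this one interface is reachable from the view
Router1(config-view)# commands configure include interface FastEthernet0/0
! Interface mode: IPv4/IPv6 addressing plus shut / no shut, nothing else
Router1(config-view)# commands interface include ip address
Router1(config-view)# commands interface include all ipv6
Router1(config-view)# commands interface include shutdown
Router1(config-view)# commands interface include no shutdown
Router1(config-view)# exit
! Keep the user bound to the view (already done in the earlier lab)
Router1(config)# username user1 view L1-ENGINEER password user1
Router1(config)# end

! Verification from Router2 over a VTY session (constructed address)
Router2# telnet 10.0.0.1
Username: user1
Password:
Router1# show parser view
Current view is 'L1-ENGINEER'
Router1# configure terminal
Router1(config)# interface FastEthernet0/0      ! permitted by the view
Router1(config-if)# shutdown
Router1(config-if)# no shutdown
Router1(config-if)# exit
Router1(config)# interface FastEthernet0/1      ! not in the view: rejected
                                  ^
% Invalid input detected at '^' marker.
```

Any interface other than the one named in the view is rejected by the parser before it is executed, which is what the verification step above shows.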

  1. Modify RBAC Views – LAB 3

Now there are a couple more examples relating to views that we can verify. Here I'll just give you an overview of the commands; you can refer to the workbook and go ahead, implement and verify. The requirement here is that I am going to create a view named RNS engineer with some password, then create a user account user2 and associate that user with the view, and the view should have all the commands specified here. He should be able to execute all the show commands, because I don't want to restrict any specific show commands; they can use all the show commands, and at the same time I don't want to grant the individual show commands one by one.

So we can simply say include all show. When I say commands exec include all show, he can automatically execute all the show commands. But let's say you want to restrict specific show commands: we can say exclude show startup-config, if that is what you want to restrict. We can use the exclude option just below it, but I'm not doing that here; I just want all the show commands to be allowed. At the same time he can also use all the copy commands, all the different variations of copy: copy run start if he wants to save the configuration, copy start run if he wants to get the configuration back from NVRAM, or maybe he's doing some kind of backup where he needs to copy the startup config to some TFTP server. I don't want to restrict that.

So I want my routing and switching engineer to be able to execute all the copy commands. I'm not going to specify them individually; I simply say all copy. At the same time, access to all the router-level commands means they can make changes in all the router modes: they can configure router ospf, router eigrp, router rip, even router bgp, all the router-level commands and whatever sub-commands are inside them. So we can simply say all router-level commands, and all ip commands, like ip route or whatever command starts with ip in global configuration mode; all those commands should be allowed.

At the same time, I want to allow all the interface-specific commands, which means this user can go to an interface and use all the interface-specific commands, like changing the IP address, using the no shutdown command, using the clock rate command, or whatever commands are available on the interface, like changing the encapsulation. All these commands should be allowed. So I want to allow all the interfaces, but this routing and switching engineer can use all the interfaces except, let's say, the tunnel interface. So there is a tunnel interface, say tunnel 0.

This is used for VPNs, and I don't want this engineer to be able to execute or make any changes on this interface. So we can use the keyword exclude and exclude this interface. While you are verifying, just make sure that this tunnel interface was created earlier, before you verify. So you can simply go and configure these commands and verify. While you're verifying, make sure that you are associating the user with that view, and make sure that you have authentication and authorization enabled on the specific VTY lines. If you use the default option, you don't need to apply it on the VTY or console lines, because it applies by default; if you're using any other name, then you need to apply it. So that's one example; you can try it out in the workbook.

So you can refer to the workbook. You have all the steps actually configured there, and you can verify the same with all the outputs there. Additionally, I have one more task which is slightly different; it's almost the same thing, with another view called security engineer. For this engineer I want to allow all the show and copy commands, the same as for the routing and switching engineer, and he can go to global configuration mode, modify the ACLs, and use all the crypto commands. Crypto commands are used for VPNs, so I want this user to be able to use all the crypto commands for VPN configuration.

He can make changes to interface f0/0 and the tunnel interface, but he cannot make any changes on any other interface, because I'm not specifying other interfaces. If I say all interface, it allows all the interfaces, but here I am specifically defining those interfaces and the interface-specific commands. Then we need to create a user and associate this view with that particular user. Of course, make sure that this is already pre-configured, and create one user account with admin privilege level 15, so that whenever you try to log in to make any changes you have a privilege level 15 user. So that's another example you can use; you can refer to the workbook again, because overall it's the same thing again. Once I associate these commands, if I log in and run show parser view to verify, you will be able to see all the commands I discussed here, like access-list, crypto map and ip commands such as ip access-list. You can use interface, and if you try to get into interface s0/0, you cannot.

  1. RBAC – Super Views

Now, in this video I'll show you the basic configuration for super views. In the previous sessions we discussed the two types of views which are commonly used: the root view, which we must log into if we want to make any changes, assign specific commands or create a new view, and the CLI views, which are the normal views we create. Super views are different: we do not define any specific commands in them; commands are not configured in this view. But let's say you have created a security engineer view and a routing and switching engineer view, and maybe also a VoIP engineer view with some VoIP-specific commands, and you want a user, user10, who should be able to execute all the commands defined in these views. I can associate this user with a super view.

So I need to create a view as a super view, and I'm not going to define any specific commands there; I need to specify the view RNS engineer, the view security engineer and the view VoIP engineer, and associate them. Automatically, whatever commands are allowed in these individual views are grouped and allowed inside the super view. Configuration-wise, it's not a big or lengthy configuration. First we need to create a view with parser view and a name, say super admin or any name you like, and you have to specify superview. If I don't specify superview, it's going to be treated as a normal view.

So whenever you create a new view we normally use parser view and then a name, but if I don't specify superview it becomes a normal CLI view. So we need to specify that it's a super view, and then we don't define any specific commands. Let me get into the configuration to show you the same thing. Okay, I just logged into privileged mode, and again, if you want to create a view you must log into the root view. So I enter the root view password here, and if I run show parser view to verify my current view, I'm in the root view. Now I'm going to say parser view.

We'll give the name super admin, though any name can be used, and if I just press Enter it becomes a normal view. But I need to specify that it's a super view. Once I define it as a super view, you cannot specify any commands here; we just need to specify the views. So we configure the password, let's say super123, and then the views which are already present. You need to check which views are actually present, because I think I have views created on my router, but maybe only the level-one engineer view is present. So let's verify: there's only L1. Now you can see there are three different views already present here. My requirement is to associate all these three views, and I have already specified the commands in them, so I don't need to do it again. Maybe you just want to associate only two views; then you define just those two. If you want the commands from all three views to be allowed, we need to specify each view with the view command. Finally we need to create a user account, user10.

The view name should be the view I created just now, super admin, and the password is user10. Now, for testing, you can try logging into the router, say from router 2, with the username user10. If I run show parser view to check, the current view is super admin. Now I can execute all the commands defined in those views. I can go to an interface and make changes with all the interface-specific commands.

If you go back to the previous views we created, we can use all of those commands. Let me try some crypto commands: you can see I'm able to use all the crypto commands and the access-list commands, and I can also go to the interface and to the tunnel interface. I think this interface is not created, so you can go and create a tunnel interface as well. And I can also try out the other commands defined in the RNS engineer view: I can use all of them, go to router mode and make changes in the routing configuration as well.
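The two LAB 3 views (RNS engineer and security engineer) and the super view from this section, written out together as an added example; this is not the workbook's own configuration. The view names RNS-ENGINEER, SEC-ENGINEER, VOIP-ENGINEER and SUPER-ADMIN, the users user2, user3 and user10, and the secrets are assumptions; the VOIP-ENGINEER view and interface Tunnel0 are assumed to exist already.

```cisco
! Added example: two CLI views plus a super view that aggregates them.
! All names and secrets below are assumed; commands are entered from the
! root view (enable view + enable secret).
Router(config)# aaa new-model
Router(config)# aaa authentication login default local
Router(config)# aaa authorization exec default local
! Routing and switching engineer: broad access, tunnel carved out
Router(config)# parser view RNS-ENGINEER
Router(config-view)# secret rns123
Router(config-view)# commands exec include all show
Router(config-view)# commands exec include all copy
Router(config-view)# commands exec include configure terminal
Router(config-view)# commands configure include all router
Router(config-view)# commands configure include all ip
Router(config-view)# commands configure include all interface
! 'all interface' was granted above, so exclude the VPN tunnel explicitly
Router(config-view)# commands configure exclude interface Tunnel0
Router(config-view)# exit
! Security engineer: ACLs, crypto, and only two named interfaces
Router(config)# parser view SEC-ENGINEER
Router(config-view)# secret sec123
Router(config-view)# commands exec include all show
Router(config-view)# commands exec include all copy
Router(config-view)# commands exec include configure terminal
Router(config-view)# commands configure include all access-list
Router(config-view)# commands configure include all ip access-list
Router(config-view)# commands configure include all crypto
Router(config-view)# commands configure include interface FastEthernet0/0
Router(config-view)# commands configure include interface Tunnel0
Router(config-view)# exit
! Super view: no 'commands' lines at all, only member views
Router(config)# parser view SUPER-ADMIN superview
Router(config-view)# secret super123
Router(config-view)# view RNS-ENGINEER
Router(config-view)# view SEC-ENGINEER
Router(config-view)# view VOIP-ENGINEER        ! assumed to exist already
Router(config-view)# exit
! Bind each user to its view; the 'default' AAA lists above apply to
! the console and VTY lines without any per-line configuration
Router(config)# username user2 view RNS-ENGINEER password user2
Router(config)# username user3 view SEC-ENGINEER password user3
Router(config)# username user10 view SUPER-ADMIN password user10
Router(config)# end
! Logged in as user10 over a VTY: the union of the member views applies
Router# show parser view
Current view is 'SUPER-ADMIN'
```

Because the super view carries no commands of its own, adding or removing a command from RNS-ENGINEER or SEC-ENGINEER changes what user10 can run without touching SUPER-ADMIN.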
