Parser Views - Role-Based Access Control (RBAC)
Cisco IOS CLI Parser Views provide much more granular access control than Privilege Levels. Network administrators can use them to implement Role-Based CLI Access (often simply called RBAC, Role-Based Access Control). By implementing RBAC with Parser Views, administrators can limit which commands a user can see or run on Cisco routers and switches.
Network administrators can create CLI Parser Views and add the role-based commands to each CLI Parser View. A CLI Parser View can be tied to a user, and when the user logs in using this view, he will get only the commands which are configured for his view.
The following are the prerequisites for creating Parser Views:
• Device IOS must support Parser views.
• Enable secret password must be configured on the device.
• AAA must be enabled on the router using the Cisco IOS "aaa new-model" command.
Step 01 - Enable AAA globally on the Cisco router/switch using "aaa new-model" and configure the password for privileged EXEC mode from Global Configuration Mode.
OmniSecuR1#configure terminal
OmniSecuR1(config)#aaa new-model
OmniSecuR1(config)#enable secret OmniSecu123
OmniSecuR1(config)#aaa authentication login default local
OmniSecuR1(config)#aaa authorization exec default local
OmniSecuR1(config)#exit
OmniSecuR1#
Step 02 - After enabling AAA and configuring the Privilege Level 15 password, you must move to Root View by using the IOS CLI command "enable view" before you can configure other Parser Views. Root View is a CLI Parser View which has all access privileges, similar to Privilege Level 15, and it is used to create or modify other views. You have to provide the enable secret password (configured in the step above) to move to Root View.
User Access Verification
Username: admin
Password:
OmniSecuR1>enable view
Password:
OmniSecuR1#
OmniSecuR1#configure terminal
OmniSecuR1(config)#parser view OmniSecuPV
OmniSecuR1(config-view)#secret PassOmniSecuPV
OmniSecuR1(config-view)#commands exec include configure terminal
OmniSecuR1(config-view)#commands exec include ping
OmniSecuR1(config-view)#commands exec include traceroute
OmniSecuR1(config-view)#commands exec include exit
OmniSecuR1(config-view)#commands configure include interface gigabitethernet 0/0
OmniSecuR1(config-view)#commands configure include exit
OmniSecuR1(config-view)#commands interface include ip address
OmniSecuR1(config-view)#commands interface include ipv6 address
OmniSecuR1(config-view)#commands interface include no ip address
OmniSecuR1(config-view)#commands interface include no ipv6 address
OmniSecuR1(config-view)#commands interface include shutdown
OmniSecuR1(config-view)#commands interface include no shutdown
OmniSecuR1(config-view)#commands interface include exit
OmniSecuR1(config-view)#exit
OmniSecuR1(config)#exit
OmniSecuR1#
Step 03 - After creating the Parser View, we can attach it to a user, so that when the user logs in, he can see only the configured Cisco IOS CLI commands.
OmniSecuR1(config)#username jajish privilege 15 view OmniSecuPV secret OmniSecuPass
Step 04 - Telnet to the router "OmniSecuR1" and log in as user "jajish". Run "show parser view" to see which Parser View is current. You can see that, by default, the Parser View which we created is in effect.
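To review the result of the steps above offline, the following added example (not part of the original tutorial and not Cisco code) parses a saved configuration, maps each user to a Parser View, and tests whether a command falls inside that view's include list. The configuration text is constructed from the commands on this page, the function names are hypothetical, and the token-prefix matching is a simplifying assumption that does not model IOS command abbreviation.

```python
import re

# Constructed sample: the view and users from the steps above as they might
# appear in a saved configuration; secret hashes are placeholders.
SAMPLE_CONFIG = """\
aaa new-model
username admin privilege 15 secret 5 <hash-placeholder>
username jajish privilege 15 view OmniSecuPV secret 5 <hash-placeholder>
parser view OmniSecuPV
 secret 5 <hash-placeholder>
 commands exec include configure terminal
 commands exec include ping
 commands exec include traceroute
 commands configure include interface gigabitethernet 0/0
 commands interface include ip address
 commands interface include no ip address
 commands interface include shutdown
 commands interface include no shutdown
!
"""

def parse_views(config):
    """Return ({view: {mode: [command token lists]}}, {user: view or None})."""
    views, users, current = {}, {}, None
    for line in config.splitlines():
        if m := re.match(r"parser view (\S+)", line):
            current = views.setdefault(m.group(1), {})
        elif m := re.match(r"\s+commands (\S+) include (.+)", line):
            if current is not None:  # only count lines inside a view block
                current.setdefault(m.group(1), []).append(m.group(2).split())
        elif m := re.match(r"username (\S+)(?:.*?\sview (\S+))?", line):
            users[m.group(1)], current = m.group(2), None
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the view block
    return views, users

def is_allowed(views, view, mode, command):
    """Assumed rule: the command must begin with an included token sequence."""
    tokens = command.lower().split()
    return any(tokens[:len(inc)] == [t.lower() for t in inc]
               for inc in views.get(view, {}).get(mode, []))

def unrestricted_users(users):
    """Users with no view binding are limited only by their privilege level."""
    return sorted(u for u, v in users.items() if v is None)
```

Running unrestricted_users() over a device's saved configuration lists the accounts that still bypass the view-based restrictions, which is the first thing to check after rolling out Parser Views.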