07 May 2010

Creating Command-Line Interface Views

Similar to making different commands available to different administrators using privilege levels, role-based command-line interface (CLI) views can be used to provide different sets of configuration information to different administrators. However, unlike privilege levels, role-based CLI views let you control exactly which commands an administrator has access to. The following steps configure these views:

Step 1 Enable AAA (authentication, authorization, and accounting): The following example shows how to enable AAA on an IOS router.

Example: Enabling AAA

R1# conf term
R1(config)# aaa new-model
R1(config)# end

Step 2 Enable the root view: The root view is represented by the set of commands available to an administrator logged in with a privilege level of 15. You might be required to provide the enable secret password to enable the root view, as shown in the following example.

Example: Enabling the Root View

R1# enable view
Password:
R1#

Step 3 Create a view: Use the parser view name command to create a new view, as shown in the following example.

Example: Creating a View

R1# config term
R1(config)# parser view HELPDESK
R1(config-view)#


Step 4 Set a password for the view: Use the secret 0 password command to set the password required to invoke the view. The 0 in the command indicates that the password provided is in plain text, as opposed to an MD5 hash value. The following example shows how to configure a view’s password.

Example: Setting a Password for a View

R1(config-view)# secret 0 H3lpD3skP@55
R1(config-view)#

Step 5 Add available commands to the view: The commands parser-mode {include | include-exclusive | exclude} [all] [interface interface_identifier | command] command, issued in view configuration mode, allows an administrator to specify a command (or interface) available to a particular view. The following example shows how to make the copy command (followed by any keywords), the traceroute command, and the ping command available to a specific view (HELPDESK in this example).

Example: Specifying Commands Available to a View

R1(config-view)# commands exec include all copy
R1(config-view)# commands exec include traceroute
R1(config-view)# commands exec include ping


Step 6 Verify the role-based CLI view configuration: After creating a view, you can switch to that view with the enable view name command. After switching to the new view, you can enter ? for context-sensitive help to see what commands are available in that view, as demonstrated in the following example.

Example: Confirming Role-Based CLI Configuration

R1# enable view HELPDESK
Password:

R1# ?
Exec commands:
<1-99>    Session number to resume
copy    Copy from one file to another
enable    Turn on privileged commands
exit    Exit from the EXEC
ping    Send echo messages
show    Show running system information
traceroute    Trace route to destination
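
An added example, not part of the original post or of Cisco's documentation: a Python audit of the view built in Steps 1 through 5. It lists what each view grants and flags grants made with the all keyword. The sample configuration text, its placeholder hash, and the review_list policy are constructed assumptions.

```python
import re

# Constructed sample: how the view from Steps 1-5 might look in a saved
# configuration. The secret hash is a placeholder, not real device output.
SAMPLE_CONFIG = """\
aaa new-model
!
parser view HELPDESK
 secret 5 $1$PLACEHOLDER$CONSTRUCTEDHASH
 commands exec include all copy
 commands exec include traceroute
 commands exec include ping
!
"""

CMD_RE = re.compile(r"^commands\s+(?P<mode>\S+)\s+"
                    r"(?P<action>include-exclusive|include|exclude)\s+"
                    r"(?P<all>all\s+)?(?P<target>.+)$")

def parse_views(config):
    """Return {view: [(mode, action, all_keywords, target), ...]}."""
    views, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("parser view "):
            current = raw.split()[2]
            views[current] = []
        elif current and raw.startswith(" "):
            m = CMD_RE.match(raw.strip())
            if m:  # skips non-command lines such as 'secret'
                views[current].append((m["mode"], m["action"],
                                       bool(m["all"]), m["target"].strip()))
        else:
            current = None  # an unindented line closes the view block
    return views

def audit(config, review_list=("copy", "configure")):
    """Report findings; review_list is a hypothetical local policy."""
    findings = []
    if not re.search(r"^aaa new-model\s*$", config, re.M):
        findings.append("Step 1 missing: aaa new-model not found")
    for view, rules in parse_views(config).items():
        for mode, action, all_keywords, target in rules:
            if action == "exclude":
                continue
            if all_keywords:
                findings.append(f"{view}: {mode} '{target}' allows any keywords")
            if target.split()[0] in review_list:
                findings.append(f"{view}: {mode} '{target}' is on the review list")
    return findings
```

Calling audit(SAMPLE_CONFIG) returns two findings for HELPDESK, both on the copy grant, which is the one line in Step 5 that uses the all keyword.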



See Also:
CCNA Security Official Exam Certification Guide (Exam 640-553)


biOos