Role-based Access Control

Only the administrator should have complete access to the network devices; other employees, such as a junior network engineer, do not need full access. A junior engineer generally only needs to cross-check a device's configuration, not add or delete anything, so why give that employee full access?
For scenarios like this, the administrator defines access to the devices according to the role of each user.

Role-based Access Control –
The idea behind Role-based Access Control (RBAC) is to create a set of permissions and assign it to a user or group. With these permissions a user gets only the limited access the role requires, which reduces the damage a compromised or careless account can do.
On Cisco IOS there are two ways to implement RBAC on the CLI: creating custom privilege levels, or creating views (Role-Based CLI access).

Custom level privilege –
When we console into the router we land in user EXEC mode, which has privilege level 1. By typing enable we enter privileged EXEC mode, which has privilege level 15. A user at privilege level 15 can run every command assigned to level 15 or below. (Level 0 also exists and holds only disable, enable, exit, help and logout.)
By creating a custom privilege level (between 2 and 14) and moving commands to it, the administrator can give a user only a subset of commands. Note that levels are cumulative: a command moved to level 8 is also available at levels 9 to 15, and the level-8 user still keeps everything at levels 0 and 1.

Configuration –
First we move a command to our custom privilege level, say 8, and assign an enable secret to that level.

R1(config)#privilege exec level 8 configure terminal
R1(config)#enable secret level 8 0 saurabh

Here the level-8 enable secret is saurabh. The 0 means the string that follows is typed in clear text; because the command is enable secret, IOS still stores it as a hash in the running configuration. Anyone who knows this secret can reach level 8 from user EXEC with the command enable 8, so it should be treated like any other privileged credential.
Now we create a local user named saurabh, bind the user to the configured level, enable the AAA model and point the vty lines at the default login list. Once aaa new-model is enabled the line command login local is no longer used; authentication comes from the default method list, and aaa authorization exec default local makes IOS apply the privilege level stored on the username at login.

R1(config)#username saurabh privilege 8 secret cisco123
R1(config)#aaa new-model
R1(config)#aaa authentication login default local
R1(config)#aaa authorization exec default local
R1(config)#line vty 0 4
R1(config-line)#login authentication default

Now whenever saurabh logs in remotely through the vty lines he is placed at privilege level 8. He can enter configure terminal, but inside configuration mode he can only run the commands that have been moved to level 8 or below with privilege configure level 8 ...; everything else stays at level 15.

Creating views:
Role-Based CLI access lets the administrator create different views of the device for different users. Each view defines the commands a user can run, similar to a privilege level but without the cumulative behaviour of levels: a view grants exactly the commands listed in it. Role-Based CLI uses the root view, ordinary CLI views (a named set of commands) and superviews (a bundle of CLI views). The two the administrator works with directly are:

  1. Root view – The root view has the same access as a user at privilege level 15. The administrator must be in the root view to add, edit or delete views.

    Configuration –
    To enter the root view we first have to enable AAA on the device and set an enable secret, which is the password asked for whenever a user enters the root view.

    The commands to enable AAA and set the enable secret are:

    R1(config)#aaa new-model
    R1(config)#enable secret geeksforgeeks

    Now we enter the root view, from privileged EXEC, with the command:

    R1#enable view

    IOS prompts for the enable secret and then reports the switch with a %PARSER-6-VIEW_SWITCH message. From the root view we can add, delete or edit views.

  2. Superview – A superview consists of two or more CLI views. A network administrator can assign a superview to a user or group of users; because it bundles several views, a superview grants the union of all the commands those views provide.

    Configuration –
    Since a superview is built from other views, we first create two views named cisco and ibm (still in the root view). In view cisco we allow every show command in EXEC mode and the interface Ethernet0/0 command in global configuration mode.

    R1(config)#parser view cisco
    R1(config-view)#secret geeksforgeeks1
    R1(config-view)#commands exec include all show
    R1(config-view)#commands configure include interface Ethernet0/0

    Now we create the ibm view, which allows ping and configure terminal in EXEC mode and ip address in interface configuration mode. (ip address is an interface command, so it is granted with commands interface, not commands configure. On its own the ibm view cannot reach interface mode; combined with the cisco view in the superview below, the path configure terminal, interface Ethernet0/0, ip address becomes available.)

    R1(config)#parser view ibm
    R1(config-view)#secret geeksforgeeks1
    R1(config-view)#commands exec include ping
    R1(config-view)#commands exec include configure terminal
    R1(config-view)#commands interface include ip address

    Now we create a superview named sup_user with the keyword superview, give it the secret superuser and add the views cisco and ibm to it. A user in sup_user can execute only the commands included in cisco and ibm.

    R1(config)#parser view sup_user superview
    R1(config-view)#secret superuser
    R1(config-view)#view cisco
    R1(config-view)#view ibm

Note – A view must be given a secret before any commands can be added to it. For the root view, enable password can be used instead of enable secret, but it is stored reversibly (clear text, or a type 7 string that is trivially decoded), so always use enable secret.
We can check the configuration with show running-config, see the view we are currently in with show parser view, and, from the root view, list every configured view with:

R1#show parser view all
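Checking a device by eye does not scale, so as an added example (not part of the original article and not Cisco code) the Python script below reads a running-config and reports what the privilege-level section and the views section above actually grant: which (mode, command) pairs each custom level and each view or superview ends up with, and whether any credential is stored in a reversible form. The config text is constructed here to mirror the article's example; the hashes are placeholders.

```python
"""Audit IOS privilege levels and Role-Based CLI views from a running-config."""
import re
from collections import defaultdict

# Constructed sample running-config (not captured from a real device);
# the type-5 hashes are placeholders.
SAMPLE_CONFIG = """\
enable secret 5 $1$h4sh$placeholder
enable secret level 8 5 $1$h4sh$placeholder
username saurabh privilege 8 secret 5 $1$h4sh$placeholder
username legacy privilege 15 password 0 letmein
enable password 7 0822455D0A16
privilege exec level 8 configure terminal
privilege exec level 8 show running-config
privilege configure level 8 interface
privilege exec level 5 ping
parser view cisco
 secret 5 $1$h4sh$placeholder
 commands exec include all show
 commands configure include interface Ethernet0/0
!
parser view ibm
 secret 5 $1$h4sh$placeholder
 commands exec include ping
 commands exec include configure terminal
 commands interface include ip address
!
parser view sup_user superview
 secret 5 $1$h4sh$placeholder
 view cisco
 view ibm
!
"""

PRIV_RE = re.compile(r"^privilege (\S+) level (\d+) (.+)$")


def parse_privilege_levels(config):
    """Map each custom privilege level to the (mode, command) pairs moved to it."""
    levels = defaultdict(set)
    for line in config.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            levels[int(m.group(2))].add((m.group(1), m.group(3)))
    return dict(levels)


def effective_commands(levels, level):
    """Levels are cumulative: a user at `level` gets every command moved to that level or below."""
    return {c for lvl, cmds in levels.items() if lvl <= level for c in cmds}


def parse_views(config):
    """Parse 'parser view' blocks into {name: {super, members, commands, secret}}."""
    views, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^parser view (\S+)( superview)?$", line)
        if m:
            current = {"super": bool(m.group(2)), "members": [], "commands": set(), "secret": False}
            views[m.group(1)] = current
            continue
        if not line.startswith(" "):      # '!' or any top-level command ends the block
            current = None
            continue
        if current is None:
            continue
        words = line.split()
        if words[0] == "secret":
            current["secret"] = True
        elif words[0] == "view":
            current["members"].append(words[1])
        elif words[0] == "commands" and words[2] == "include":
            # "commands <mode> include [all] <cmd>": 'all' also grants every sub-command
            allsub = words[3] == "all"
            cmd = " ".join(words[4:] if allsub else words[3:])
            current["commands"].add((words[1], cmd, allsub))
    return views


def resolve_view(views, name):
    """Flatten a superview into the union of its member views' commands (views are not cumulative)."""
    v = views[name]
    if not v["super"]:
        return set(v["commands"])
    out = set()
    for member in v["members"]:
        out |= resolve_view(views, member)
    return out


def audit_secrets(config):
    """Flag reversible or clear-text credentials and views configured without a secret."""
    findings = []
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("enable password"):
            findings.append("enable password is reversible (type 0/7); use enable secret")
        if s.startswith("username") and " password " in s:
            findings.append(f"{s.split()[1]}: username uses password, not secret")
        if re.search(r"\b(secret|password) 0 ", s):
            findings.append(f"clear-text credential in config: {s}")
    for name, v in parse_views(config).items():
        if not v["secret"]:
            findings.append(f"view {name} has no secret")
    return findings


if __name__ == "__main__":
    lv = parse_privilege_levels(SAMPLE_CONFIG)
    print("level 8 can run:", sorted(effective_commands(lv, 8)))
    vw = parse_views(SAMPLE_CONFIG)
    print("sup_user can run:", sorted(resolve_view(vw, "sup_user")))
    for f in audit_secrets(SAMPLE_CONFIG):
        print("FINDING:", f)
```

Point the script at the output of show running-config from a real device to see the effective command set of a level or a superview before handing the credential to a junior engineer; the audit deliberately treats any username configured with password rather than secret as a finding, since that string is recoverable by anyone who can read the config.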

