Role-based Access Control
Only the administrator should have complete access to the network devices; other employees, such as a junior network engineer, do not need full access. A junior engineer generally only needs to cross-check the configuration of a device, not to add or delete configuration, so why give that employee full access?
For these scenarios, the administrator defines access to the devices according to the role of each user.
Role-based Access Control –
The concept of Role-based Access Control (RBAC) is to create a set of permissions and assign them to a user or group. Each user then receives only the access their role requires, which limits what a compromised or careless account can do and so raises the level of security.
On Cisco IOS there are two ways to perform RBAC: creating custom privilege levels, or creating CLI views (Role-Based CLI Access).
Custom privilege levels –
When we open a console to the router, we enter user EXEC mode, which is privilege level 1. Typing enable takes us to privileged EXEC mode, which is privilege level 15. A user at a given privilege level can run every command assigned to that level or to any lower level, so a level-15 user can run everything.
By creating a custom privilege level (between 2 and 14) and moving commands to it, the administrator can give a user a subset of the commands that would otherwise require level 15.
First we move a command (here configure terminal) to our privilege level, say 8, and assign an enable secret to that level:
R1(config)#privilege exec level 8 configure terminal
R1(config)#enable secret level 8 0 saurabh
Here the secret is saurabh. The 0 means that the password which follows is typed in clear text; IOS stores only a one-way hash of it in the configuration.
Now we create a local user saurabh and associate this user with the configured level. Then we enable the AAA model and point the default login and exec-authorization method lists at the local database, so that the vty lines use them:
R1(config)#username saurabh privilege 8 secret cisco123
R1(config)#aaa new-model
R1(config)#aaa authentication login default local
R1(config)#aaa authorization exec default local
R1(config)#line vty 0 4
R1(config-line)#login authentication default
Note that once aaa new-model is enabled, login local is no longer accepted under the line; the line uses the default AAA method list instead. The aaa authorization exec line is what makes the privilege level from the username command take effect; without it the user is placed at the line's default level.
Now, whenever user saurabh logs in remotely through a vty line, he is placed directly at privilege level 8, where he can run configure terminal and every level-1 command but nothing that remains at level 15. Commands are moved individually: moving configure terminal only lets the user enter configuration mode, so each configuration command he should be allowed to use has to be moved as well (for example privilege configure level 8 interface).
Role-Based CLI access (views) –
Role-Based CLI Access lets the administrator create different views of the device for different users. Each view defines the commands that a user in that view can run. It is similar to privilege levels but more granular, because a view lists individual commands rather than a level threshold. Role-based CLI provides three kinds of view:
- Root view – The root view has the same access as privilege level 15. The administrator must be in the root view to add, edit or delete views.
To enter the root view, we first enable AAA on the device and set an enable secret; this secret is asked for whenever a user enters the root view.
The commands to enable AAA and set the secret are:
R1(config)#aaa new-model
R1(config)#enable secret geeksforgeeks
Now we enter the root view with:
R1#enable view
After typing this and supplying the enable secret, we are in the root view, where we can add, delete or edit views.
- CLI view – A CLI view is a named set of commands, each tagged with the mode it belongs to (exec, configure, interface, and so on). A user in a CLI view can run only the commands included in it.
- Super view – A superview groups two or more CLI views. A network administrator can assign a user or group of users a superview instead of several individual views. Because it consists of more than one view, a superview has access to the union of the commands provided by its member views, and to nothing else.
Since a superview is built from CLI views, we first create two views named cisco and ibm. In view cisco we allow all show commands in EXEC mode and the interface Ethernet0/0 command in global configuration mode:
R1(config)#parser view cisco
R1(config-view)#secret geeksforgeeks1
R1(config-view)#commands exec include all show
R1(config-view)#commands configure include interface Ethernet0/0
Now we create the ibm view, in which we allow ping and configure terminal in EXEC mode and ip address in interface configuration mode. Note that ip address is an interface-mode command, so it is included with commands interface, not commands configure:
R1(config)#parser view ibm
R1(config-view)#secret geeksforgeeks1
R1(config-view)#commands exec include ping
R1(config-view)#commands exec include configure terminal
R1(config-view)#commands interface include ip address
Now we create a superview named sup_user (the superview keyword is what distinguishes it from a CLI view), give it the secret superuser, and add the views cisco and ibm to it. A user in sup_user can run exactly the commands included in cisco and ibm, and nothing else. The two views complement each other: ibm allows ip address in interface mode but has no way to enter interface mode, while cisco allows interface Ethernet0/0; only the superview can do both.
R1(config)#parser view sup_user superview
R1(config-view)#secret superuser
R1(config-view)#view cisco
R1(config-view)#view ibm
Note – A secret must be set on a view before commands (or, for a superview, member views) can be added to it. A password can be used instead of a secret, but it is less secure because it is not stored as a one-way hash. To place a user directly into a view at login, bind the account to the view with username <name> view <view-name> secret <secret>.
We can check the configuration from the root view with show parser view (the current view) or show parser view all (every configured view), and from any view with show privilege (the current privilege level).
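To make both mechanisms above concrete, here is an added example in Python; it is not code from the original article or from Cisco. It parses a constructed running-config that mirrors this page's setup (user saurabh at level 8, CLI views cisco and ibm, superview sup_user) and models the two rules the text states: a user at privilege level N gets every command moved to level N or below, and a superview gets the union of its member views' commands. A small audit then flags the weak settings discussed on this page: an enable password instead of an enable secret, level-15 users, and a view with no secret. The config text, usernames, view names and hash strings are sample data, and the matching of all entries is a simplification of the IOS parser.

```python
"""Model of Cisco IOS RBAC (privilege levels, CLI views, superviews) parsed
from a running-config. Added example; sample config constructed for it."""
import re

# Constructed sample running-config mirroring the page, plus deliberately weak
# lines for the audit: an "enable password", a level-15 user and a view with
# no secret. The hash strings are placeholders, not real hashes.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authorization exec default local
enable secret 5 $1$xxxx$placeholderhash1
enable secret level 8 5 $1$xxxx$placeholderhash2
enable password 7 094F471A1A0A
username saurabh privilege 8 secret 5 $1$xxxx$placeholderhash3
username admin privilege 15 secret 5 $1$xxxx$placeholderhash4
privilege exec level 8 configure terminal
privilege exec level 5 show running-config
parser view cisco
 secret 5 $1$xxxx$placeholderhash5
 commands exec include all show
 commands configure include interface Ethernet0/0
parser view ibm
 secret 5 $1$xxxx$placeholderhash6
 commands exec include ping
 commands exec include configure terminal
 commands interface include ip address
parser view nosecret
 commands exec include show version
parser view sup_user superview
 secret 5 $1$xxxx$placeholderhash7
 view cisco
 view ibm
"""

PRIV_RE = re.compile(r"^privilege (\S+) level (\d+) (.+)$")
USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))?")
VIEW_RE = re.compile(r"^parser view (\S+)( superview)?$")
CMD_RE = re.compile(r"^commands (\S+) (include|include-exclusive)( all)? (.+)$")


def parse_config(text):
    """Return users, moved commands and views found in an IOS running-config."""
    cfg = {"users": {}, "levels": {}, "views": {}, "enable_password": False}
    current = None  # name of the parser view block being read, if any
    for raw in text.splitlines():
        if not raw.startswith(" "):  # top-level command
            current = None
            if m := VIEW_RE.match(raw):
                current = m.group(1)
                cfg["views"][current] = {"super": bool(m.group(2)), "secret": False,
                                         "commands": set(), "members": []}
            elif m := PRIV_RE.match(raw):
                cfg["levels"][(m.group(1), m.group(3))] = int(m.group(2))
            elif m := USER_RE.match(raw):
                cfg["users"][m.group(1)] = int(m.group(2) or 1)  # default level 1
            elif raw.startswith("enable password"):
                cfg["enable_password"] = True
            continue
        if current is None:
            continue
        sub, view = raw.strip(), cfg["views"][current]
        if sub.startswith(("secret ", "password ")):
            view["secret"] = True
        elif view["super"] and sub.startswith("view "):
            view["members"].append(sub.split()[1])
        elif m := CMD_RE.match(sub):
            view["commands"].add((m.group(1), m.group(4), bool(m.group(3))))
    return cfg


def level_commands(cfg, level):
    """Moved commands a user at `level` may run: everything at that level or
    below. Commands left at their IOS default (1 or 15) are not in the config
    and so are not modelled."""
    return {cmd for cmd, lvl in cfg["levels"].items() if lvl <= level}


def user_commands(cfg, username):
    return level_commands(cfg, cfg["users"][username])


def view_commands(cfg, name):
    """Commands of a CLI view, or the union of its members' for a superview."""
    view = cfg["views"][name]
    if not view["super"]:
        return set(view["commands"])
    out = set()
    for member in view["members"]:
        out |= view_commands(cfg, member)
    return out


def view_allows(cfg, name, mode, command):
    """Whether `command` (keywords only, e.g. "show ip route") can be run in
    `mode` from view `name`. Entries added with 'all' match every command
    beginning with the listed keyword; plain entries must match exactly."""
    for vmode, vcmd, wildcard in view_commands(cfg, name):
        if vmode == mode and (command == vcmd or
                              (wildcard and command.startswith(vcmd + " "))):
            return True
    return False


def audit(cfg):
    """Weak RBAC settings a reviewer of this configuration would flag."""
    findings = []
    if cfg["enable_password"]:
        findings.append("enable password is set; use enable secret only")
    for user, lvl in sorted(cfg["users"].items()):
        if lvl == 15:
            findings.append(f"user {user} has privilege 15 (full access)")
    for name, view in sorted(cfg["views"].items()):
        if not view["secret"]:
            findings.append(f"view {name} has no secret configured")
        for member in view["members"]:
            if member not in cfg["views"]:
                findings.append(f"superview {name} references unknown view {member}")
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("saurabh (level 8) gains:", sorted(user_commands(cfg, "saurabh")))
    print("sup_user commands:", sorted(view_commands(cfg, "sup_user")))
    print("ibm can 'show ip route'?", view_allows(cfg, "ibm", "exec", "show ip route"))
    print("sup_user can 'show ip route'?", view_allows(cfg, "sup_user", "exec", "show ip route"))
    for finding in audit(cfg):
        print("FINDING:", finding)
```

Running it shows the union rule directly: ibm alone cannot run show ip route or reach interface mode, while sup_user can do both because it inherits cisco's entries. Feed it the output of show running-config from a real device to check that no account or view grants more than its role needs.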