Welcome back to this series, where we are covering CCNA security topics using Cisco Packet Tracer for our labs. In the previous labs, we focused on the Cisco ASA and configured features like routing, ACL, NAT, and VPN.
In this lab, we will move on to the Cisco IOS and look at privilege levels on Cisco IOS devices and also configure role-based access control on these devices. There are several articles on the Intense School site that you may want to go through first, such as this and this.
For this article, we will be using a lab setup as shown below:
Two files are attached to this article:
priv_lvl_rbac_init.pkt: This Packet Tracer file contains the lab setup with the devices configured with basic IP settings in the 10.0.0.0/24 subnet. R1 is configured as .1, R2 as .2 and PC0 as .100. A line password of “cisco123” has been configured on R1 and SSH has been enabled on R2.
priv_lvl_rbac_final.pkt: This Packet Tracer file contains the lab fully configured to meet the tasks.
The tasks for this lab are as follows:
When anyone telnets to R1, they should be placed at a privilege level of 2. An administrator should be able to access privilege level 15 with a password of “cisco123”. Do not configure usernames for this task.
Still on R1, connections with a privilege level of 2 should be able to perform any configuration on ANY interface.
On R2, create two CLI views – Helpdesk and NOC. The Helpdesk CLI view should have a password of “helpdesk” and should be able to ping and view interface status (i.e., show interfaces). The NOC CLI view should have a password of “NOC” and be able to do everything the Helpdesk CLI view can do including being able to perform any configuration on interfaces.
Create two users on R2 with the following username/password credentials: helpdesk/helpdesk and NOC/NOC. When the “helpdesk” user logs in, the user should use the “enable view Helpdesk” command to access the Helpdesk CLI view. In the same way, when the “NOC” user logs in, the user should use the “enable view NOC” command to access the NOC CLI view. Assume that users will log in via Telnet/SSH.
Task 1: Line Privilege
Since this task specifies that usernames should not be configured, the only other option we have is to set the privilege level on the VTY lines themselves. By default, when we log in via Telnet to a VTY line on a Cisco IOS device, we are placed at privilege level 1, as shown below:
We can use the privilege level line configuration command to change the default privilege level for a VTY line. For this task, we will assign a privilege level of 2 to the VTY lines. The task also requires that an administrator be able to access privilege level 15. To do this, we can configure an enable password/secret. When you configure an enable password/secret without specifying any level, you are effectively configuring an enable password/secret for privilege level 15.
Therefore, our configuration on R1 is as follows:
line vty 0 4
 privilege level 2
!
enable secret cisco123
To test this configuration, we will log in via Telnet again and check the privilege level; we will then try to gain access to privilege level 15:
Task 2: Changing privilege level for commands
By default, you need to be at privilege level 15 to be able to configure a Cisco IOS device. Therefore, if we want users at privilege level 2 to be able to configure interfaces, we need to move the relevant commands down to that level.
Before we make any configuration changes, look at the commands available to a user at privilege level 2:
Note: There may be more commands on a real Cisco IOS device than on Packet Tracer.
The configuration to allow privilege level 2 users to configure interfaces is as follows:
privilege exec level 2 configure
privilege exec level 2 configure terminal
privilege configure all level 2 interface
Hint: The “all” option in the command privilege configure all level 2 interface allows the sub-options under interface to be placed at the same privilege level.
We can verify our configuration by logging into the router and viewing the commands available at each level:
Note: You may get some unexpected behavior with the privilege command on Packet Tracer. For example, if you enter privilege configure level 2 interface (i.e., without the “all” option), privilege level 2 users will not be able to configure any interface.
Task 3: Role-based CLI access
Changing command privilege levels like we did in the previous task can be quite cumbersome; a better way is to use CLI views. To create views, you need to be in the root view (which is different from privilege level 15). Before you can use CLI views, you must enable AAA and also configure an enable password/secret as follows:
aaa new-model
enable secret cisco123
Now, to create CLI views, we must enter the root view using the enable view command from privileged EXEC mode. We will need to enter the enable secret to gain access to the root view:
The configuration to create the CLI views is as follows:
parser view Helpdesk
 secret helpdesk
 commands exec include ping
 commands exec include show
 commands exec include show interfaces
!
parser view NOC
 secret NOC
 commands exec include configure
 commands exec include configure terminal
 commands exec include ping
 commands exec include show
 commands exec include show interfaces
 commands configure include all interface
Task 4: CLI views and verifications
On a real Cisco IOS device, we would be able to tie usernames to specific CLI views, but that is not available in Packet Tracer. Therefore, a user needs to manually access a CLI view using the enable view command.
The configuration for this task is as follows:
username helpdesk secret helpdesk
username NOC secret NOC
To test this configuration, we will first log in using the helpdesk username:
Cool! Let’s now test the NOC user:
This brings us to the end of the lab, where we have looked at privilege levels and RBAC on Cisco routers. I hope you have found this lab insightful.
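Once the four tasks are configured, it is worth checking the running configuration mechanically rather than by eye, both to confirm the lab's intent (VTY sessions at level 2, level 15 guarded by an enable secret, interface commands moved with “all”, views defined with aaa new-model in place) and to catch the mistakes the lab warns about. The Python script below does that audit. It is an added example, not part of the original article and not a Cisco tool; the config text inside it is constructed from the lab's own commands in the form show running-config prints them, the type-5 hashes are placeholders, and the WEAK_CONFIG counter-example is made up to show findings being raised.

```python
import re

# Constructed sample, not a capture from the lab: the commands the article
# configures on R1/R2 as IOS stores them; the "5 $1$..." hashes are placeholders.
SAMPLE_CONFIG = """\
aaa new-model
enable secret 5 $1$PLCH$placeholder.hash.not.real
privilege exec level 2 configure
privilege exec level 2 configure terminal
privilege configure all level 2 interface
parser view Helpdesk
 secret 5 $1$PLCH$placeholder.hash.not.real
 commands exec include ping
 commands exec include show
 commands exec include show interfaces
parser view NOC
 commands exec include configure
 commands exec include configure terminal
 commands exec include ping
 commands exec include show
 commands exec include show interfaces
 commands configure include all interface
line vty 0 4
 privilege level 2
"""

# Constructed counter-example carrying the mistakes the article warns about.
WEAK_CONFIG = """\
enable password cisco123
privilege exec level 2 configure terminal
privilege configure level 2 interface
line vty 0 4
 privilege level 15
 password cisco123
"""

def parse_sections(config):
    """Split a config into global lines and {section header: [child lines]}.
    Sections are 'line ...' and 'parser view ...' blocks whose children are
    indented by one space, as 'show running-config' prints them."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.startswith(("line ", "parser view ")):
            current = raw.strip()
            sections[current] = []
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, sections

def vty_privilege_levels(config):
    """{'vty 0 4': level}; IOS places sessions at level 1 unless overridden."""
    levels = {}
    for header, children in parse_sections(config)[1].items():
        if header.startswith("line vty"):
            found = [int(c.split()[-1]) for c in children if c.startswith("privilege level ")]
            levels[header[5:]] = found[-1] if found else 1
    return levels

def enable_protection(config):
    """'secret' (one-way hash), 'password' (cleartext or reversible type 7) or None."""
    kinds = {l.split()[1] for l in parse_sections(config)[0] if l.startswith("enable ")}
    return "secret" if "secret" in kinds else "password" if "password" in kinds else None

PRIV_RE = re.compile(r"privilege (\S+) (all )?level (\d+) (.+)")
def relocated_commands(config):
    """level -> {(mode, command, covers_subcommands)} from 'privilege' statements."""
    by_level = {}
    for m in filter(None, map(PRIV_RE.fullmatch, parse_sections(config)[0])):
        mode, all_flag, level, command = m.groups()
        by_level.setdefault(int(level), set()).add((mode, command, all_flag is not None))
    return by_level

VIEW_RE = re.compile(r"commands (\S+) (include|exclude|include-exclusive) (all )?(.+)")
def view_commands(config):
    """view name -> [(mode, action, covers_subcommands, command)]."""
    views = {}
    for header, children in parse_sections(config)[1].items():
        if header.startswith("parser view "):
            rules = [m.groups() for m in map(VIEW_RE.fullmatch, children) if m]
            views[header.split()[2]] = [(mo, ac, al is not None, cmd) for mo, ac, al, cmd in rules]
    return views

def audit(config):
    """Findings a reviewer would raise; an empty list means the lab's intent is met."""
    findings = []
    for vty, level in vty_privilege_levels(config).items():
        if level == 15:
            findings.append(f"{vty}: sessions land directly at privilege level 15")
    guard = enable_protection(config)
    if guard != "secret":
        findings.append(f"privilege 15 is not guarded by 'enable secret' (found: {guard})")
    for level, cmds in relocated_commands(config).items():
        for mode, command, covers_sub in cmds:
            if mode == "configure" and not covers_sub:
                findings.append(f"level {level}: '{command}' moved without 'all', "
                                "so its sub-commands keep their default level")
    if view_commands(config) and "aaa new-model" not in parse_sections(config)[0]:
        findings.append("parser views are defined but 'aaa new-model' is missing")
    return findings

if __name__ == "__main__":
    for name, cfg in (("lab config", SAMPLE_CONFIG), ("weak config", WEAK_CONFIG)):
        print(name, "->", audit(cfg) or "no findings")
```

Run as a script it reports no findings for the lab config and three for the weak one. To audit a real device, paste the output of show running-config into a string and call audit() on it; the parser only understands the global, line and parser view sections it needs, so other configuration is passed over untouched.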
References and Further Reading
Privilege Levels: https://learningnetwork.cisco.com/docs/DOC-15878