CCIE R&S Advanced Technologies Class v4.5 - AAA, Local Authentication, Local Authorization, Role Based CLI Access

Transcript

1	Introduction	0h 43m
2	Using the Cisco Documentation	0h 52m
3	Ethernet Overview, Layer 2 Switchports, Trunking, ISL, 802.1q, DTP	0h 47m
4	VTP, VTP Authentication, VTP Pruning	1h 02m
5	VTP Prune Eligible List, VTP Transparent, VTP Troubleshooting, Trunk Allowed List, Extended VLANs	0h 48m
6	VLAN and VTP Review	0h 19m
7	SVIs, Native Routed Interfaces, Router-on-a-Stick	0h 46m
8	Layer 2 EtherChannel, EtherChannel Load Balancing, Layer 3 EtherChannel	0h 57m
9	802.1q Tunneling, Layer 2 Protocol Tunneling, EtherChannel over 802.1q Tunneling	1h 03m
10	STP Root Bridge Election, STP Root Port Election, STP Designated Port Election, STP Priority, STP Cost, STP Port-Priority	1h 46m
11	STP Review	0h 12m
12	STP Timers, STP PortFast	0h 34m
13	STP UplinkFast	0h 11m
14	STP BackboneFast	0h 12m
15	STP BPDU Filter	0h 13m
16	STP BPDU Guard	0h 11m
17	STP Root Guard	0h 11m
18	STP Loop Guard, Unidirectional Link Detection (UDLD)	0h 11m
19	Multiple Spanning-Tree Protocol (MST)	0h 40m
20	Rapid Spanning-Tree Protocol (RSTP), Rapid-PVST	0h 18m
21	MST with Multiple Regions	0h 33m
22	Flex Links	0h 16m
23	Frame Relay	0h 39m
24	Frame Relay Configuration Part 1	0h 34m
25	Frame Relay Configuration Part 2	0h 41m
26	Frame Relay Switching	0h 27m
27	Back-to-Back Frame Relay	0h 08m
28	Frame-Relay End-to-End Keepalives	0h 18m
29	PPP, PPP PAP Authentication, PPP CHAP Authentication	0h 59m
30	PPPoFR, PPPoE	0h 40m
31	Transparent Bridging, IRB	0h 32m
32	Fallback Bridging	0h 14m
33	IP Routing Overview, Switching Paths, Static Routing	0h 42m
34	Static Routing Examples	0h 25m
35	IP Default-Gateway, IP Default-Network	0h 14m
36	On-Demand Routing (ODR)	0h 07m
37	Floating Static Routes	0h 10m
38	Backup Interface	0h 29m
39	Enhanced Object Tracking, IP SLA, Reliable Static Routing	0h 21m
40	Policy Routing	0h 43m
41	GRE Tunneling, GRE Recursive Routing Errors	0h 27m
42	Reliable Backup Interface with GRE	0h 25m
43	RIP Overview, RIP Versions, RIP Auto-Summary	0h 48m
44	RIP Split-Horizon, RIP Timers	0h 22m
45	RIP Broadcast Updates, IP Directed Broadcast, IP Broadcast-Address, Smurf Attacks, Fraggle Attacks	0h 16m
46	RIP Unicast Updates	0h 03m
47	RIP Offset-List	0h 18m
48	RIP Authentication	0h 11m
49	RIP Summarization	0h 10m
50	Prefix-Lists, RIP Distribute-List Filtering, RIP Administrative Distance Filtering	0h 48m
51	RIP Default Routing, RIP Conditional Default Routing	0h 18m
52	RIP Triggered, RIP Validate Update Source,	0h 12m
53	EIGRP Overview	0h 29m
54	EIGRP Auto-Summary	0h 07m
55	EIGRP Split-Horizon	0h 11m
56	EIGRP Update Types, EIGRP Neighbor, EIGRP Passive-Interface	0h 24m
57	EIGRP Hello-Interval, EIGRP Hold-Time	0h 05m
58	EIGRP Authentication	0h 11m
59	EIGRP Time Based Authentication	0h 25m
60	EIGRP Path Selection, EIGRP Metric Weights, EIGRP Traffic Engineering	0h 47m
61	EIGRP Unequal Cost Load Balancing, EIGRP Variance	0h 19m
62	EIGRP QUERY, EIGRP Summarization, EIGRP Leak-Map	0h 28m
63	EIGRP Stub Router Advertisement	0h 22m
64	EIGRP Default Routing	0h 13m
65	EIGRP Route Filtering	0h 11m
66	EIGRP Router-ID	0h 07m
67	Miscellaneous EIGRP Features	0h 02m
68	OSPF Overview	0h 27m
69	Establishing OSPF Adjacencies, Understanding the OSPF Database	0h 43m
70	OSPF Network Type Broadcast, OSPF DR/BDR Election, OSPF over NBMA, OSPF Network Type Non-Broadcast and Point-to-Multipoint	0h 56m
71	OSPF Network Type Point-to-Point, OSPF Network Type Mismatch	0h 13m
72	OSPF Network Type Point-to-Multipoint Non-Broadcast, OSPF Per Neighbor Cost	0h 17m
73	OSPF Network Type Loopback	0h 02m
74	OSPF Path Selection	0h 27m
75	OSPF Convergence Timers	0h 09m
76	OSPF Authentication	0h 12m
77	OSPF Summarization	0h 32m
78	OSPF Stub Areas, OSPF Totally Stubby Areas, OSPF NSSAs, OSPF Totally NSSAs	0h 40m
79	Controlling OSPF NSSA Redistribution	0h 02m
80	OSPF Type 7 to 5 Translator Election, OSPF LSA Type 3 Filter, OSPF Forwarding Address Suppression	0h 24m
81	Route Redistribution Overview	0h 36m
82	Route Redistribution Configuration & Verification, Connected Redistribution	0h 22m
83	OSPF External Path Selection, TCL PING Scripting	0h 33m
84	Routing Loops Overview, EIGRP Route Loop Prevention	0h 55m
85	Metric Based Routing Loops, Route Tagging	0h 46m
86	Administrative Distance Based Routing Loops, Debug IP Routing, IP Route Profile	0h 58m
87	BGP Overview, BGP Peering Types	0h 51m
88	Establishing BGP Peerings, EBGP Multihop, BGP Neighbor Disable Connected Check, BGP TTL Security	0h 49m
89	BGP 4-Byte ASNs	0h 20m
90	BGP Local AS, BGP Peer Groups	0h 30m
91	BGP Next-Hop Self, BGP Next-Hop Processing	0h 30m
92	BGP Route Reflectors	0h 37m
93	Large Scale BGP Route Reflectors with Clusters	0h 34m
94	BGP Confederation	0h 37m
95	BGP NLRI Advertisements, BGP Network Statement, BGP Redistribution	0h 43m
96	BGP Aggregation, BGP Aggregation & Summary-Only, BGP Aggregation & Unsuppress-Map	0h 46m
97	BGP Origin, BGP Aggregation & AS-Set, BGP Aggregation & Advertise-Map	0h 22m
98	BGP Conditional Route Injection	0h 21m
99	BGP Bestpath Selection, BGP Multipath, BGP Weight	0h 53m
100	BGP Local Preference, BGP Local Preference and Communities, BGP AS-Path Prepending,	0h 30m
101	BGP MED, BGP MED Missing As Worst, BGP Deterministic MED	0h 17m
102	BGP Communites, BGP Regular Expressions	0h 43m
103	BGP Filtering, BGP Convergence Timers, BGP Default Routing, Miscellaneous BGP Features	0h 24m
104	MPLS Overview, MPLS Label Distribution Protocol (LDP)	1h 05m
105	MPLS Tunnels, MPLS Penultimate Hop Popping (PHP)	0h 40m
106	MPLS Layer 3 VPNs Overview, VRF Lite	0h 36m
107	MPLS Layer 3 VPNs and VPNv4 BGP	1h 08m
108	MPLS Layer 3 VPN Verification & Troubleshooting	0h 49m
109	MPLS Layer 3 VPN OSPF PE-CE Routing Overview	0h 06m
110	MPLS Layer 3 VPN OSPF PE-CE Routing Path Selection & Sham-Links	2h 01m
111	MPLS Layer 3 VPN OSPF PE-CE Routing Loop Prevention & Down-Bit, OSPF Capability VRF-Lite	0h 40m
112	IPv6 Overview, IPv6 ICMPv6 ND, IPv6 over NBMA	0h 44m
113	IPv6 Routing Overview, IPv6 Static Routing	0h 28m
114	IPv6 RIPng	0h 20m
115	IPv6 EIGRPv6	0h 09m
116	IPv6 OSPFv3	0h 31m
117	MP-BGP for IPv6	0h 26m
118	IPv6 Tunneling	1h 13m
119	Multicast Overview, IGMP	0h 34m
120	PIM Overview	0h 18m
121	PIM Dense Mode	1h 03m
122	PIM Sparse Mode	0h 30m
123	PIM Sparse Mode Configuration	0h 36m
124	PIM Sparse Mode RPF & RP Troubleshooting	0h 27m
125	Auto-RP, Multicast over GRE Tunnels	0h 53m
126	Bootstrap Router (BSR), Bidirectional PIM, Source Specific Multicast (SSM)	0h 40m
127	MSDP, Anycast RP	0h 27m
128	IPv6 Multicast Routing	0h 24m
129	QoS Overview, IntServ QoS, DiffServ QoS, IP Precedence, DSCP, MQC, HQF	0h 41m
130	MQC Classification	0h 44m
131	FIFO, FQ, WFQ, CBWFQ, HQF	0h 50m
132	LLQ	0h 23m
133	WRED	0h 31m
134	Traffic Shaping, Traffic Policing	0h 40m
135	Frame Relay Traffic Shaping (FRTS)	0h 33m
136	RSVP	0h 07m
137	Catalyst 3560 QoS	1h 00m
138	IOS Security Overview, Access Lists (ACLs)	0h 58m
139	Time Based ACLs, Dynamic ACLs	0h 33m
140	Reflexive ACLs	0h 21m
141	TCP Intercept, Content Based Access Control (CBAC)	0h 34m
142	Zone Based Policy Firewall (ZBPF)	1h 09m
143	AAA, Local Authentication, Local Authorization, Role Based CLI Access	0h 43m
144	Port Security, Static CAM Entries, Storm Control, 802.1X Authentication, PACLs, RACLs, VLAN Access Maps (VACLs)	0h 48m
145	DHCP Snooping, Dynamic ARP Inspection (DAI), IP Source Guard	0h 12m
146	Protected Ports, Private VLANs	0h 25m
147	IP Services Overview, HSRP	1h 10m
148	VRRP, GLBP	0h 28m
149	NAT	0h 42m
150	DHCP, DNS	0h 30m
151	NetFlow	0h 09m
152	WCCP, Miscellaneous IP Services	0h 06m
153	System Management Overview, NTP, NTP Authentication	0h 24m
154	SNMP, RMON	0h 38m
155	Syslog, Telnet, SSH, Banners	0h 21m
156	EEM Scripting, Miscellaneous System Management	0h 26m
Total Duration		81h 42m

Slides - Diagrams

Slides - Introduction

Slides - Ethernet Switching

Slides - Advanced Ethernet Switching

Slides - Frame Relay

Slides - PPP

Slides - Transport Bridging

Slides - Redistribution

Slides - IOS Security

Slides - Layer 2 Security

Slides - IP Services

Slides - System Management

0:00:12	In our next section for IOS security, we're going to look at
0:00:16	the local authentication and authorization process on the
0:00:20	routers and how it compares to AAA that can be used to
0:00:24	configure either local authentication, authorization and accounting mechanisms
0:00:29	or to remote TACACS and RADIUS servers.
0:00:35	Now when we configure AAA, the IOS command
0:00:38	to first enable it is the AAA new model
0:00:41	which is comparing the old model of authentication and
0:00:45	authorization which is local based on the global user name
0:00:49	database or the line configuration meaning the line con 0, the line aux 0
0:00:55	line vty 0 4
0:00:58	so the new model of authentication for AAA supports lists that can
0:01:03	define on a per line basis or a per technology basis
0:01:08	like PPP versus login or 802.1X specifically
0:01:13	where the authentication is going to go, where the
0:01:16	authorization is going to go and where the accounting is going to go.
0:01:21	Now when AAA is enabled, the router is automatically
0:01:24	going to have a default list that is going to apply
0:01:28	to both the authentication, authorization and accounting
0:01:32	unless we are manually overriding this.
0:01:35	Now the potential issue that you could run into when you're
0:01:38	configuring AAA is that if you do not specify any of the methods
0:01:42	correctly, you could potentially log yourself out of the exec process
0:01:47	so you wouldn't be able to authenticate
0:01:49	or when you authenticate, you would not be able to
0:01:52	to start the exec process which means that your
0:01:55	authorization would fail..
0:01:59	So within the scope of the lab exam, before you make any of these
0:02:01	changes, anything that is login related or privilege
0:02:05	command related, make sure that you save the device's config
0:02:08	so that at worst case scenario you could just reload and then go
0:02:12	back to your last known working configuration.
0:02:17	Now as I mentioned AAA supports both local authentication and
0:02:21	authorization and remote authentication and authorization
0:02:26	where within the scope of routing and switching there's not
0:02:28	going to be an actual server that we're going to be talking to.
0:02:31	So generally, this is going to be with either RADIUS or
0:02:34	TACACS where we specify either the IP RADIUS server
0:02:38	the IP TACACS server command also generally where we are
0:02:41	sourcing our TCP packets from or sourcing our
0:02:46	UDP packets from because this is going to have to be
0:02:51	specified in the AAA server itself what is the managed device
0:02:56	that is doing the authentication which is known as the AAA client.
0:03:00	Now generally we would also want to configure the local
0:03:04	mechanism as the fallback option
0:03:06	to make sure that if either the TACACS server or the RADIUS
0:03:09	server is not available, then we could still use the information
0:03:13	that's in the local database.
0:03:16	Now where this would become a problem let's look at one of our
0:03:20	devices in the topology and let's say on Router 1
0:03:24	if I were to configure AAA we'll say AAA new model
0:03:30	then I were to define the AAA authentication list
0:03:35	we'll say AAA authentication to login
0:03:39	I can either specify a named list that I can then apply to
0:03:44	the console versus the aux port versus the vtys
0:03:49	where the default is going to be the one that applies to all
0:03:51	of them automatically. Now if I say that this is
0:03:55	going to go to the server group that is TACACS
0:03:58	or the server group that is RADIUS
0:04:01	if I do not have the server defined or the server is unavailable
0:04:10	it says now the TACACS server is unknown and authentication has failed.
0:04:14	Basically what this means is I'm now locked out of Router 1's console.
0:04:20	So even though previously, I had access in order to telnet
0:04:24	into Router 1, so if I go to Router 3 for example who's
0:04:28	directly connected to Router 1
0:04:31	and I'm going to try to telnet to them to get into the
0:04:34	exec process. The default group here
0:04:38	is going to apply to all of the lines.
0:04:41	So when I telnet into Router 1 I'm basically going to get the same
0:04:44	error message that it was unable to contact the TACACS server
0:04:48	authentication is failing so now I'm locked out of the console.
0:04:54	Ideally what you would do instead is specify a last resort method
0:04:59	where when we say aaa new model
0:05:02	and aaa authentication
0:05:05	we want to login default we could go to TACACS
0:05:12	or the group, we'll say the group TACACS, but if the
0:05:15	TACACS server is unreachable, then I'm going to use either the
0:05:18	local database or I'll use the line password
0:05:22	or I'll use no authentication.
0:05:24	So I were to say local and I have username cisco password cisco
0:05:33	if I exit out of Router 2 that default group is now going to
0:05:37	apply to the console.
0:05:39	We can see it cannot process the authentication to server type
0:05:43	TACACS because we don't have it configured, but now I still have my
0:05:46	last resort method
0:05:48	which is the global username database, so I'm still able to
0:05:54	authenticate.
0:05:58	Now for the specific lists if I didn't want to do just a
0:06:01	default method, I could specify that I have the AAA authentication
0:06:08	for the login method.
0:06:10	I have a method called none
0:06:13	that does no authentication
0:06:16	then if I went to the console -- actually I can't use that because
0:06:19	that's the keyword, let's say NO_AUTH
0:06:26	then under the console, I can say the login authentication method
0:06:31	is NO_AUTH
0:06:34	so this now means when I connect to the console
0:06:37	it's not going to ask me for authentication
0:06:40	it's only going to ask me if I were to connect to any other
0:06:43	line like the VTY or the AUX port.
0:06:49	So this is a very important point to play around with this to
0:06:52	see how the different lists work because if you
0:06:54	end up locking yourself out of the console
0:06:56	or you lock the proctor out of the console
0:06:59	then there's no way that they can grade your work and you're automatically
0:07:01	going to fail the exam.
0:07:03	So again, just make sure that you save your config first
0:07:06	so then if there's a problem you can always just reload
0:07:09	and it's going to go back to whatever your previous working
0:07:12	configuration was.
0:07:14	You'll see that the vast majority of these AAA options
0:07:18	for AAA authentication or AAA authorization and accounting
0:07:24	most of these are not going to be within the scope of the
0:07:25	routing and switching exam
0:07:28	like the EAP over UDP this is going to be for things
0:07:34	like the wireless authentication or dot1X would be for the wired
0:07:39	authentication of EAP
0:07:46	AAA authentication we can specify things like a banner
0:07:51	or change the username and password prompt when we're using
0:07:54	the local username and all password database.
0:07:58	PPP authentication this would be like if we were doing
0:08:02	PPP over Ethernet or some sort of legacy dial-in application
0:08:07	with PPP where if we look at the other mechanisms
0:08:12	the AAA authorization this is going to control whether
0:08:16	you can start the exec process to begin with
0:08:20	or if you were doing per command authorization
0:08:23	what are the specific commands that that particular user can
0:08:26	run. Now the issue with AAA authorization
0:08:32	is that if we are doing authorization for commands
0:08:37	there's no way that you can do this locally.
0:08:40	You would have to ask TACACS because TACACS
0:08:44	has the specific structure that is for the IOS commands.
0:08:47	This is not supported with RADIUS.
0:08:50	For the local authorization of commands
0:08:53	there's a couple different ways that we can do it without having
0:08:56	to use TACACS. One of them is with the local
0:09:00	command authorization with the privilege levels
0:09:03	and the other one is with a feature that is known as
0:09:05	the role-based access control
0:09:07	or role-based CLI.
0:09:11	Now the privilege level commands technically you can use this in order
0:09:15	to do per command authorization, but generally it's really cumbersome
0:09:20	to do this and there's too many variables you need to take into
0:09:23	account in order to actually accomplish anything that's
0:09:26	useful where by default the IOS has three separate
0:09:30	privilege levels that are 0, 1 and 15
0:09:33	Zero means no access.
0:09:34	One means basic access like you can ping or you can telnet
0:09:39	you could show ip interface brief, show ip route
0:09:41	but you can't make any changes.
0:09:44	then privilege mode level 15 this is anything where you can
0:09:48	change anything, so that's typically where you see the
0:09:51	pound sign after the router's host name
0:09:55	that means that you are in privilege level 15
0:09:59	Now at any time on the router you could look at the show privilege
0:10:03	and it's going to show you what your current assignment is
0:10:06	so right now in enable mode, I am a privilege 15
0:10:10	If I were to disable and show privilege
0:10:15	right now I'm at level 1
0:10:17	If I were to disable to level 0
0:10:21	and I now try to show privilege
0:10:24	the show command is not allowed at that level
0:10:28	because essentially privilege level 0 is you can either try
0:10:31	to authorize further or you can just log out.
0:10:36	Now every time we say enable
0:10:38	and enter the password
0:10:40	what we're actually saying is enable 15
0:10:44	which means that you want to authorize to privilege level 15
0:10:48	You can technically define any other level that is from
0:10:52	2 to 14
0:10:55	for any manual command authorization set that you want to define.
0:11:00	But the problem that you run into is that a higher privilege level
0:11:04	will automatically inherit any commands that are
0:11:08	for privilege levels lower than it.
0:11:10	So this means that privilege level 1 gets all zero commands.
0:11:14	Privilege level 2 gets all zero and one, privilege level 15
0:11:18	gets all 0 through 14 plus 15
0:11:23	so with the hierarchy of the inheriting of the privilege levels
0:11:26	it gets fairly complicated to figure out how do I actually assign
0:11:31	an individual user what commands that they can run.
0:11:35	So again, you can technically do this. The way that you could
0:11:38	do it is either move the command's privilege down to a level that it was not
0:11:43	at before if you want to authorize a lower privilege
0:11:47	level user to run something or you can move the command's
0:11:52	privilege up in order to basically deauthorize them from doing it.
0:12:00	So let's say for example that we want privilege level zero
0:12:04	users to look at the running configuration on the interfaces
0:12:10	on Router 2 specifically here I want them to be able to say
0:12:13	show run interface Fast Ethernet 0/0
0:12:18	so in order to do this, I would need to figure out what are all
0:12:23	the individual parser steps that I would need to run
0:12:27	in order to make changes on the interface.
0:12:33	So what I mean by this is that the first step would be that
0:12:37	we authorize into the exec process
0:12:39	which is where we start with the router's host name
0:12:42	followed by either the greater than sign or the pound sign.
0:12:47	Once we're at the exec mode, next thing normally we would do
0:12:49	is to authorize into global configuration mode or configure mode.
0:12:55	So to do this, we say configure terminal, it's going to get us to the
0:12:58	config mode, then we would go to the interface we would say
0:13:01	interface Fast Ethernet 0/0 this is then a configure level
0:13:05	command that's being issued.
0:13:09	So the key point is that when you look at the router's prompt
0:13:12	it's going to show you what is the privilege mode that that
0:13:17	command exists in, in order to run.
0:13:21	So for example, a show command like show ip interface brief
0:13:25	this is an exec level command
0:13:28	because we are issuing it at the lowest hierarchy
0:13:32	which is exec mode.
0:13:35	If I were to go to config t and then say interface Fast Ethernet 0/0
0:13:39	the interface command itself is a configure command because
0:13:45	that's the parser mode that we're issuing it from.
0:13:48	At the Ethernet interface, if I were to say ip address
0:13:52	the IP command followed by the argument's address that the actual
0:13:56	address in the mask, these are interface level commands
0:14:00	because that's the particular parser mode that it's run in.
0:14:05	So what this essentially means is that if we were to use local
0:14:08	privilege levels to authorize commands, we would have to
0:14:12	know what are all the individual parser modes that the commands are
0:14:16	run in, so let's assume here that I want to be able to
0:14:21	show run and see all of this information on Router 2's interface
0:14:28	but I don't want the user to be able to make any changes.
0:14:31	So what I'm going to do is take all of these commands and move
0:14:34	them down to privilege level zero. Now to see whether
0:14:38	this is going to work or not instead of constantly exiting
0:14:42	out of Router 2, I'm just going to telnet into it from a different device
0:14:48	then I'm going to enable to level zero
0:14:54	so now on Router 2, we can basically see -- we can see that we can
0:14:57	basically run no commands. If I were to show ip interface brief
0:15:01	or show run interface Fast Ethernet 0/0
0:15:04	I'm not authorized to do that.
0:15:07	So I want to change this now that at privilege level zero
0:15:10	I can actually issue these commands.
0:15:13	First thing I would need to do is give Router 2 access to
0:15:17	run the show command.
0:15:19	Specifically this command is run at the exec mode.
0:15:24	So when I change the privilege for a command
0:15:29	the configuration mode or excuse me, the command's mode
0:15:32	the parser mode is going to be exec.
0:15:35	I want to move this to level zero and specifically this is the
0:15:40	show command followed by the arguments
0:15:45	run, the arguments interface and Fast Ethernet 0/0
0:15:52	Now if we look at what happens when we actually issue this command
0:15:58	you'll see that with the local command authorization, there are
0:16:01	arguments that you can pass to it and some arguments you cannot
0:16:05	where I can define the show command and the show running config
0:16:09	but I can't specifically authorize them to say show run interface
0:16:13	without just saying show run globally.
0:16:16	And I cannot authorize them to say show run interface Fast Ethernet 0/0
0:16:21	without authorizing them to say show run interface
0:16:23	serial 0/0
0:16:26	so with the local command authorization, there's a lot of restrictions to it.
0:16:29	There's a lot of short comings. If we were to do this with TACACS
0:16:32	you could basically do whatever you want because you're sending
0:16:36	each of these commands and the arguments
0:16:38	as separate strings, then the TACACS server says
0:16:42	yes you're allowed to say show
0:16:44	yes you're allowed to use the argument run
0:16:46	you're allowed to use the argument interface
0:16:47	and the argument Fast Ethernet 0/0
0:16:50	but the actual implementation of that gets a little bit more complicated.
0:16:54	So now on Router 3, if we look at the telnet session that we have to
0:16:58	Router 2, what we should see now is that the show command
0:17:02	is listed there.
0:17:03	If we look at the arguments under show, I'm allowed to say show
0:17:08	running config
0:17:10	I'm also allowed to say show running config interface
0:17:14	but when we actually look at this, there's nothing actually
0:17:18	there in the config.
0:17:21	The reason why is that with local command authorization
0:17:26	you're only allowed to see what you can actually
0:17:30	configure, so it's kind of an odd end result that's different
0:17:35	from the role-based CLI and different from the TACACS authorization
0:17:41	that the router's going to strip the running config
0:17:43	for options that you cannot change.
0:17:47	So this means that on Router 2, I did not give this
0:17:52	user access to run the ip address command
0:17:55	or the other commands like the ip rip authentication
0:18:00	or the ip rip authentication key chain, the duplex and the speed
0:18:04	so it means that they're not able to see these.
0:18:08	If I wanted Router 2 to be able to see all of these commands
0:18:12	the user at privilege zero, I would need to authorize
0:18:16	each of these individual sub options at the interface level.
0:18:21	So I could say privilege at the interface level 0
0:18:26	I want them to be able to see the IP address
0:18:35	And let's say show run interface Fast Ethernet 0/0, I want them to
0:18:38	be able to say ip rip authentication mode md5
0:18:44	I want them to be able to see the duplex
0:18:48	and the speed.
0:18:50	Now since I gave them the ip rip authentication mode md5
0:18:54	it implies that I'm giving them ip rip authentication mode
0:18:57	which is a sub argument then of ip rip authentication
0:19:01	which is an argument of ip rip which is an argument of ip
0:19:06	so when you look at the hierarchy of the parser, you can see this from
0:19:09	the result of the privilege command
0:19:14	where if I'm authorized to do ip rip authentication mode
0:19:18	it means that I have to be authorized to do the top one
0:19:22	this one
0:19:23	this one and this one.
0:19:28	Now I didn't necessarily give them key chain. We'll have to see if
0:19:32	Router 3 has the result of that, so actually it didn't. I didn't
0:19:37	give them the key chain authorization, so they weren't able to see that particular
0:19:42	option. I would have to then add this manually in here
0:19:46	privilege interface level 0
0:19:49	ip rip authentication key chain rip
0:19:56	and now they'll be able to see that.
0:19:59	But you could see just the amount of variables that you have to take into
0:20:04	account, it kind of limits what the real effectiveness is of this
0:20:08	local privilege authorization.
0:20:12	Usually where this really comes in is that if you want the users
0:20:16	at level zero or one to be removed of some privilege
0:20:20	that they could do before like let's say the privilege level one
0:20:24	users we don't want them to be able to ping or we don't
0:20:27	want them to be able to telnet. What we could do
0:20:30	then is take that command and move it up in privilege
0:20:34	instead of moving it down in privilege.
0:20:38	So on Router 2, if I were to enable to level one or
0:20:41	let's say enable to 15 which is password cisco
0:20:44	then I were to enable back to level one where if I show privilege
0:20:49	I'm at one which means that I can run the basic ping command
0:20:56	but I can't run the extended ping command. I could run just basic ping.
0:21:01	I should also be able to do a basic telnet.
0:21:06	But maybe I don't want those users to be able to do that.
0:21:08	When they're at level one, I don't want them to ping or telnet.
0:21:11	Ok, maybe I don't want them to trace route either.
0:21:15	So what I'm going to do instead for those three commands
0:21:18	instead of lowering their privilege level, I'm going to
0:21:21	raise it above level one.
0:21:25	I'll say privilege exec
0:21:28	because those are at the exec mode of the parser.
0:21:32	I'm moving these up to level two
0:21:34	the ping command, the telnet command
0:21:38	and the trace route command.
0:21:42	Now for that user that's at privilege one, they're not able to
0:21:46	telnet, they're not able to ping and they're not able to trace.
0:21:52	Now depending on whether the default transport input is going to
0:21:55	allow them to telnet, you could see -- you can kind of get around
0:21:59	this because I didn't need to issue the actual telnet command.
0:22:03	I just typed the address.
0:22:05	So probably what I would want to do here on Router 2's lines
0:22:10	if I don't want the privilege level one users to telnet
0:22:14	I need to disable this behavior here
0:22:19	which is going to be controlled by what?
0:22:21	So I want to set it when they type an address on its own
0:22:23	it's not going to telnet to it.
0:22:25	They would have to specifically say telnet and then the particular
0:22:28	destination they want to reach.
0:22:32	What this is controlled by is under the line
0:22:37	it's the transport preferred
0:22:43	which by default the transport preferred is telnet
0:22:46	so I'll say transport preferred none which means now
0:22:51	that if we issue just the address on its own
0:22:54	it's not going to do a telnet to that.
0:22:58	So this user is still at privilege one
0:23:01	they're allowed to run show commands like show ip interface brief
0:23:03	but now I've deauthorized them to say ping, trace or telnet.
0:23:22	So again, this does work here, but most of the time
0:23:25	it's not feasible because the amount of possible
0:23:28	arguments that you need to give the configuration
0:23:31	is really going to be limiting.
0:23:33	If you wanted to do this type of operation, but you
0:23:36	couldn't do it to a remote TACACS server
0:23:39	then the alternate option is the role-based CLI
0:23:43	which is again called the either the role-based access control
0:23:46	RBAC or the role-based CLI
0:23:51	so this is now a new replacement for the privilege commands
0:23:54	which is also known as the parser view.
0:23:58	So what we're now going to do is define different views
0:24:01	of the parser which basically means different commands that they're
0:24:04	authorized to run and we could either assign these
0:24:08	specifically to users or we can manually switch between the
0:24:12	views by saying the enable view command.
0:24:18	So now let's take a look at this on the command line
0:24:20	where we're going to use the role-based access control or the
0:24:23	role-based CLI to do similar operations to what we did
0:24:26	with the local privilege command, but we'll see the role-based CLI is
0:24:30	much more flexible as to the assignments that we can
0:24:34	give individual users for the verification commands and for
0:24:38	the configuration commands.
0:24:41	So the first thing that we would do for this feature
0:24:44	is to enable AAA globally
0:24:48	so on Router 4, we'll go to global config, we'll say aaa new model
0:24:54	which is going to turn the AAA process on
0:24:57	then from exec mode, not from configure mode, we're going to say
0:25:01	enable view
0:25:04	so instead of saying enable which is going to put us in privilege level 15
0:25:07	enable view if we now use our same privilege 15 level password
0:25:12	so either our enable password or enable secret, this is going to
0:25:16	set us into the root parser view.
0:25:19	So the root view is similar to privilege level 15
0:25:23	the difference is that we can configure and change other
0:25:26	parser views where you're not able to do that if you are in
0:25:30	normal privilege level 15
0:25:35	So this is effectively the administration role for the different role-based CLI
0:25:39	configs we're going to do, so now from global config
0:25:42	we're going to define a parser view
0:25:45	we give it a locally significant name, this is going to be case-sensitive
0:25:50	so I'll say this one is going to be for doing different show commands.
0:25:56	Now each of the individual views will have different
0:25:58	passwords associated with them. We could use the same
0:26:01	password for multiple views, but regardless we do need to
0:26:04	define it with the secret command.
0:26:07	So I'll say the secret is cisco
0:26:10	The particular command I want this view to be able to run
0:26:14	is similar to the privilege command we would need to know what is the
0:26:17	exec mode that it is run in, so if I wanted to give them
0:26:21	access to all show commands, those are going to be run
0:26:24	from exec mode.
0:26:26	So I would say in exec mode
0:26:29	we can either say are they allowed to do this which
0:26:31	would be include the command, are they not
0:26:35	allowed to do it which would be exclude or include exclusive
0:26:39	which means that this view and only this view can run
0:26:44	that particular command.
0:26:48	So we'll say commands exec
0:26:50	we want to include
0:26:54	all show commands.
0:26:56	So this means that for any argument of the show command
0:26:59	whether it's show ip route, show ip interface brief,
0:27:01	show access list, this particular view should be allowed to do that.
0:27:06	Now, the way that we test this let's go to one of the other
0:27:09	routers, let's say Router 1 and we'll telnet to Router 4
0:27:14	we can see now since the AAA process has been enabled
0:27:18	the Router is doing authentication on all of the lines.
0:27:23	Now you'll see some differences between the different versions
0:27:27	how the AAA process works, but generally whenever you turn
0:27:30	it on, you want to make sure that you have a specific method
0:27:34	defined for all of the lines.
0:27:37	And the reason you need to do this is to make sure that you
0:27:40	don't lock yourself out of the console or you don't lock yourself out of either
0:27:44	telnet or SSH access remotely.
0:27:47	So even though I didn't configure any users on Router 4 yet,
0:27:51	we can see it's still looking for the user name and password prompt.
0:27:55	On Router 4, we'll configure the user cisco with password
0:28:00	cisco. Username cisco password cisco.
0:28:06	So now Router 1 should be able to login with this cisco
0:28:09	cisco, this should drop them off of the normal privilege level one.
0:28:14	Now if we say enable, that's going to put us into privilege level 15
0:28:18	which is our normal administration for the command line.
0:28:22	But if we look for the parser view command,
0:28:30	and let's say view 1
0:28:32	we can see that it did not allow us to change any of the other
0:28:37	parser view configurations, so we would have to be in the
0:28:40	root view, not in privilege level 15
0:28:43	To manually switch between them, instead of saying just
0:28:47	enable view which is going to go into the root view
0:28:50	we would say enable view and then the specific name
0:28:53	which in this case is show.
0:28:57	The password I defined for that individual view was
0:28:59	cisco. If we now look at the show parser view
0:29:04	it says I'm in the show view.
0:29:06	If we look at the context sensitive help, we can see now
0:29:09	essentially this user can only issue show commands
0:29:13	try to further authorize
0:29:16	or exit out of the command line.
0:29:19	So since I've given them all arguments of the show command, I could
0:29:22	say show ip route
0:29:25	show ip interface brief
0:29:29	show memory there's not going to be any restrictions to this.
0:29:34	Now similar to the privilege commands though
0:29:36	if we were to look at the show run
0:29:39	this user is only going to see in the running config
0:29:44	the specific options that they have the ability to change.
0:29:49	So unless I give them access to change the router sub configuration
0:29:52	mode or the interface configuration mode, they're not going to be able to
0:29:56	say show run
0:29:58	or technically they can say show run, just they're not going to be able to see
0:30:00	any of the output.
0:30:03	So most of the time doing these views is mainly for different
0:30:07	verifications where you want someone to be able to login
0:30:10	and check the status of the router, but not have a
0:30:13	basically a read/write view for the device.
0:30:19	Now another thing we could do for this besides just including
0:30:23	a specific command or excluding a command
0:30:25	would be to define a view that is the only one that can
0:30:29	issue that particular command, so if we said parser view show ip route
0:30:38	that has the secret of cisco
0:30:43	and has the command that is included -- or actually this would be
0:30:47	an exec command -- that is included exclusively
0:30:52	and is show ip route.
0:30:55	So now from Router 1 who is in the parser view show
0:31:03	they're no longer able to say show ip route
0:31:05	because that now has been moved to that specific view
0:31:10	that is the show ip route view.
0:31:16	Now for the other command mode like in global config or
0:31:19	in router config, route map mode
0:31:22	it's going to be similar to the privilege commands that we looked at before.
0:31:26	So I wanted a view that was to allow the users to change anything
0:31:31	in the router configuration mode.
0:31:34	Let's say parser view is router.
0:31:38	We didn't give it a password, so we'll say secret is cisco.
0:31:42	I want the commands to be in exec mode. First I need to make sure that they
0:31:48	can say config t, so if they can't get to global config, then they're
0:31:53	not going to be able to change anything about the routing process.
0:31:56	Now once they're in configuration mode, so in configure mode
0:32:02	I want to include all router commands.
0:32:06	So this should be anything under the OSPF process
0:32:10	anything under the BGP process
0:32:11	whoever is assigned to this particular view should be allowed to do that.
0:32:18	So on Router 1, let's say enable view router
0:32:27	If we show parser view
0:32:31	we can see that we did change from the show to the router view.
0:32:36	If we show privilege
0:32:38	we're not able to issue that because I didn't authorize them
0:32:41	to run any show commands, so if we look at the question mark
0:32:44	we can see that for show, they're basically not allowed to
0:32:50	do anything other than to check their particular view
0:32:53	or go to global config
0:32:56	so they could say configure terminal, but not configure memory.
0:33:00	Then once they're in global config, they can go to the
0:33:02	router sub configuration mode
0:33:05	let's say router ospf 1
0:33:08	then under here any of the sub configuration commands
0:33:12	should be available.
0:33:14	So just based on this fact, you can see it's a little bit easier to
0:33:18	use than the privilege level commands
0:33:22	because with the privilege command, you essentially
0:33:24	need to account for every command and then the individual
0:33:29	arguments like the exec command configure, then the
0:33:33	argument terminal would be two separate options under
0:33:36	the privilege configuration where here with the parser
0:33:40	view, if we're telling that we want them to be able to run
0:33:43	config t, the router understands that they have to be able to issue the
0:33:46	configure command first.
0:33:51	Now the other option that this has is to define what is known as a
0:33:54	super view. A super view is basically the combination of
0:33:59	multiple parser views that is going to allow them to do
0:34:02	the commands that one view is enabled to do and then
0:34:05	an additional view.
0:34:07	So for example we could combine the show view
0:34:12	let's say -- let's show run here on Router 4
0:34:17	We could combine this parser view of show and this parser view
0:34:20	of router, so when the user is authorized to that particular
0:34:25	view, they could run all of the show commands
0:34:27	except show ip route
0:34:30	because here we're including exclusively show ip route to that
0:34:34	show ip route view
0:34:36	and we're also going to authorize them to run any of the router commands
0:34:40	along with config t
0:34:45	so to do this, we'll define another parser view
0:34:49	we'll say show and router is its name
0:34:54	and this is going to be defined as a super view.
0:34:57	So a super view just means that it's inheriting multiple views
0:35:00	at the same time, so just like the other ones, it does need a
0:35:04	password, I'll say the secret is cisco
0:35:08	then what other particular views that it is going to include.
0:35:12	In this case, I want it to include show and I want it to include
0:35:16	router.
0:35:21	So now if Router 1 were to change to that
0:35:25	we'll say enable view show and router.
0:35:34	We can run any of the show commands.
0:35:38	Say show ip interface brief
0:35:40	Again, I should not be able to say show ip route
0:35:44	because that was included exclusively to the other show
0:35:48	ip route view
0:35:50	then I could go to global config
0:35:53	I can't go to the interface level, so I can't say
0:35:57	interface Fast Ethernet 0/0
0:35:59	but I could go under router bgp 1
0:36:02	or 100 in this case
0:36:05	and then run any of the particular commands under that sub mode.
0:36:11	Now previously with the privilege commands, the way that we had to
0:36:15	assign specific users to an individual authorization
0:36:19	was to define what their privilege level was.
0:36:22	So if I defined a user at privilege level five
0:36:25	it means that they can run any commands that are
0:36:27	0, 1, 2, 3, 4 or 5
0:36:30	so it's very limited as to the different users and what particular
0:36:34	authorizations you can give them because it automatically has a hierarchy
0:36:39	where if I'm at ten, I'm also going to include anything that's at
0:36:43	five or anything nine or below.
0:36:48	With the role-based CLI it's a little bit more flexible
0:36:51	because we can define on a per user basis what is the
0:36:54	individual view that they are assigned to when the user logs in.
0:37:00	So to do this, it's similar to what we did before
0:37:03	with the privilege level commands. We're going to specify a particular user
0:37:07	name. We'll say username show with the password
0:37:13	password cisco and username show is going to
0:37:16	be assigned to the view show
0:37:22	and since we're already checking the local database by
0:37:25	default based on AAA
0:37:35	when Router 1 telnets to Router 4
0:37:38	logs in as show with the password of cisco
0:37:42	if we look at the show parser view
0:37:46	and the show privilege
0:37:50	it says that right now they have been assigned a privilege
0:37:52	level one.
0:37:54	So this essentially means that even though we have the view
0:37:57	assigned to the user, the AAA process has not
0:38:02	been configured to actually look for this command
0:38:05	in the local database.
0:38:08	And the reason why is that we now have to enable the
0:38:11	exec authorization process.
0:38:15	Now when AAA is off, so if we do not say AAA new model
0:38:19	the router by default is going to use the local database
0:38:22	for authentication and for authorization
0:38:26	where authentication is going to be either user name and password
0:38:29	authorization is going to be either privilege level and then
0:38:33	things like maybe the auto command if we're doing something
0:38:35	like the lock and key access lists.
0:38:41	But in this particular case, since now AAA is enabled
0:38:44	I need to tell the router with the AAA authorization
0:38:48	authorization exec command
0:38:51	that either I want to go to a specific list
0:38:56	whether this is going to reference a RADIUS server
0:38:58	or a TACACS server or I could say for all
0:39:03	methods and I'm going to check now the local database.
0:39:11	So on Router 1, if we exit out of Router 4 and telnet
0:39:15	back to them
0:39:16	in with user name show and password cisco
0:39:21	If we look at the show privilege
0:39:24	it's says now we're in the parser view that is show.
0:39:29	So we no longer have a privilege number assigned to us
0:39:31	we're specifically in this view
0:39:33	so we could say show ip interface brief
0:39:38	we could say show version
0:39:42	but again, we cannot say show ip route
0:39:44	because that was included exclusively with one of the different views.
0:39:51	Now I'm not a 100 percent sure if the documentation
0:39:54	talks about this command the AAA authorization
0:39:58	exec default because this isn't really related directly to the
0:40:03	role-based CLI. It's more related just to the general
0:40:06	authorization process of how AAA works.
0:40:10	But if you did not say AAA authorization exec
0:40:13	and then either use the default method or give it a specific
0:40:19	group name, then point this to the local database
0:40:23	then you would not be able to associate the view with the
0:40:25	particular user.
0:40:29	Now the other thing that you would do for this in production
0:40:32	if you actually had a RADIUS or TACACS server that you were
0:40:35	authenticating to, if we go to the configuration guide
0:40:39	this is going to be documented under security, then securing
0:40:43	user services
0:40:46	then under role-based CLI access
0:40:52	the view authentication via a new AAA attribute.
0:40:58	So now the IOS supports what's known as the
0:41:01	cli-view-name
0:41:05	so if you were actually doing this with a RADIUS or TACACS
0:41:08	server, you could define for the exec authorization
0:41:12	a either a custom attribute with RADIUS or TACACS
0:41:16	probably would support this natively, the cli-view-name
0:41:19	then we would specify what the individual parser view was.
0:41:25	So let me see here if it has the AAA authorization.
0:41:29	Now it doesn't say anything about the authorization so
0:41:32	they're kind of assuming that if you're using this feature
0:41:35	you already know how AAA works
0:41:40	but again, as I mentioned before a lot of the real details
0:41:43	behind this type of stuff is not going to be that large of a
0:41:47	focus of the routing and switching exam.
0:41:49	It's more going to be reserved for security
0:41:52	so as long as you know what this feature is
0:41:54	you try it out once or twice, you know where it's located here
0:41:57	in the documentation, it's pretty self-explanatory if you
0:42:01	go down to their configuration examples
0:42:04	you should be able to take these and then change them around
0:42:07	to the specific commands that you need.
0:42:12	But again, the big key with this is to figure out what
0:42:15	are the particular modes that I need to run those individual
0:42:19	commands in.
0:42:21	So things like the show commands those would be exec
0:42:24	the interface command, the router command those
0:42:26	are going to be run in global configuration
0:42:29	then the individual things like IP address would be an interface
0:42:33	level command, network statement would be a router level command
0:42:37	so again, the easiest way to figure this out is that when you
0:42:41	go to the router's command line, type in the commands that
0:42:44	you would normally do in order to make a change
0:42:47	so let's say I wanted to configure an access list
0:42:50	first thing from exec mode, I would say configure terminal
0:42:55	then I would specify the access list command.
0:42:59	So this means I would need to authorize them to say
0:43:01	configure terminal from exec
0:43:04	and authorize them for the access list command
0:43:07	at configure mode.

Now Viewing

CCIE R&S Advanced Technologies Class v4.5
Title:	CCIE R&S Advanced Technologies Class v4.5
Duration:	81h 42m
The CCIE Routing & Switching Advanced Technologies Class is the first step in understanding CCIE level technologies and is a companion to the Advanced Technologies Lab Workbook. Each technology you need to know for the CCIE Routing & Switching lab will be described in detail using an instructor led hands on demonstration. The class consists of over 80 hours of in depth explanations and examples.
Get instant access to our entire library!
	Sign Up
Download this Course
$299.00	Add to Cart

AAA, Local Authentication, Local Authorizatio...

Create Bookmark