RBAC(ROLE BASED ACCESS CONTROL) AND PRIVILEGE

 




Role-Based Access Control (RBAC) is a technique for authorizing device access for users based on user roles and locales. A role defines the privileges of a user on the device, and the locale defines the set of tasks and commands that the user is allowed to access. Because users are not directly assigned privileges, managing individual user privileges is simply a matter of assigning the appropriate roles and locales.


RBAC_LAB:







ROOT CONFIG:

RBAC(config)#aaa new-model
RBAC(config)#enable secret cisco

RBAC>en vi

RBAC>en view root

Password:

RBAC#%PARSER-6-VIEW_SWITCH: successfully set to view 'root'.


VIEW1 CONFIG:

RBAC(config)#parser view view1

RBAC(config-view)#se

RBAC(config-view)#secret admin

% Overwriting existing secret for the current view

RBAC(config-view)#c

RBAC(config-view)#commands ex

RBAC(config-view)#commands exec in

RBAC(config-view)# commands exec include show ip interface brief


VIEW2 CONFIG:

RBAC(config)#parser view view2

RBAC(config-view)#se

RBAC(config-view)#secret admin

% Overwriting existing secret for the current view

RBAC(config-view)#c

RBAC(config-view)#commands ex

RBAC(config-view)#commands exec in

RBAC(config-view)# commands exec include show version


VIEW3 CONFIG:

RBAC(config)#parser view view3

RBAC(config-view)#se

RBAC(config-view)#secret admin

% Overwriting existing secret for the current view

RBAC(config-view)#c

RBAC(config-view)#commands ex

RBAC(config-view)#commands exec include configure terminal

RBAC(config-view)#commands exec include show clock

! allow entering configuration mode (and show clock) from exec mode

RBAC(config-view)#commands configure include router rip

! allow configuring the RIP routing protocol in config mode

SUPERVIEW CONFIG:

RBAC(config)#parser view superview

RBAC(config-view)#secret admin

RBAC(config-view)#view view1

RBAC(config-view)#view view2

RBAC(config-view)#view view3

VIEW VERIFY:

RBAC>en view view1

Password:

RBAC#%PARSER-6-VIEW_SWITCH: successfully set to view 'view1'.

RBAC#sh parser view

RBAC#sh ip ?

interface IP interface 


RBAC>en view view2

Password:

RBAC#%PARSER-6-VIEW_SWITCH: successfully set to view 'view2'.

RBAC#sh parser view


RBAC#sh ?

version System hardware and software status


 

RBAC>en view view3

Password:

RBAC#%PARSER-6-VIEW_SWITCH: successfully set to view 'view3'.


RBAC#sh parser view

RBAC#sh ?

clock Display the system clock


RBAC>en vie

RBAC>en view root

Password:

RBAC#%PARSER-6-VIEW_SWITCH: successfully set to view 'root'.



RBAC#wr

Building configuration...

[OK]

RBAC#


ROUTER_CONFIG

hostname RBAC


enable secret 5 $1$mERr$vTbHul1N28cEp8lkLqr0f/


aaa new-model


ip cef

no ipv6 cef


ip ssh version 2

ip domain-name otmane.com


spanning-tree mode pvst


interface GigabitEthernet0/0/0

ip address 192.168.0.1 255.255.255.0

duplex auto

speed auto

!

interface GigabitEthernet0/0/1

no ip address

duplex auto

speed auto

shutdown

!

interface GigabitEthernet0/0/2

no ip address

duplex auto

speed auto

shutdown

!

interface Vlan1

no ip address

shutdown

!

ip classless

!

ip flow-export version 9


line con 0

!

line aux 0

!

line vty 0 4

transport input ssh

!

!

parser view super

secret 5 $1$mERr$vTbHul1N28cEp8lkLqr0f/

!

parser view view1

secret 5 $1$mERr$vTbHul1N28cEp8lkLqr0f/

commands exec include show

commands exec include show ip

commands exec include show ip interface

commands exec include show ip interface brief

!

parser view view2

secret 5 $1$mERr$vTbHul1N28cEp8lkLqr0f/

commands exec include show

commands exec include show version

!

parser view view3

secret 5 $1$mERr$vTbHul1N28cEp8lkLqr0f/

commands exec include show

commands exec include show clock

!

!

end



NOTE:


commands configure include all router  ! the all keyword authorizes configuring every routing protocol (OSPF, EIGRP, RIP, ...) under router




Cisco Privilege Levels – Explanation and Configuration




  • Level 0 – Zero-level access allows only five commands: logout, enable, disable, help and exit.
  • Level 1 – User-level access lets you enter User EXEC mode, which provides very limited read-only access to the router.
  • Level 15 – Privileged-level access lets you enter Privileged EXEC mode and provides complete control over the router.

 

Cisco Privilege Level Configuration

To assign a specific privilege level to a user, include the privilege number when creating the username and password.

Router(config)#username admin1 privilege 0 secret Study-CCNA1
Router(config)#username admin2 privilege 15 secret Study-CCNA2
Router(config)#username admin3 secret Study-CCNA3


User Access Verification

Username: admin1
Password:
Router>?
Exec commands:
disable  Turn off privileged commands
enable   Turn on privileged commands
exit     Exit from the EXEC
help     Description of the interactive help system
logout   Exit from the EXEC
 
Router>



User Access Verification

Username: admin2
Password:
Router#show privilege
current privilege level is 15

Router#




User Access Verification

Username: admin3
Password:
Router>show privilege
current privilege level is 1

Router>






Router(config)#username admin4 privilege 5 secret Study-CCNA4
Router(config)#privilege exec level 5 show running-config



User Access Verification

Username: admin4
Password:
Router#show running-config
Building configuration...
Current configuration : 57 bytes
!
boot-start-marker
boot-end-marker
!
!
!
end

Router#



Router(config)#enable secret level 5 Study-CCNA5



User Access Verification
Username: admin5
Password:

Router>show running-config
^
% Invalid input detected at ‘^’ marker.

Router>enable 5
Password:
R4#show privilege
Current privilege level is 5

Router#show running-config
Building configuration...

Current configuration : 57 bytes
!
boot-start-marker
boot-end-marker
!
!
!
end

Router#
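As an added example that is not part of the lab above or of any Cisco tooling, the following Python script audits a saved running-config of the shape shown in ROUTER_CONFIG: it parses the parser views and the privilege-level lines, flags views whose stored secret hash is identical to the enable secret (the view then adds no separation from full enable access), flags `all` wildcard grants like the one in the NOTE, and lists which configured users can reach a command that `privilege exec level` moved down. The sample config is constructed from the lab's own lines, view3's hash is a placeholder, and the function names are my own.

```python
import re

# Constructed sample shaped like the lab's ROUTER_CONFIG; view3's hash is a placeholder.
SAMPLE_CONFIG = """enable secret 5 $1$mERr$vTbHul1N28cEp8lkLqr0f/
username admin4 privilege 5 secret Study-CCNA4
privilege exec level 5 show running-config
parser view view1
 secret 5 $1$mERr$vTbHul1N28cEp8lkLqr0f/
 commands exec include show ip interface brief
!
parser view view3
 secret 5 $1$XXXX$PLACEHOLDER-NOT-A-REAL-HASH
 commands configure include all router
!
"""

def parse_config(config):
    """Pull out the enable hash, parser views, user levels and privilege moves."""
    s = {"enable": None, "views": {}, "users": {}, "priv": [], "view": None}
    for line in config.splitlines():
        if m := re.match(r"^parser view (\S+)", line):
            s["view"] = m.group(1)
            s["views"][m.group(1)] = {"secret": None, "commands": []}
        elif line.startswith("!"):
            s["view"] = None  # a bare '!' closes the view block
        elif s["view"] and (m := re.match(r"^\s*secret \d+ (\S+)", line)):
            s["views"][s["view"]]["secret"] = m.group(1)
        elif s["view"] and (m := re.match(r"^\s*commands (\S+) (\S+) (.+)", line)):
            s["views"][s["view"]]["commands"].append(m.groups())  # (mode, action, cmd)
        elif m := re.match(r"^enable secret \d+ (\S+)", line):
            s["enable"] = m.group(1)
        elif m := re.match(r"^username (\S+) privilege (\d+)", line):
            s["users"][m.group(1)] = int(m.group(2))
        elif m := re.match(r"^privilege (\S+) level (\d+) (.+)", line):
            s["priv"].append((m.group(1), int(m.group(2)), m.group(3)))
    return s

def audit(config):
    """Findings a reviewer of this config would raise, as plain strings."""
    s, out = parse_config(config), []
    for name, v in s["views"].items():
        if v["secret"] == s["enable"]:  # same hash: the view password is the enable password
            out.append(f"view {name}: secret hash equals enable secret")
        for mode, action, cmd in v["commands"]:
            if action != "exclude" and cmd.startswith("all "):
                out.append(f"view {name}: wildcard {mode} grant '{cmd}'")
    for mode, level, cmd in s["priv"]:
        who = sorted(u for u, lvl in s["users"].items() if lvl >= level)
        out.append(f"{mode} '{cmd}' at level {level}, reachable by {who}")
    return out
```

Run `audit(SAMPLE_CONFIG)` on a real `show running-config` capture by reading the file into a string; the view blocks are recognised whether or not IOS indented their lines.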
