Module 5 Flashcards
Cisco IOS software has two methods of providing infrastructure access:
Both methods help determine who should be allowed to connect to the device and what that person should be able to do with it.
privilege level and role-based CLI.
___ access provides more granularity and control.
Role-based CLI
By default, the Cisco IOS software CLI has two levels of access to commands:
User EXEC mode (privilege level 1)
Privileged EXEC mode (privilege level 15)
This provides the lowest EXEC mode user privileges and allows only user-level commands available at the Router> prompt.
User EXEC mode (privilege level 1)
This includes all enable-level commands at the Router# prompt.
Privileged EXEC mode (privilege level 15)
There are __ privilege levels in total.
16
The ___ the privilege level, the more router access a user has.
higher
Commands that are available at ____ privilege levels are also executable at ____ levels.
lower - higher
Predefined for user-level access privileges. Seldom used, but includes five commands: disable, enable, exit, help, and logout.
Level 0:
The default level for login with the router prompt Router >. A user cannot make any changes or view the running configuration file.
Level 1:
May be customized for user-level privileges. Commands from lower levels may be moved up to another higher level, or commands from higher levels may be moved down to a lower level.
Levels 2 -14:
Reserved for the enable mode privileges (enable command). Users can change configurations and view configuration files.
Level 15:
To assign commands to a custom privilege level, use the privilege global configuration mode command
Router(config)# privilege mode {level level | reset} command
Specifies the configuration mode. Use the privilege ? command to see a complete list of router configuration modes available on your router.
mode
(Optional) Enables setting a privilege level with a specified command.
level
(Optional) The privilege level that is associated with a command. You can specify up to 16 privilege levels, using numbers 0 to 15.
level
(Optional) Resets the privilege level of a command.
reset
(Optional) Argument to use when you want to reset the privilege level.
command
To configure a privilege level with specific commands, use the
privilege exec level level [command].
example
R1(config)# privilege exec level 5 ping
R1(config)# privilege exec level 10 reload
There are two methods for assigning passwords to the different privilege levels:
To a user that is granted a specific privilege level, use the username name privilege level secret password global configuration mode command.
To the privilege level, use the enable secret level level password global configuration mode command.
Note: Both the username secret and the enable secret commands are configured for encryption.
type 9
Use the __ command to assign a privilege level to a specific user.
username
Use the ____ command to assign a privilege level to a specific EXEC mode password.
enable secret
Limitations of privilege levels
There is no access control to specific interfaces, ports, logical interfaces, and slots on a router.
Commands available at lower privilege levels are always executable at higher levels.
Commands specifically set at a higher privilege level are not available for lower privileged users.
Assigning a command with multiple keywords allows access to all commands that use those keywords. For example, allowing access to show ip route allows the user access to all show and show ip commands.
If an administrator must create a user account that has access to most but not all commands, privilege exec statements need to be configured for every command that must be executed at a privilege level lower than 15.
True
Cisco introduced the access feature in Cisco IOS Release 12.3(11)T. This feature provides finer, more granular access by controlling which commands are available to specific roles. ____ access enables the network administrator to create different views of router configurations for different users. Each view defines the CLI commands that each user can access.
role-based CLI
Role-based CLI access enhances the security of the device by defining the set of CLI commands that are accessible by a specific user. Additionally, administrators can control user access to specific ports, logical interfaces, and slots on a router. This prevents a user from accidentally or purposely changing a configuration or collecting information to which they should not have access.
Security
Role-based CLI access prevents unintentional execution of CLI commands by unauthorized personnel and minimizes downtime.
Availability
Users only see the CLI commands applicable to the ports and CLI to which they have access. Therefore, the router appears to be less complex, and commands are easier to identify when using the help feature on the device.
Operational Efficiency
Role-based CLI provides three types of views that dictate which commands are available:
Root view
CLI view
Superview
To configure any view for the system, the administrator must be in ____. __ has the same access privileges as a user who has level 15 privileges. However, a ___ is not the same as a level 15 user. Only a ___ user can configure a new view and add or remove commands from the existing views.
Root View
A specific set of commands can be bundled into a _____ . Unlike privilege levels, a ____ has no command hierarchy and no higher or lower views. Each view must be assigned all commands associated with that view. A view does not inherit commands from any other view. Additionally, the same commands can be used in multiple views.
CLI View
A _____ consists of one or more CLI views. Administrators can define which commands are accepted and which configuration information is visible. ____ allow a network administrator to assign users and groups of users multiple CLI views at once, instead of having to assign a single CLI view per user with all commands associated with that one CLI view.
Superview
Superviews have several specific characteristics:
A single CLI view can be shared within multiple superviews.
Commands cannot be configured for a superview. An administrator must add commands to the CLI view and add that CLI view to the superview.
Users who are logged into a superview can access all the commands that are configured for any of the CLI views that are part of the superview.
Each superview has a password that is used to switch between superviews or from a CLI view to a superview.
Deleting a superview does not delete the associated CLI views. The CLI views remain available to be assigned to another superview.
Configure Role-Based Views
Step 1. Enable AAA with the aaa new-model global configuration mode command. Exit and enter the root view with the enable view command.
Step 2. Create a view using the parser view view-name global configuration mode command. This enables the view configuration mode. Excluding the root view, there is a maximum limit of 15 views in total.
Step 3. Assign a secret password to the view using the secret password view configuration mode command.
Step 4. Assign commands to the selected view using the commands parser-mode command in view configuration mode.
Step 5. Exit view configuration mode by typing the exit command.
Step 1. Enable AAA with the aaa new-model global configuration mode command. Exit and enter the root view with the enable view command.
Router# enable [view [view-name]]
This parameter enters root view if no view-name is specified, which enables an administrator to configure CLI views. The view parameter is required to configure a CLI view.
view
(Optional) This parameter enters or exits a specified CLI view. This parameter can be used to switch from one CLI view to another CLI view.
view-name
Step 2. Create a view using the parser view view-name global configuration mode command. This enables the view configuration mode. Excluding the root view, there is a maximum limit of 15 views in total.
Router(config)# parser view view-name
Step 3. Assign a secret password to the view using the secret password view configuration mode command.
Router(config-view)# secret password
Step 4. Assign commands to the selected view using the commands parser-mode command in view configuration mode.
Router(config-view)# commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]
Step 5. Exit view configuration mode by typing the exit command.
exit
Configure Role-Based CLI Superviews
Step 1. Create a view using the parser view view-name superview command and enter superview configuration mode. Appending the keyword superview to parser view creates a superview and enters configuration mode.
Step 2. Assign a secret password to the view using the secret password command. This sets a password to protect access to the superview. The password must be created immediately after creating a view; otherwise an error message will appear.
Step 3. Assign an existing view using the view view-name command in view configuration mode. This adds a CLI view to superview. Multiple views can be added. Views may be shared between superviews.
Step 4. Exit superview configuration mode by typing the exit command.
Step 1. Create a view using the parser view view-name superview command and enter superview configuration mode. Appending the keyword superview to parser view creates a superview and enters configuration mode.
Router(config)# parser view view-name superview
Step 2. Assign a secret password to the view using the secret password command. This sets a password to protect access to the superview. The password must be created immediately after creating a view; otherwise an error message will appear.
Router(config-view)# secret password
Step 3. Assign an existing view using the view view-name command in view configuration mode. This adds a CLI view to superview. Multiple views can be added. Views may be shared between superviews.
Router(config-view)# view view-name
To access existing views, enter the ____ command in user mode and enter the password that was assigned to the custom view. Use the same command to switch from one view to another.
enable view view-name
Step 4. Exit superview configuration mode by typing the exit command.
exit
From the root view, use the _____ command to see a summary of all views.
show parser view all
What must be done before any role-based CLI views can be created?
issue the aaa new-model command
There are five steps involved to create a view on a Cisco router.
1) AAA must be enabled.
2) The view must be created.
3) A secret password must be assigned to the view.
4) Commands must be assigned to the view.
5) View configuration mode must be exited.
Which three statements describe limitations in using privilege levels for assigning command authorization? (Choose three.)
no access control to specific interfaces on a router
commands set on a higher priv level are not available for lower priv user
creating user acc that needs access to most but not all commands can be a tedious process
An administrator can create customized privilege levels and assign different commands to each level. However, this method of controlling the level of access to the router has limitations. Using privilege levels, access to specific interfaces or ports cannot be controlled, and the availability of commands cannot be customized across levels.
Which two router commands can a user issue when granted privilege level 0? (Choose two.)
help and disable
The privilege level 0 in Cisco IOS software is predefined for user-level access privileges. It is seldom used, but includes five commands: disable, enable, exit, help, and logout.
What does level 5 in the following enable secret global configuration mode command indicate?
Router(config)# enable secret level 5 csc5io
grants access to priv exec level 5
There are two methods for assigning passwords to the different privilege levels:
To a user that is granted a specific privilege level, use the username name privilege level secret password global configuration mode command.
To the privilege level, use the enable secret level level password global configuration mode command.
What are three network enhancements achieved by implementing the Cisco IOS software role-based CLI access feature? (Choose three.)
Cisco IOS software role-based CLI access feature provides benefits for network functions including:
Security - Role-based CLI access enhances the security of the device by defining the set of CLI commands that are accessible by a specific user. This prevents a user from accidentally or purposely changing a configuration or collecting information to which they should not have access.
Availability - Role-based CLI access prevents unintentional execution of CLI commands by unauthorized personnel and minimizes downtime.
Operational Efficiency - Users only see the CLI commands applicable to the ports and CLI to which they have access. Therefore, the router appears to be less complex, and commands are easier to identify.
A network administrator wants to create a new view so that a user only has access to certain configuration commands. In role-based CLI, which view should the administrator use to create the new view?
root view
In role-based CLI access implementation, a network administrator must be in root view to create a new role-based view, such as a CLI view or a superview.
A network administrator enters the command R1# enable view adminview. What is the purpose of this command?
to enter a CLI view named adminview
The enable view privileged EXEC command is used to enter the root view. The optional view-name, in this case adminview, is used to enter a CLI view named adminview directly.
Which range of custom privilege levels can be configured on Cisco routers?
The privilege levels 2 -14 in Cisco IOS software may be customized for user-level privileges. Commands from lower levels may be moved up to another higher level, or commands from higher levels may be moved down to a lower level.
Which command will move the show interface command to privilege level 10?
router(config)# privilege exec level 10 show interface
To configure a privilege level with specific commands, use the privilege exec level level [command].
What is the default privilege level of user accounts created on Cisco routers?
1
There are 16 privilege levels that can be configured as part of the username command, ranging from 0 to 15. By default, if no level is specified, the account will have privilege level 1.
An administrator assigned a level of router access to the user ADMIN using the commands below.
Router(config)# privilege exec level 14 show ip route
Router(config)# enable algorithm-type scrypt secret level 14 cisco-level-10
Router(config)# username ADMIN privilege 14 algorithm-type scrypt secret cisco-level-10
Which two actions are permitted to the user ADMIN? (Choose two.)
the user can issue the show version command
the user can execute all subcommands under the show ip interfaces command
Assigning a command such as show ip route to a specific privilege level automatically assigns all commands associated with the first few keywords to the specified privilege level. So, the show and the show ip commands are automatically set to the privilege level where show ip route is set, which is necessary because the show ip route command cannot be executed without access to the show and show ip commands. Assigning the show ip route command allows the user to issue all show commands, such as show version.