You are creating an account for a new administrator. The administrator should only be allowed to configure IP addresses and view the running configuration. Which of the following actions should you perform? (Select the best answer.)

Last Updated on August 7, 2021 by Admin 3

  • Create an ACL so that the administrator has access to the proper commands.
  • Configure the administrator’s user account with a privilege level of 1.
  • Configure the administrator’s user account with a privilege level of 6.
  • Configure the administrator’s user account with a privilege level of 15.
  • Create a role-based CLI view, and associate it with the administrator’s user account.
Explanation:
You should create a role-based command-line interface (CLI) view and associate it with the administrator’s user account. Like privilege levels, role-based CLI views limit the IOS commands that a user can access. However, role-based CLI views provide administrators with greater detail and flexibility in restricting command access.
Before you can create role-based CLI views, you must first ensure that Authentication, Authorization, and Accounting (AAA) is enabled on the router by issuing the aaa new-model command. You should then enable the root view by using the enable view command. The root view contains commands equivalent to privilege level 15. Before you can configure any other CLI views, you must enable the root view.
To create a role-based CLI view, you should issue the parser view view-name command, which specifies the view name and places the device into parser view configuration mode. Prior to specifying any commands for the view, you must secure the view with a password by issuing the secret password command. After you have secured the view, you can issue one or more commands that allow or restrict access to parts of the IOS. The basic syntax of the commands command is commands parser-mode {include | include-exclusive | exclude} [all] [command]. The parser-mode variable is used to indicate the mode in which the command exists. For example, the exec keyword indicates privileged EXEC mode, and the configure keyword indicates global configuration mode. The include keyword indicates that the command should be added to this view. The exclude keyword indicates that the command should be denied to this view. The include-exclusive keyword indicates that the command should be added to this view but not to any other superviews that might include this view. A superview is a view that consists of one or more role-based CLI views. The all keyword indicates that all subcommands that begin with the specified command keywords should be included.
After you have created a view, you can apply it to a user account by issuing the username name view view-name password password command. You can also test the view by issuing the enable view view-name command and issuing the password that you specified with the password password keywords. Commands that are not available for the user’s view will not appear in the command list in context-sensitive help. Attempting to issue a command that is not included in a user’s view will display an error message just as if the command did not exist on the router, as shown in the following output:

Router>enable view NEWADMIN 
Password:
Router#configure terminal
^
% Invalid input detected at '^' marker.
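
The steps above, applied to the administrator in the question, as one configuration. This is an added example, not part of the original page; the view name IPADMIN, the AAA method lists and every value in angle brackets are assumptions or placeholders.

```cisco
! Added example. IPADMIN and every <...> value are placeholders.
! The root view authenticates with the enable secret, so one must exist.
enable
configure terminal
 enable secret <ENABLE-SECRET>
 aaa new-model
 ! Assumed method lists so a locally defined user receives its view at login.
 aaa authentication login default local
 aaa authorization exec default local
 end
! Enter the root view (prompts for the enable secret).
enable view
configure terminal
 parser view IPADMIN
  secret <VIEW-SECRET>
  ! Allow viewing the running configuration.
  commands exec include show running-config
  ! Allow entry to global configuration, then only the interface command there.
  commands exec include configure terminal
  commands configure include interface
  ! Inside interface configuration mode, allow only IP addressing.
  commands interface include ip address
  exit
 ! Bind the view to the new administrator's account.
 username <ADMIN-NAME> view IPADMIN password <USER-PASSWORD>
 end
! Verify: switch to the view and confirm which view is active.
enable view IPADMIN
show parser view
```

From inside the view, context-sensitive help (?) in each mode lists only the commands the view includes, which is a quick way to confirm nothing extra was granted.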

Privilege levels can also be used to limit access to CLI commands. However, you are limited to 16 privilege levels, some of which are used by default by the IOS. For example, privilege level 0 includes only the disable, enable, exit, help, and logout commands. Each privilege level contains a list of commands that are available at that level. Users assigned to a privilege level have access to all of the commands at that privilege level and all lower privilege levels. Changing the commands that are available to a privilege level might provide access to a user who should not be allowed access to the command, or it might restrict access to another user who should be allowed access to the command.
Configuring the administrator’s user account with a privilege level of 1 will not enable the administrator to configure IP addresses and to view the running configuration. Privilege level 1 allows a user to issue any command that is available at the user EXEC > prompt.
Configuring the administrator’s user account with a privilege level of 6 will not enable the administrator to configure IP addresses and to view the running configuration unless you have first configured privilege level 6 with the proper commands. By default, no commands are assigned to privilege level 6.
Configuring the administrator’s user account with a privilege level of 15 will enable the administrator to configure IP addresses and to view the running configuration. However, it will also provide access to all other commands that are available at the privileged EXEC # prompt. This will provide more access to the IOS than you want the administrator to have.
Access control lists (ACLs) can be used to limit administrative access to a router. However, you cannot limit access to particular IOS commands by using an ACL.
