Assume that users will login via Telnet/SSH.

Task 1

Since this task specifies that usernames should not be configured, the only other option we have is to configure the privilege level on the VTY lines. By default, when we log in via Telnet to a VTY line on a Cisco IOS device, we are placed at privilege level 1, as shown below:

We can use the privilege level line configuration command to change the default privilege level for a VTY line. For this task, we will assign a privilege level of 2 to the VTY lines. The task also requires that an administrator be able to access privilege level 15. To do this, we can configure an enable password/secret. When you configure an enable password/secret without specifying any level, you are effectively configuring an enable password/secret for privilege level 15. Therefore, our configuration on R1 is as follows:

line vty 0 4

To test this configuration, we will log in via Telnet again and check the privilege level; we will then try to gain access to privilege level 15:

Task 2: Changing privilege level for commands

By default, you need to be in privilege level 15 to be able to configure a Cisco IOS device. Therefore, if we want users at privilege level 2 to be able to configure interfaces, we need to move the relevant commands down to that level. Before we make any configuration changes, look at the commands available to a user at privilege level 2:

Note: There may be more commands on a real Cisco IOS device than on Packet Tracer.

The configuration to allow privilege level 2 users to configure interfaces is as follows:

privilege exec level 2 configure
privilege exec level 2 configure terminal
privilege configure all level 2 interface

Hint: The “all” option in the command privilege configure all level 2 interface allows the sub-options under interface to be placed at the same privilege level. For example, if you use the privilege configure all level 2 interface command without the “all” option, privilege level 2 users will not be able to configure any interface.

We can verify our configuration by logging into the router and viewing the commands available at each level:

Note: You may get some unexpected behavior with the privilege level command on Packet Tracer.

Task 3

Changing command privilege levels like we did in the previous task can be quite cumbersome; a better way is to use CLI views. The task is stated as follows: create two users on R2 with the following username/password credentials: helpdesk/helpdesk and NOC/NOC. When the “helpdesk” user logs in, the user should use the “enable view Helpdesk” command to access the Helpdesk CLI view. In the same way, when the “NOC” user logs in, the user should use the “enable view NOC” command to access the NOC CLI view.

To create views, you need to be in the root view (which is different from privilege level 15). Before you can use CLI views, you must enable AAA and also configure an enable password/secret as follows:

aaa new-model

Now, to create CLI views, we must enter the root view using the enable view command from privileged EXEC mode. We will need to enter the enable secret to gain access to the root view:

The configuration to create the CLI views is as follows:

parser view Helpdesk

On a real Cisco IOS device, we would be able to tie usernames to specific CLI views, but that is not available in Packet Tracer. Therefore, a user needs to manually access a CLI view using the enable view command. The configuration for this task is as follows:

username helpdesk secret helpdesk

To test this configuration, we will first log in using the helpdesk username:

This brings us to the end of the lab, where we have looked at privilege levels and RBAC on Cisco routers. I hope you have found this lab insightful.

CCNA Security 2.0 helps students develop the skills needed for entry-level network security career opportunities and prepare for the CCNA Security certification. The goals of CCNA Security are as follows: it provides a theoretically rich, hands-on introduction to network security, in a logical sequence driven by technologies.
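The lab shows only the first line of the R1 configuration for Task 1 and the three privilege commands for Task 2. The following is an added example of the complete R1 configuration for both tasks; it is not the lab's own configuration. The secrets "Level15Secret" and "VtyPassword" are placeholders. The example restricts the VTY lines to Telnet because Task 1 forbids usernames, and IOS SSH authentication requires a local or AAA username.

```cisco
! Added example (not the lab's own configuration): R1 for Tasks 1 and 2.
! "Level15Secret" and "VtyPassword" are placeholder values.
hostname R1
!
! Task 1: an enable secret configured without a level protects
! privilege level 15, which is what the administrator escalates to.
enable secret Level15Secret
!
! Task 1: Telnet users authenticate with the line password (no usernames
! are configured, as the task requires) and land at privilege level 2
! instead of the default level 1.
line vty 0 4
 password VtyPassword
 login
 privilege level 2
 transport input telnet
!
! Task 2: level 2 cannot configure anything by default, so move the
! "configure terminal" and interface sub-mode commands down to level 2.
! The "all" keyword also lowers the sub-commands under "interface"
! (ip address, shutdown, ...); without it only the "interface" keyword
! moves, and a level 2 user still cannot actually configure an interface.
privilege exec level 2 configure
privilege exec level 2 configure terminal
privilege configure all level 2 interface
!
! Verification from a Telnet session (EXEC commands, not configuration):
!   R1> show privilege        -> "Current privilege level is 2"
!   R1> configure terminal    -> now permitted at level 2
!   R1> enable                -> prompts for Level15Secret, then level 15
```

A check worth running after Task 2 is "show running-config | include privilege", so that the moved commands are visible and reviewable; every command lowered from level 15 widens what a level 2 user can change, which is exactly why the lab recommends CLI views instead for anything beyond a handful of commands.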
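The lab shows only "aaa new-model", "parser view Helpdesk" and "username helpdesk secret helpdesk" for Task 3. The following is an added example of a complete R2 configuration for the two CLI views; it is not the lab's own configuration. The view secrets and the command sets placed in each view are assumed choices (the lab names only the views and the two user accounts), and "Level15Secret" is a placeholder. The commented-out "username ... view ..." line shows the real IOS binding of a user to a view that the lab says Packet Tracer lacks.

```cisco
! Added example (not the lab's own configuration): R2 for Task 3.
! View secrets and the command sets in each view are assumed choices.
hostname R2
!
! CLI views require AAA. With aaa new-model the VTY lines authenticate
! against the local user database; the method list is stated explicitly.
aaa new-model
aaa authentication login default local
!
! The enable secret is also the root-view password: "enable view" at
! privileged EXEC prompts for it before views can be created or edited.
enable secret Level15Secret
!
! The two users from the task statement.
username helpdesk secret helpdesk
username NOC secret NOC
!
! On real IOS the view can be bound to the account so the user is placed
! in it at login; the lab notes Packet Tracer lacks this, hence the users
! type "enable view <name>" themselves:
!   username helpdesk view Helpdesk secret helpdesk
!
! Views are defined from the root view (R2# enable view, then
! R2# configure terminal). Each view has its own secret and exposes
! only the commands listed in it.
parser view Helpdesk
 secret HelpdeskViewSecret
 commands exec include show version
 commands exec include show ip interface brief
 commands exec include ping
!
parser view NOC
 secret NocViewSecret
 commands exec include all show
 commands exec include configure terminal
 commands configure include all interface
!
! Test: telnet to R2, log in as helpdesk, then
!   R2> enable view Helpdesk   -> prompts for HelpdeskViewSecret
!   R2# show parser view       -> "Current view is 'Helpdesk'"
!   R2# ?                      -> only the included commands are listed
```

Two practitioner notes: on a real device, make sure a local administrator account exists before entering "aaa new-model", because the console line also switches to the local method list and an empty user database locks you out; and "show parser view all" from the root view lists every view with its command set, which is the quickest way to audit that the Helpdesk view has not quietly accumulated configuration commands.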