Cisco IOS Software Releases 12.3 T

Table Of Contents

Role-Based CLI Access

Contents

Prerequisites for Role-Based CLI Access

Restrictions for Role-Based CLI Access

Information About Role-Based CLI Access

Benefits of Using CLI Views

Root View

View Authentication via a New AAA Attribute

How to Use Role-Based CLI Access

Configuring a CLI View

Prerequisites

Troubleshooting Tips

Configuring a Lawful Intercept View

About Lawful Intercept Views

Prerequisites

Troubleshooting Tips

Configuring a Superview

About Superviews

Monitoring Views and View Users

Configuration Examples for Role-Based CLI Access

Configuring a CLI View: Example

Verifying a CLI View: Example

Configuring a Lawful Intercept View: Example

Configuring a Superview: Example

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Command Reference

commands (view)

enable

li-view

name (view)

parser view

parser view superview

secret

show parser view

show users

username

view

Role-Based CLI Access

---

The Role-Based CLI Access feature allows the network administrator to define "views," which are a set of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration (Config) mode commands. Views restrict user access to Cisco IOS command-line interface (CLI) and configuration information; that is, a view can define what commands are accepted and what configuration information is visible. Thus, network administrators can exercise better control over access to Cisco networking devices.

Release	Modification
12.3(7)T	This feature was introduced.
12.3(11)T	The CLI view capability was extended to restrict user access on a per-interface level, and additional CLI views were introduced to support the extended view capability. Also, support to group configured CLI views into a superview was introduced.
12.2(33)SRB	This feature was integrated into Cisco IOS Release 12.2(33)SRB.

Feature History for Role-Based CLI Access

Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

•Prerequisites for Role-Based CLI Access

•Restrictions for Role-Based CLI Access

•Information About Role-Based CLI Access

•How to Use Role-Based CLI Access

•Configuration Examples for Role-Based CLI Access

•Additional References

•Command Reference

Prerequisites for Role-Based CLI Access

Your image must support CLI views.

Restrictions for Role-Based CLI Access

Lawful Intercept Images Limitation

Because CLI views are a part of the Cisco IOS parser, CLI views are a part of all platforms and Cisco IOS images. However, the lawful intercept view is available only in images that contain the lawful intercept subsystem.

Maximum Number of Allowed Views

The maximum number of CLI views and superviews, including one lawful intercept view, that can be configured is 15. (This does not include the root view.)

Information About Role-Based CLI Access

To create and use views, you should understand the following concepts:

•Benefits of Using CLI Views

•Root View

•View Authentication via a New AAA Attribute

Benefits of Using CLI Views

Views: Detailed Access Control

Although users can control CLI access via both privilege levels and enable mode passwords, these functions do not provide network administrators with the necessary level of detail needed when working with Cisco IOS routers and switches. CLI views provide a more detailed access control capability for network administrators, thereby, improving the overall security and accountability of Cisco IOS software.

As of Cisco IOS Release 12.3(11)T, network administrators can also specify an interface or a group of interfaces to a view; thereby, allowing access on the basis of specified interfaces.

Root View

When a system is in "root view," it has all of the access privileges as a user who has level 15 privileges. If the administrator wishes to configure any view to the system (such as a CLI view, a superview, or a lawful intercept view), the system must be in root view.

The difference between a user who has level 15 privileges and a root view user is that a root view user can configure a new view and add or remove commands from the view. Also, when you are in a CLI view, you have access only to the commands that have been added to that view by the root view user.

View Authentication via a New AAA Attribute

View authentication is performed by an external authentication, authorization, and accounting (AAA) server via the new attribute "cli-view-name."

AAA authentication associates only one view name to a particular user; that is, only one view name can be configured for a user in an authentication server.

How to Use Role-Based CLI Access

This section contains the following procedures:

•Configuring a CLI View (required)

•Configuring a Lawful Intercept View (optional)

•Configuring a Superview (optional)

•Monitoring Views and View Users (optional)

Configuring a CLI View

Use this task to create a CLI view and add commands or interfaces to the view, as appropriate.

Prerequisites

Before you create a view, you must perform the following tasks:

•Enable AAA via the aaa new-model command. (For more information on enabling AAA, see the chapter "Configuring Authentication" in the Cisco IOS Security Configuration Guide, Release 12.3.

•Ensure that your system is in root view—not privilege level 15.

SUMMARY STEPS

1. enable view

2. configure terminal

3. parser view view-name

4. secret 5 encrypted-password

5. commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]

6. exit

7. exit

8. enable [privilege-level] [view view-name]

9. show parser view [all]

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable view Example: Router> enable view	Enables root view. •Enter your privilege level 15 password (for example, root password) if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	parser view view-name Example: Router(config)# parser view first	Creates a view and enters view configuration mode.
Step 4	secret 5 encrypted-password Example: Router(config-view)# secret 5 secret	Associates a command-line interface (CLI) view or superview with a password. Note You must issue this command before you can configure additional attributes for the view.
Step 5	commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command] Example: Router(config-view)# commands exec include show version	Adds commands or interfaces to a view. •parser-mode—The mode in which the specified command exists. •include—Adds a command or an interface to the view and allows the same command or interface to be added to an additional view. •include-exclusive—Adds a command or an interface to the view and excludes the same command or interface from being added to all other views. •exclude—Excludes a command or an interface from the view; that is, customers cannot access a command or an interface. •all—A "wildcard" that allows every command in a specified configuration mode that begins with the same keyword or every subinterface for a specified interface to be part of the view. •interface interface-name— Interface that is added to the view. •command—Command that is added to the view.
Step 6	exit Example: Router(config-view)# exit	Exits view configuration mode.
Step 7	exit Example: Router(config)# exit	Exits global configuration mode.
Step 8	enable [privilege-level] [view view-name] Example: Router# enable view first	Prompts the user for a password, which allows the user to access a configured CLI view, and is used to switch from one view to another view. After the correct password is given, the user can access the view.
Step 9	show parser view [all] Example: Router# show parser view	(Optional) Displays information about the view that the user is currently in. •all—Displays information for all views that are configured on the router. Note Although this command is available for both root and lawful intercept users, the all keyword is available only to root users. However, the all keyword can be configured by a user in root view to be available for users in lawful intercept view and CLI view.

Troubleshooting Tips

After you have successfully created a view, a system message such as the following will be displayed:

%PARSER-6-VIEW_CREATED: view `first' successfully created.

After you have successfully deleted a view, a system message such as the following will be displayed:

%PARSER-6-VIEW_DELETED: view `first' successfully deleted.

You must associate a password with a view. If you do not associate a password, and you attempt to add commands to the view via the commands command, a system message such as the following will be displayed:

%Password not set for view <viewname>.

Configuring a Lawful Intercept View

Use this task to initialize and configure a view for lawful-intercept-specific commands and configuration information. (Only an administrator or a user who has level 15 privileges can initialize a lawful intercept view.)

About Lawful Intercept Views

Like a CLI view, a lawful intercept view restricts access to specified commands and configuration information. Specifically, a lawful intercept view allows a user to secure access to lawful intercept commands that are held within the TAP-MIB, which is a special set of simple network management protocol (SNMP) commands that store information about calls and users.

Commands available in lawful intercept view belong to one of the following categories:

•Lawful intercept commands that should not be made available to any other view or privilege level

•CLI views that are useful for lawful intercept users but do not have to be excluded from other views or privilege levels

Prerequisites

Before you initialize a lawful intercept view, ensure that the privilege level is set to 15 via the privilege command.

SUMMARY STEPS

1. enable view

2. configure terminal

3. li-view li-password user username password password

4. username [lawful-intercept] name [privilege privilege-level | view view-name] password password

5. parser view view-name

6. secret 5 encrypted-password

7. name new-name

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable view Example: Router> enable view	Enables root view. •Enter your privilege level 15 password (for example, root password) if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	li-view li-password user username password password Example: Router(config)# li-view lipass user li_admin password li_adminpass	Initializes a lawful intercept view. After the li-view is initialized, you must specify at least one user via user username password password options.
Step 4	username [lawful-intercept [name] [privilege privilege-level | view view-name] password password Example: Router(config)# username lawful-intercept li-user1 password li-user1pass	Configures lawful intercept users on a Cisco device.
Step 5	parser view view-name Example: Router(config)# parser view li view name	(Optional) Enters view configuration mode, which allows you to change the lawful intercept view password or the lawful intercept view name.
Step 6	secret 5 encrypted-password Example: Router(config-view)# secret 5 secret	(Optional) Changes an existing password for a lawful intercept view.
Step 7	name new-name Example: Router(config-view)# name second	(Optional) Changes the name of a lawful intercept view. If this command is not issued, the default name of the lawful intercept view is "li-view."

Troubleshooting Tips

To display information for all users who have access to a lawful intercept view, issue the show users lawful-intercept command. (This command is available only to authorized lawful intercept view users.)

Configuring a Superview

Use this task to create a superview and add at least one CLI view to the superview.

About Superviews

A superview consists of one or more CLI views, which allow users to define what commands are accepted and what configuration information is visible. Superviews allow a network administrator to easily assign all users within configured CLI views to a superview instead of having to assign multiple CLI views to a group of users.

Superviews contain the following characteristics:

•A CLI view can be shared among multiple superviews.

•Commands cannot be configured for a superview; that is, you must add commands to the CLI view and add that CLI view to the superview.

•Users who are logged into a superview can access all of the commands that are configured for any of the CLI views that are part of the superview.

•Each superview has a password that is used to switch between superviews or from a CLI view to a superview.

•If a superview is deleted, all CLI views associated with that superview will not be deleted too.

Adding CLI Views to a Superview

You can add a view to a superview only after a password has been configured for the superview (via the secret 5 command). Thereafter, issue the view command in view configuration mode to add at least one CLI view to the superview.

---

Note Before adding a CLI view to a superview, ensure that the CLI views that are added to the superview are valid views in the system; that is, the views have been successfully created via the parser view command.

---

SUMMARY STEPS

1. enable view

2. configure terminal

3. parser view superview-name superview

4. secret 5 encrypted-password

5. view view-name

6. exit

7. exit

8. show parser view [all]

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable view Example: Router> enable view	Enables root view. •Enter your privilege level 15 password (for example, root password) if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	parser view superview-name superview Example: Router(config)# parser view su_view1 superview	Creates a superview and enters view configuration mode.
Step 4	secret 5 encrypted-password Example: Router(config-view)# secret 5 secret	Associates a CLI view or superview with a password. Note You must issue this command before you can configure additional attributes for the view.
Step 5	view view-name Example: Router(config-view)# view view_three	Adds a normal CLI view to a superview. Issue this command for each CLI view that is to be added to a given superview.
Step 6	exit Example: Router(config-view)# exit	Exits view configuration mode.
Step 7	exit Example: Router(config)# exit	Exits global configuration mode.
Step 8	show parser view [all] Example: Router# show parser view	(Optional) Displays information about the view that the user is currently in. •all—Displays information for all views that are configured on the router. Note Although this command is available for both root and lawful intercept users, the all keyword is available only to root users. However, the all keyword can be configured by a user in root view to be available for users in lawful intercept view and CLI view.

Monitoring Views and View Users

To display debug messages for all views—root, CLI, lawful intercept, and super, use the debug parser view command in privileged EXEC mode.

Configuration Examples for Role-Based CLI Access

This section contains the following configuration examples:

•Configuring a CLI View: Example

•Verifying a CLI View: Example

•Configuring a Lawful Intercept View: Example

•Configuring a Superview: Example

Configuring a CLI View: Example

The following example shows how to configure two CLI views, "first" and "second." Thereafter, you can verify the CLI view in the running configuration.

Router(config)# parser view first

00:11:40:%PARSER-6-VIEW_CREATED:view 'first' successfully created. 

Router(config-view)# secret 5 firstpass

Router(config-view)# command exec include show version

Router(config-view)# command exec include configure terminal

Router(config-view)# command exec include all show ip

Router(config-view)# exit

Router(config)# parser view second

00:13:42:%PARSER-6-VIEW_CREATED:view 'second' successfully created.

Router(config-view)# secret 5 secondpass

Router(config-view)# command exec include-exclusive show ip interface

Router(config-view)# command exec include logout

Router(config-view)# exit

!

!

Router(config-view)# do show run | beg view

parser view first

 secret 5 $1$MCmh$QuZaU8PIMPlff9sFCZvgW/

 commands exec include configure terminal

 commands exec include configure

 commands exec include all show ip

 commands exec include show version

 commands exec include show

!

parser view second

 secret 5 $1$iP2M$R16BXKecMEiQesxLyqygW.

 commands exec include-exclusive show ip interface

 commands exec include show ip

 commands exec include show

 commands exec include logout

!

Verifying a CLI View: Example

After you have configured the CLI views "first" and "second," you can issue the enable view command to verify which commands are available in each view. The following example shows which commands are available inside the CLI view "first" after the user has logged into this view. (Because the show ip command is configured with the all option, a complete set of suboptions is shown, except the show ip interface command, which is using the include-exclusive keyword in the second view.)

Router# enable view first

Password:

00:28:23:%PARSER-6-VIEW_SWITCH:successfully set to view 'first'.

Router# ?

Exec commands:

  configure  Enter configuration mode

  enable     Turn on privileged commands

  exit       Exit from the EXEC

  show       Show running system information

Router# show ?

  ip       IP information

  parser   Display parser information

  version  System hardware and software status

Router# show ip ? 

  access-lists            List IP access lists

  accounting              The active IP accounting database

  aliases                 IP alias table

  arp                     IP ARP table

  as-path-access-list     List AS path access lists

  bgp                     BGP information

  cache                   IP fast-switching route cache

  casa                    display casa information

  cef                     Cisco Express Forwarding

  community-list          List community-list

  dfp                     DFP information

  dhcp                    Show items in the DHCP database

  drp                     Director response protocol

  dvmrp                   DVMRP information

  eigrp                   IP-EIGRP show commands

  extcommunity-list       List extended-community list

  flow                    NetFlow switching

  helper-address          helper-address table

  http                    HTTP information

  igmp                    IGMP information

  irdp                    ICMP Router Discovery Protocol

.

.

.

Configuring a Lawful Intercept View: Example

The following example shows how to configure a lawful intercept view, add users to the view, and verify the users that were added:

!Initialize the LI-View.

Router(config-view)# li-view lipass user li_admin password li_adminpass

00:19:25:%PARSER-6-LI_VIEW_INIT:LI-View initialized.

Router(config-view)# end

! Enter the LI-View; that is, check to see what commands are available within the view.

Router# enable view li-view

Password:

Router#

00:22:57:%PARSER-6-VIEW_SWITCH:successfully set to view 'li-view'.

Router# configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)# parser view li-view 

Router(config-view)# ?

View commands:

  commands  Configure commands for a view

  default   Set a command to its defaults

  exit      Exit from view configuration mode

  name      New LI-View name      ===This option only resides in LI View.

  no        Negate a command or set its defaults

  password  Set a password associated with CLI views

Router(config-view)#

! NOTE:LI View configurations are never shown as part of `running-configuration'.

! Configure LI Users.

Router(config)# username lawful-intercept li-user1 password li-user1pass 

Router(config)# username lawful-intercept li-user2 password li-user2pass

! Displaying LI User information.

Router# show users lawful-intercept

li_admin     

li-user1     

li-user2     

Router#

Configuring a Superview: Example

The following sample output from the show running-config command shows that "view_one" and "view_two" have been added to superview "su_view1," and "view_three" and "view_four" have been added to superview "su_view2":

!

parser view su_view1 superview

 secret 5 <encoded password>

 view view_one

 view view_two

!

parser view su_view2 superview

 secret 5 <encoded password>

 view view_three

 view view_four

!

Additional References

The following sections provide references related to Role-Based CLI Access.

Related Documents

Related Topic	Document Title
SNMP, MIBs, CLI configuration	Cisco IOS Configuration Fundamentals and Network Management Configuration Guide, Release 12.3
Privilege levels	Cisco IOS Security Configuration Guide, Release 12.3

Standards

Standards	Title
None	—

MIBs

MIBs	MIBs Link
None	To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

RFCs

RFCs	Title
None	—

Technical Assistance

Description	Link
Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.	http://www.cisco.com/public/support/tac/home.shtml

Command Reference

This section documents only new and modified commands.

New Commands in Cisco IOS Release 12.3(7)T and 12.2(33)SRB

•commands (view)

•li-view

•name (view)

•parser view

•show parser view

New Commands in Cisco IOS Release 12.3(11)T and 12.2(33)SRB

•parser view superview

•view

New Command in Cisco IOS Release 12.3(14)T

•secret

Modified Commands in Cisco IOS Release 12.3(7)T and 12.2(33)SRB

•enable

•show users

•username

Modified Commands in Cisco IOS Release 12.3(11)T and 12.2(33)SRB

•commands (view)

commands (view)

To add commands or an interface to a command-line interface (CLI) view, use the commands command in view configuration mode. To delete a command or an interface from a CLI view, use the no form of this command.

Syntax for Adding and Deleting Commands to a View

commands parser-mode {include | include-exclusive | exclude} [all] [command]

no commands parser-mode {include | include-exclusive | exclude} [all] [command]

Syntax for Adding and Deleting Interfaces to a View

commands parser-mode {include | include-exclusive} [all] [interface interface-name] [command]

no commands parser-mode {include | include-exclusive} [all] [interface interface-name] [command]

Syntax Description

parser-mode	Mode in which the specified command exists. See Table 1 in the "Usage Guidelines" section for a list of available options for this argument.
include	Adds a specified command or a specified interface to the view and allows the same command or interface to be added to an additional view.
include-exclusive	Adds a specified command or a specified interface to the view and excludes the same command or interface from being added to all other views.
exclude	Denies access to commands in the specified parser mode. Note This keyword is available only for command-based views.
all	(Optional) A "wildcard" that allows every command in a specified configuration mode that begins with the same keyword or every subinterface within a specified interface to be part of the view.
interface interface-name	(Optional) Interface that is added to the view.
command	(Optional) Command that is added to the view. Note If no commands are specified, all commands within the specified parser mode are included or excluded, as appropriate.

Defaults

If this command is not enabled, a view will not have adequate information to deny or allow access to users.

Command Modes

View configuration

Command History

Release	Modification
12.3(7)T	This command was introduced.
12.3(11)T	The exclude keyword and the interface interface-name option were added.
12.2(33)SRB	This command was integrated into Cisco IOS Release 12.2(33)SRB.

Usage Guidelines

If a network administrator does not enter a specific command (via the command argument) or interface (via the interface interface-name option), users are granted access (via the include or include-exclusive keywords) or denied access (via the exclude keyword) to all commands within the specified parser-mode.

parser-mode Options

Table 1 shows some of the keyword options for the parser-mode argument in the commands command. The available mode keywords vary depending on your hardware and software version. To see a list of available mode options on your system, use the commands ? command.

Table 1 parser-mode Argument Options 

Command	Description
accept-dialin	VPDN group accept dialin configuration mode
accept-dialout	VPDN group accept dialout configuration mode
address-family	Address Family configuration mode
alps-ascu	ALPS ASCU configuration mode
alps-circuit	ALPS circuit configuration mode
atm-bm-config	ATM bundle member configuration mode
atm-bundle-config	ATM bundle configuration mode
atm-vc-config	ATM virtual circuit configuration mode
atmsig_e164_table_mode	ATMSIG E164 Table
cascustom	Channel-associated signalling (cas) custom configuration mode
config-rtr-http	RTR HTTP raw request Configuration
configure	Global configuration mode
controller	Controller configuration mode
crypto-map	Crypto map config mode
crypto-transform	Crypto transform config modeCrypto transform configuration mode
dhcp	DHCP pool configuration mode
dspfarm	DSP farm configuration mode
exec	EXEC mode
flow-cache	Flow aggregation cache configuration mode
gateway	Gateway configuration mode
interface	Interface configuration mode
interface-dlci	Frame Relay DLCI configuration mode
ipenacl	IP named extended access-list configuration mode
ipsnacl	IP named simple access-list configuration mode
ip-vrf	Configure IP VRF parameters
lane	ATM Lan Emulation Lecs Configuration Table
line	Line configuration mode
map-class	Map class configuration mode
map-list	Map list configuration mode
mpoa-client	MPOA Client
mpoa-server	MPOA Server
null-interface	Null interface configuration mode
preaut	AAA Preauth definitions
request-dialin	VPDN group request dialin configuration mode
request-dialout	VPDN group request dialout configuration mode
route-map	Route map configuration mode
router	Router configuration mode
rsvp_policy_local	RSVP local policy configuration mode
rtr	RTR Entry Configuration
sg-radius	RADIUS server group definition
sg-tacacs+	TACACS+ server group
sip-ua	SIP UA configuration mode
subscriber-policy	Subscriber policy configuration mode
tcl	Tcl mode
tdm-conn	TDM connection configuration mode
template	Template configuration mode
translation-rule	Translation Rule configuration mode
vc-class	VC class configuration mode
voiceclass	Voice Class configuration mode
voiceport	Voice configuration mode
voipdialpeer	Dial Peer configuration mode
vpdn-group	VPDN group configuration mode

Examples

The following example shows how to add the privileged EXEC command show version to both CLI views "first" and "second." Because the include keyword was issued, the show version command can be added to both views.

Router(config)# parser view first

Router(config-view)# secret 5 secret

Router(config-view)# commands exec include show version

!

Router(config)# parser view second

Router(config-view)# secret 5 myview

Router(config-view)# commands exec include show version

The following example shows how to allow users in the view "first" to execute all commands that start with the word "show" except the show interfaces command, which is excluded by the view "second":

Router(config)# parser view first

Router(config-view)# secret 5 secret

Router(config-view)# commands exec include all show 

!

Router(config)# parser view second

Router(config-view)# secret 5 myview

Router(config-view)# commands exec include-exclusive show interfaces

Related Commands

Command	Description
parser view	Creates or changes a CLI view and enters view configuration mode.
secret 5	Associates a CLI view or a superview with a password.

enable

To enter privileged EXEC mode, or any other security level set by a system administrator, use the enable command in user EXEC or privileged EXEC mode.

enable [privilege-level] [view [view-name]]

Syntax Description

privilege-level	(Optional) Privilege level at which to log in.
view	(Optional) Enters into root view, which enables users to configure CLI views. Note This keyword is required if you want to configure a CLI view.
view-name	(Optional) Enters or exits a specified command-line interface (CLI) view. This keyword can be used to switch from one CLI view to another CLI view.

Defaults

Privilege-level 15 (privileged EXEC)

Command Modes

User EXEC

Privileged EXEC

Command History

Release	Modification
10.0	This command was introduced.
12.3(7)T	The view keyword and view-name argument were added.
12.2(33)SRA	This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SRB	The view keyword and view-name argument were integrated into Cisco IOS Release 12.2(33)SRB.

Usage Guidelines

Entering privileged EXEC mode enables the use of privileged commands. Because many of the privileged commands set operating parameters, privileged access should be password-protected to prevent unauthorized use. If the system administrator has set a password with the enable password global configuration command, you are prompted to enter the password before being allowed access to privileged EXEC mode. The password is case sensitive.

If an enable password has not been set, only enable mode can be accessed through the console connection.

Security levels can be set by an administrator using the enable password and privilege level commands. Up to 16 privilege levels can be specified, using the numbers 0 through 15. Using these privilege levels, the administrator can allow or deny access to specific commands. Privilege level 0 is associated with user EXEC mode, and privilege level 15 is associated with privileged EXEC mode.

For more information on defined privilege levels, see the Cisco IOS Security Configuration Guide and the Cisco IOS Security Command Reference publications.

If a level is not specified when entering the enable command, the user will enter the default mode of privileged EXEC (level 15).

Accessing a CLI View

CLI views restrict user access to specified CLI and configuration information. To configure and access CLI views, users must first enter into root view, which is accomplished via the enable view command (without the view-name argument). Thereafter, users are prompted for a password, which is the same password as the privilege level 15 password.

The view-name argument is used to switch from one view to another view.

To prevent dictionary attacks, a user is prompted for a password even if an incorrect view name is given. The user is denied access only after an incorrect view name and password are given.

Examples

In the following example, the user enters privileged EXEC mode using the enable command. The system prompts the user for a password before allowing access to the privileged EXEC mode. The password is not printed to the screen. The user then exits back to user EXEC mode using the disable command. Note that the prompt for user EXEC mode is the greater than symbol (>), and the prompt for privileged EXEC mode is the number sign (#).

Router> enable

Password: <letmein>

Router# disable

Router>

This following example shows which commands are available inside the CLI view "first" after the user has logged into this view:

Router# enable view first

Password:

00:28:23:%PARSER-6-VIEW_SWITCH:successfully set to view 'first'.

Router# ?

Exec commands:

  configure  Enter configuration mode

  enable     Turn on privileged commands

  exit       Exit from the EXEC

  show       Show running system information

Router# show ?

  ip       IP information

  parser   Display parser information

  version  System hardware and software status

Router# show ip ? 

  access-lists            List IP access lists

  accounting              The active IP accounting database

  aliases                 IP alias table

  arp                     IP ARP table

  as-path-access-list     List AS path access lists

  bgp                     BGP information

  cache                   IP fast-switching route cache

  casa                    display casa information

  cef                     Cisco Express Forwarding

  community-list          List community-list

  dfp                     DFP information

  dhcp                    Show items in the DHCP database

  drp                     Director response protocol

  dvmrp                   DVMRP information

  eigrp                   IP-EIGRP show commands

  extcommunity-list       List extended-community list

  flow                    NetFlow switching

  helper-address          helper-address table

  http                    HTTP information

  igmp                    IGMP information

  irdp                    ICMP Router Discovery Protocol

.

.

.

The following command shows how to issue the enable view command to switch from the root view to the CLI view "first":

Router# enable view

Router# 

01:08:16:%PARSER-6-VIEW_SWITCH:successfully set to view 'root'.

Router# 

! Enable the show parser view command from the root view

Router# show parser view

Current view is 'root'

! Enable the show parser view command from the root view to display all views

Router# show parser view all

Views Present in System:

View Name:   first 

View Name:   second 

! Switch to the CLI view "first."

Router# enable view first 

Router#

01:08:09:%PARSER-6-VIEW_SWITCH:successfully set to view 'first'.

! Enable the show parser view command from the CLI view "first."

Router# show parser view

Current view is 'first'

Related Commands

Command	Description
disable	Exits from privileged EXEC mode to user EXEC mode, or, if privilege levels are set, to the specified privilege level.
enable password	Sets a local password to control access to various privilege levels.
privilege level (global)	Sets a privilege level for a command.
privilege level (line)	Sets a privilege level for a command for a specific line.

li-view

To initialize a lawful intercept view, use the li-view command in global configuration mode.

li-view li-password user username password password

Syntax Description

li-password	Associates the lawful interface view with a password. The password can contain any number of alphanumeric characters. Note The password is case sensitive.
user username	User who can access the lawful intercept view.
password password	Associates a password with the specified user username option; that is, the user must provide the specified password to access the view.

Defaults

A lawful intercept view cannot be accessed.

Command Modes

Global configuration

Command History

Release	Modification
12.3(7)T	This command was introduced.
12.2(33)SRB	This command was integrated into Cisco IOS Release 12.2(33)SRB.

Usage Guidelines

Like a command-line interface (CLI) view, a lawful intercept view restricts access to specified commands and configuration information. Specifically, a lawful intercept view allows a user to secure access to lawful intercept commands that are held within the TAP-MIB, which is a special set of simple network management protocol (SNMP) commands that stores information about calls and users.

Commands available in lawful intercept view belong to one of the following categories:

•Lawful intercept commands that should not be made available to any other view or privilege level.

•CLI that are useful for lawful intercept users but do not need to be excluded from other views or privilege levels.

---

Note Only a system administrator or a level 15 privilege user can initialize a lawful intercept view.

---

Examples

The following example shows how to configure a lawful intercept view, add users to the view, and verify the users that were added to the view:

!Initialize the LI-View.

Router(config-view)# li-view lipass user li_admin password li_adminpass

00:19:25:%PARSER-6-LI_VIEW_INIT:LI-View initialized.

Router(config-view)# end

! Enter the LI-View; that is, check to see what commands are available within the view.

Router# enable view li-view

Password:

Router#

00:22:57:%PARSER-6-VIEW_SWITCH:successfully set to view 'li-view'.

Router# configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)# parser view li-view 

Router(config-view)# ?

View commands:

  commands  Configure commands for a view

  default   Set a command to its defaults

  exit      Exit from view configuration mode

  name      New LI-View name      ===This option only resides in LI View.

  no        Negate a command or set its defaults

  password  Set a password associated with CLI views

Router(config-view)#

! NOTE:LI View configurations are never shown as part of `running-configuration'.

! Configure LI Users.

Router(config)# username lawful-intercept li-user1 password li-user1pass 

Router(config)# username lawful-intercept li-user2 password li-user2pass

! Displaying LI User information.

Router# show users lawful-intercept

li_admin     

li-user1     

li-user2     

Router#

Related Commands

Command	Description
show users	Displays information about the active lines on the router.
username	Establishes a username-based authentication system.

name (view)

To change the name of a lawful intercept view, use the name command in view configuration mode. To return to the default lawful intercept view name, which is "li-view," use the no form of this command.

name new-name

no name new-name

Syntax Description

new-name

Lawful intercept view name.

Defaults

A lawful intercept view is called "li-view."

Command Modes

View configuration

Command History

Release	Modification
12.3(7)T	This command was introduced.
12.2(33)SRB	This command was integrated into Cisco IOS Release 12.2(33)SRB.

Usage Guidelines

Only a system administrator or a level 15 privilege user can change the name of a lawful intercept view.

Examples

The following example shows how to configure a lawful intercept view and change the view name to "myliview":

!Initialize the LI-View.

Router(config-view)# li-view lipass user li_admin password li_adminpass

00:19:25:%PARSER-6-LI_VIEW_INIT:LI-View initialized.

Router(config-view)# name myliview

Router(config-view)# end

Related Commands

Command	Description
li-view	Creates a lawful intercept view.
parser view	Creates or changes a CLI view and enters view configuration mode.

parser view

To create or change a command-line interface (CLI) view and enter view configuration mode, use the parser view command in global configuration mode. To delete a view, use the no form of this command.

parser view view-name

no parser view view-name

Syntax Description

view-name

View name, which can include 1 to 30 alphanumeric characters. The view-name argument must not have a number as the first character; otherwise, you will receive the following error message: "Invalid view name."

Defaults

A CLI view does not exist.

Command Modes

Global configuration

Command History

Release	Modification
12.3(7)T	This command was introduced.
12.2(33)SRB	This command was integrated into Cisco IOS Release 12.2(33)SRB.

Usage Guidelines

A CLI view is a set of operational commands and configuration capabilities that restrict user access to the CLI and configuration information; that is, a view allows users to define what commands are accepted and what configuration information is visible.

After you have issued the parser view command, you can configure the view via the secret 5 command and the commands command.

To use the parser view command, the system of the user must be set to root view. The root view can be enabled via the enable view command.

Examples

The following example show how to configure two CLI views, "first" and "second."

Router(config)# parser view first

00:11:40:%PARSER-6-VIEW_CREATED:view 'first' successfully created. 

Router(config-view)# secret 5 firstpass

Router(config-view)# command exec include show version

Router(config-view)# command exec include configure terminal

Router(config-view)# command exec include all show ip

Router(config-view)# exit

Router(config)# parser view second

00:13:42:%PARSER-6-VIEW_CREATED:view 'second' successfully created.

Router(config-view)# secret 5 secondpass

Router(config-view)# command exec include-exclusive show ip interface

Router(config-view)# command exec include logout

Router(config-view)# exit

After you have successfully created a view, a system message such as the following will be displayed:

%PARSER-6-VIEW_CREATED: view `first' successfully created.

After you have successfully deleted a view, a system message such as the following will be displayed:

%PARSER-6-VIEW_DELETED: view `first' successfully deleted.

Related Commands

Command	Description
commands (view)	Adds commands to a CLI view.
secret 5	Associates a CLI view or a superview with a password.

parser view superview

To create a superview and enter view configuration mode, use the parser view superview command in global configuration mode. To delete a superview, use the no form of this command.

parser view superview-name superview

no parser view superview-name superview

Syntax Description

superview-name

Superview name, which can include 1 to 30 alphanumeric characters. The superview-name argument must not have a number as the first character.

Defaults

A superview does not exist.

Command Modes

Global configuration

Command History

Release	Modification
12.3(11)T	This command was introduced.
12.2(33)SRB	This command was integrated into Cisco IOS Release 12.2(33)SRB.

Usage Guidelines

A superview consists of one or more command-line interface (CLI) views, which allow users to define what commands are accepted and what configuration information is visible. Superviews allow a network administrator to easily assign all users within configured CLI views to a superview instead of having to assign multiple CLI views to a group of users.

Superviews contain the following characteristics:

•A CLI view can be shared among multiple superviews.

•Commands cannot be configured for a superview; that is, you must add commands to the CLI view and add that CLI view to the superview.

•Users who are logged into a superview can access all of the commands that are configured for any of the CLI views that are part of the superview.

•Each superview has a password that is used to switch between superviews or from a CLI view to a superview.

Adding CLI Views to a Superview

You can add a view to a superview only after a password has been configured for the superview (via the secret 5 command). Thereafter, issue the view command in view configuration mode to add at least one CLI view to the superview.

---

Note Before adding a CLI view to a superview, ensure that the CLI views that are added to the superview are valid views in the system; that is, the views have been successfully created via the parser view command.

---

Examples

The following sample output from the show running-config command shows that "view_one" and "view_two" have been added to superview "su_view1," and "view_three" and "view_four" have been added to superview "su_view2":

!

parser view su_view1 superview

 secret 5 <encoded password>

 view view_one

 view view_two

!

parser view su_view2 superview

 secret 5 <encoded password>

 view view_three

 view view_four

!

Related Commands

Command	Description
parser view	Creates or changes a CLI view and enters view configuration mode.
secret 5	Associates a CLI view or a superview with a password.
view	Adds a normal CLI view to a superview.

secret

To associate a command-line interface (CLI) view or a superview with a password, use the secret command in view configuration mode.

secret {unencrypted-password | 0 unencrypted-password | 5 encrypted-password}

Syntax Description

unencrypted-password	Nonencrypted password. A password can contain any combination of alphanumeric characters. The password is case sensitive. This clear-text password will be encrypted using the Message Digest 5 (MD5) method.
0	Specifes that an unencrypted password will follow.
5	Specifes that an encrypted password will follow.
encrypted-password	Encrypted password that you enter and that is copied from another router configuration.

Defaults

User cannot access a CLI view or superview.

Command Modes

View configuration

Command History

Release	Modification
12.3(14)T	This command was introduced.

Usage Guidelines

A user cannot access any commands within the CLI view or superview until the secret command has been issued.

---

Note The password cannot be removed, but you can overwrite it.

---

Examples

The following examples show how to configure two CLI views, "first" and "second," and associate each view with a password:

CLI View "first"

Router# configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)# parser view first

Router(config-view)# 

*Dec  9 05:20:03.039: %PARSER-6-VIEW_CREATED: view 'first' successfully created.

Router(config-view)# secret firstpassword

Router(config-view)# secret secondpassword

% Overwriting existing secret for the current view

Router(config-view)# secret 0 thirdpassword

% Overwriting existing secret for the current view

Router(config-view)# secret 5 $1$jj1e$vmYyRbmj5UoU96tT1x7eP1

% Overwriting existing secret for the current view

Router(config-view)# secret 5 invalidpassword

ERROR: The secret you entered is not a valid encrypted secret.

To enter an UNENCRYPTED secret, do not specify type 5 encryption.

When you properly enter an UNENCRYPTED secret, it will be encrypted.

Router(config-view)# command exec include show version

Router(config-view)# command exec include configure terminal

Router(config-view)# command configure include all ip

Router(config-view)# exit

CLI View "second"

Router# configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)# parser view second

Router(config-view)#

*Dec 30 06:11:52.915: %PARSER-6-VIEW_CREATED: view 'second' successfully created.

Router(config-view)# secret mypasswd 

Router(config-view)# commands exec include ping

Router(config-view)# end

Router# show running-config

parser view second

 secret 5 $1$PWs8$lz3lSx6OqAnFrUx2hkI0w0

 commands exec include ping

!

The following is an example of show running-config output for a situation in which the secret 
command has been configured using a level 5 encrypted password:

Router: show running-config

parser view first

 secret 5 $1$jj1e$vmYyRbmj5UoU96tT1x7eP1

 commands configure include all ip

 commands exec include configure terminal

 commands exec include configure

 commands exec include show version

 commands exec include show

!

Related Commands

Command	Description
parser view	Creates or changes a CLI view and enters view configuration mode.

show parser view

To display command-line interface (CLI) view information, use the show parser view command in privileged EXEC mode.

show parser view [all]

Syntax Description

all	(Optional) Displays information about all CLI views that are configured on the router.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.3(7)T	This command was introduced.
12.2(33)SRB	This command was integrated into Cisco IOS Release 12.2(33)SRB.

Usage Guidelines

The show parser view command will display information only about the view that the user is currently in. This command is available for both root view users and lawful intercept view users—except for the all keyword, which is available only to root view users. However, the all keyword can be configured by a user in root view to be available for users in lawful intercept view.

The show parser view command cannot be excluded from any view.

Examples

The following example shows how to display information from the root view and the CLI view "first":

Router# enable view

Router# 

01:08:16:%PARSER-6-VIEW_SWITCH:successfully set to view 'root'.

Router# 

! Enable the show parser view command from the root view

Router# show parser view 

Current view is 'root'

! Enable the show parser view command from the root view to display all views

Router# show parser view all 

Views Present in System:

View Name:   first 

View Name:   second 

! Switch to the CLI view "first."

Router# enable view first 

Router#

01:08:09:%PARSER-6-VIEW_SWITCH:successfully set to view 'first'.

! Enable the show parser view command from the CLI view "first."

Router# show parser view

Current view is 'first'

Related Commands

Command	Description
parser view	Creates or changes a CLI view and enters view configuration mode.

show users

To display information about the active lines on the router, use the show users command in privileged EXEC mode.

show users [all] [lawful-intercept]

Syntax Description

all	(Optional) Specifies that all lines be displayed, regardless of whether anyone is using them.
lawful-intercept	(Optional) Displays lawful-intercept users.

Command Modes

Privileged EXEC

Command History

Release	Modification
10.0	This command was introduced.
12.3(7)T	The lawful-intercept keyword was introduced.
12.2(33)SRB	The lawful-intercept keyword was integrated into Cisco IOS Release 12.2(33)SRB.

Usage Guidelines

This command displays the line number, connection name, idle time, hosts (including virtual access interfaces), and terminal location. An asterisk (*) indicates the current terminal session.

If the lawful-intercept keyword is issued, the names of all users who have access to a configured lawful intercept view will be displayed. To access the show users lawful-intercept command, you must be an authorized lawful-intercept-view user.

Examples

The following is sample output from the show users command:

Router# show users

     	Line          	User	           Host(s)	       Idle Location

     	0 con 0	                      	idle

*    	2 vty 0       	user1          	idle           	0   SERVICE1.CISCO.COM

The following is sample output identifying an active virtual access interface:

Router# show users

Line         User      Host(s)                 Idle    Location

*  0 con 0             idle                    01:58

  10 vty 0             Virtual-Access2          0      1212321

The following is sample output from the show users all command:

Router# show users all

	   Line      	User         	Host(s)     	Idle  Location

*  	0 vty 0	   user1        	idle         0    SERVICE1.CISCO.COM

   	1 vty 1

	   2 con 0

	   3 aux 0

	   4 vty 2

Table 2 describes the significant fields shown in the displays.

Table 2 show users Field Descriptions 

Field	Description
Line	Contains three subfields: •The first subfield (0 in the sample output) is the absolute line number. •The second subfield (vty in the sample output) indicates the type of line. Possible values follow: con—console aux—auxiliary port tty—asynchronous terminal port vty—virtual terminal •The third subfield (0 in the * sample output) indicates the relative line number within the type.
User	User using the line. If no user is listed in this field, no one is using the line.
Host(s)	Host to which the user is connected (outgoing connection). A value of idle means that there is no outgoing connection to a host.
Idle	Interval (in minutes) since the user has entered something.
Location	Either the hard-wired location for the line or, if there is an incoming connection, the host from which incoming connection came.

The following sample output from the show users lawful intercept command, shows three LI-View users on the system—li_admin, li-user1, and li-user2":

Router# show users lawful-intercept 

li_admin     

li-user1     

li-user2     

Router#

Related Commands

Command	Description
line	Identifies a specific line for configuration and starts the line configuration command collection mode.
li-view	Creates a lawful intercept view.
show line	Displays the parameters of a terminal line.
username	Establishes a username-based authentication system.

username

To establish a username-based authentication system, use the username command in global configuration mode. Use the no form of this command to remove an established username-based authentication.

username name {nopassword | password password | password encryption-type encrypted-password}

username name password secret

username name [access-class number]

username name [autocommand command]

username name [callback-dialstring telephone-number]

username name [callback-rotary rotary-group-number]

username name [callback-line [tty] line-number [ending-line-number]]

username name dnis

username name [nocallback-verify]

username name [noescape] [nohangup]

username name [privilege level]

username name user-maxlinks number

username [lawful-intercept] name [privilege privilege-level | view view-name] password password

no username name

Syntax Description

name	Host name, server name, user ID, or command name. The name argument can be only one word. Blank spaces and quotation marks are not allowed.
nopassword	No password is required for this user to log in. This is usually most useful in combination with the autocommand keyword.
password	Specifies a possibly encrypted password for this username.
password	Password a user enters.
encryption-type	Single-digit number that defines whether the text immediately following is encrypted, and, if so, what type of encryption is used. Currently defined encryption types are 0, which means that the text immediately following is not encrypted, and 7, which means that the text is encrypted using a Cisco-defined encryption algorithm.
encrypted-password	Encrypted password a user enters.
password	Password to access the name argument. A password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command.
secret	For CHAP authentication: specifies the secret for the local router or the remote device. The secret is encrypted when it is stored on the local router. The secret can consist of any string of up to 11 ASCII characters. There is no limit to the number of username and password combinations that can be specified, allowing any number of remote devices to be authenticated.
access-class	(Optional) Specifies an outgoing access list that overrides the access list specified in the access-class line configuration command. It is used for the duration of the user's session.
number	(Optional) Access list number.
autocommand	(Optional) Causes the specified command to be issued automatically after the user logs in. When the command is complete, the session is terminated. Because the command can be any length and contain embedded spaces, commands using the autocommand keyword must be the last option on the line.
command	(Optional) The command string. Because the command can be any length and contain embedded spaces, commands using the autocommand keyword must be the last option on the line.
callback-dialstring	(Optional) For asynchronous callback only: permits you to specify a telephone number to pass to the DCE device.
telephone-number	(Optional) For asynchronous callback only: telephone number to pass to the DCE device.
callback-rotary	(Optional) For asynchronous callback only: permits you to specify a rotary group number. The next available line in the rotary group is selected.
rotary-group-number	(Optional) For asynchronous callback only: integer between 1 and 100 that identifies the group of lines on which you want to enable a specific username for callback.
callback-line	(Optional) For asynchronous callback only: specific line on which you enable a specific username for callback.
tty	(Optional) For asynchronous callback only: standard asynchronous line.
line-number	(Optional) For asynchronous callback only: relative number of the terminal line (or the first line in a contiguous group) on which you want to enable a specific username for callback. Numbering begins with zero.
ending-line-number	(Optional) Relative number of the last line in a contiguous group on which you want to enable a specific username for callback. If you omit the keyword (such as tty), then line-number and ending-line-number are absolute rather than relative line numbers.
dnis	Do not require password when obtained via DNIS.
nocallback-verify	(Optional) Authentication not required for EXEC callback on the specified line.
noescape	(Optional) Prevents a user from using an escape character on the host to which that user is connected.
nohangup	(Optional) Prevents Cisco IOS software from disconnecting the user after an automatic command (set up with the autocommand keyword) has completed. Instead, the user gets another EXEC prompt.
privilege	(Optional) Sets the privilege level for the user.
level	(Optional) Number between 0 and 15 that specifies the privilege level for the user.
user-maxlinks	Limit the user's number of inbound links.
number	User-maxlinks limit for inbound links.
lawful-intercept	(Optional) Configures lawful intercept users on a Cisco device.
name	Host name, server name, user ID, or command name. The name argument can be only one word. Blank spaces and quotation marks are not allowed.
privilege	(Optional) Sets the privilege level for the user.
privilege-level	(Optional) Number between 0 and 15 that specifies the privilege level for the user.
view	(Optional) For command-line interface (CLI) view only: associates a CLI view name with the local authentication, authorization, and accounting (AAA) database.
view-name	(Optional) For CLI view only: view name, which was specified via the parser view command, that is to be associated with the AAA local database.
password password	Password to access the CLI view.

Defaults

No username-based authentication system is established.

Command Modes

Global configuration

Command History

Release	Modification
10.0	This command was introduced.
11.1	The following keywords and arguments were added: •username name [callback-dialstring telephone-number] •username name [callback-rotary rotary-group-number] •username name [callback-line [tty] line-number [ending-line-number]] •username name [nocallback-verify]
12.3(7)T	The following keywords and arguments were added: •lawful-intercept •view •view-name
12.2(33)SRB	The following keywords and arguments were integrated into Cisco IOS Release 12.2(33)SRB: •lawful-intercept •view •view-name

Usage Guidelines

The username command provides username or password authentication, or both, for login purposes only.

Multiple username commands can be used to specify options for a single user.

Add a username entry for each remote system with which the local router communicates and from which it requires authentication. The remote device must have a username entry for the local router. This entry must have the same password as the local router's entry for that remote device.

This command can be useful for defining usernames that get special treatment. For example, you can use this command to define an "info" username that does not require a password but connects the user to a general purpose information service.

The username command is required as part of the configuration for the Challenge Handshake Authentication Protocol (CHAP). Add a username entry for each remote system from which the local router requires authentication.

---

Note To enable the local router to respond to remote CHAP challenges, one username name entry must be the same as the hostname entry that has already been assigned to the other router.

---

---

Note To avoid the situation of a privilege level 1 user entering into a higher privilege level, configure a per-user privilege level other than 1 (for example, 0 or 2 through 15).

---

---

Note Per-user privilege levels override virtual terminal (VTY) privilege levels.

---

CLI and Lawful Intercept Views

Both CLI views and lawful intercept views restrict access to specified commands and configuration information. A lawful intercept view allows a user to secure access to lawful intercept commands that are held within the TAP-MIB, which is a special set of simple network management protocol (SNMP) commands that stores information about calls and users.

Users who are specified via the lawful-intercept keyword are placed in the lawful-intercept view, by default, if no other privilege level or view name has been explicitly specified.

If there is no secret specified and the debug serial-interface command is enabled, an error is displayed when a link is established and the CHAP challenge is not implemented. CHAP debugging information is available using the debug ppp negotiation, debug serial-interface, and debug serial-packet commands. For more information about debug commands, refer to the Cisco IOS Debug
Command Reference.

Examples

The following example implements a service similar to the UNIX who command, which can be entered at the login prompt and lists the current users of the router:

username who nopassword nohangup autocommand show users

The following example implements an information service that does not require a password to be used. The command takes the following form:

username info nopassword noescape autocommand telnet nic.ddn.mil

The following example implements an ID that works even if all the TACACS+ servers break. The command takes the following form:

username superuser password superpassword

The following example enables CHAP on interface serial 0 of "server_l." It also defines a password for a remote server named "server_r."

hostname server_l 
username server_r password theirsystem 
interface serial 0 
 encapsulation ppp 
 ppp authentication chap

When you look at your configuration file, the passwords will be encrypted, and the display will look similar to the following:

hostname server_l 
username server_r password 7 121F0A18 
interface serial 0 
 encapsulation ppp 
 ppp authentication chap

In both of the following configuration examples, a privilege level 1 user is denied access to privilege levels higher than 1:

username user privilege 0 password 0 cisco

username user 2 privilege 2 password 0 cisco

The following example removes the username-based authentication for user 2:

no username user 2

Related Commands

Command	Description
arap callback	Enables an ARA client to request a callback from an ARA client.
callback forced-wait	Forces the Cisco IOS software to wait before initiating a callback to a requesting client.
ppp callback (DDR)	Enables a dialer interface that is not a DTR interface to function either as a callback client that requests callback or as a callback server that accepts callback requests.
ppp callback (PPP client)	Enables a PPP client to dial into an asynchronous interface and request a callback.
show users	Displays information about the active lines on the router.

view

To add a normal command-line interface (CLI) view to a superview, use the view command in view configuration mode. To remove a CLI view from a superview, use the no form of this command.

view view-name

no view view-name

Syntax Description

view-name

CLI view that is to be added to the given superview.

Defaults

A superview will not contain any CLI views until this command is enabled.

Command Modes

View configuration

Command History

Release	Modification
12.3(11)T	This command was introduced.
12.2(33)SRB	This command was integrated into Cisco IOS Release 12.2(33)SRB.

Usage Guidelines

Before you can use this command to add normal views to a superview, ensure that the following steps have been taken:

•A password has been configured for the superview (via the secret 5 command).

•The normal views that are to be added to the superview are valid views in the system; that is, the views have been successfully created via the parser view command.

Examples

The following sample output from the show running-config command shows that "view_one" and "view_two" have been added to superview "su_view1," and "view_three" and "view_four" have been added to superview "su_view2":

!

parser view su_view1 superview

 secret 5 <encoded password>

 view view_one

 view view_two

!

parser view su_view2 superview

 secret 5 <encoded password>

 view view_three

 view view_four

!

Related Commands

Command	Description
parser view	Creates or changes a CLI view and enters view configuration mode.
secret 5	Associates a CLI view or a superview with a password.

Copyright © 2007 Cisco Systems, Inc. All rights reserved.