Version 4.1 - 5.5.c Device Administration
As mentioned previously, RADIUS is used for network access and TACACS+ is used for device administration. This is mainly because TACACS+ separates the AAA functions, which is far more useful than the all-or-nothing accept/reject behavior of RADIUS. TACACS+ also supports multiple privilege levels, which is useful in device administration.
In addition to TACACS+, you will want to know and understand Role-Based CLI Access.
A CLI view is a set of operational commands and configuration capabilities that restrict user access to the CLI and configuration information; that is, a view allows users to define what commands are accepted and what configuration information is visible.
SUMMARY STEPS
1. enable view
2. configure terminal
3. parser view view-name
4. secret 5 encrypted-password
5. commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]
6. exit
7. exit
8. enable [privilege-level] [view view-name]
9. show parser view [all]
From my experience on exams, expect one or two questions on "views" related to CLI. If you've never used this before, you might want to get on a router and play with this until you're familiar with it.
Note that you have to be in "root view" in order to configure a view. To do this, use the "enable view" command.
Most of the questions I've seen related to this material center around effective permissions. You have to allow the show command in order to allow the show logging command (and have it work).
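The summary steps above worked through as a read-only help desk view, including the effective-permissions point that show has to be included before show logging will run. This is an added example, not configuration from the original post; the view name HELPDESK, the placeholder password, and the interface names are assumptions, and it assumes aaa new-model is already configured (required before parser views can be created).

```cisco
! Added example (not from the original post). Assumes "aaa new-model" is
! already configured and that an enable secret is set for root view.
enable view
! root view prompts for the enable secret; you are now in root view
configure terminal
parser view HELPDESK
 ! "secret 0" takes a cleartext password and IOS stores it as a type 5 hash;
 ! the value below is a placeholder, not a real password
 secret 0 HELPDESK-PASSWORD-PLACEHOLDER
 ! Effective permissions: the parent "show" keyword must be included
 ! before the more specific show commands below will work in the view
 commands exec include show
 commands exec include show logging
 commands exec include show interfaces
 ! "include" here limits "show running-config" output to what the view may see
 commands exec include show running-config
 ! No "configure terminal" is included, so the view cannot change anything
 exit
exit
! Verification from the help desk side: log into the view and list its commands
enable view HELPDESK
show parser view
! Verification from root view: list every view and its command set
enable view
show parser view all
```

A user logged into HELPDESK can run the included show commands but gets a parser error on anything else, which is the behaviour the exam questions on effective permissions test.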
Another bunch of questions that you might see from this section might deal with authorization and accounting. Know the Authentication Commands and the Authorization Commands.
And that's about all I'm going to review for this section. I've worked with views in many labs - it's really interesting. But I have to admit that I haven't seen this on any network in production. There may be two reasons for that. The first reason is that Network Engineers don't want anyone else with access to the routers/switches/firewalls. Really - think about it - why would they give the Help Desk (or any other team) the ability to look at the switch configuration without the ability to fix it? What purpose would that serve? So for practical reasons this doesn't usually happen. The other thing is that through TACACS+ and ACS, you can permit or deny individual commands (command authorization). So why would you set a view on each individual device when you can set this at the ACS server and have it applied to multiple devices? So again, for practical purposes a view would not be used. But it may be on the written exam and could also end up on the lab - so take a few minutes to learn this.