Configuring AAA Services on Cisco IOS XR Software
Information About Configuring AAA Services
SC-6
Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router
OL-20382-01
Task Groups
A task group is defined by a collection of task IDs. Task groups contain task ID lists for each class of
action.
Each user group is associated with a set of task groups applicable to the users in that group. A user’s task
permissions are derived from the task groups associated with the user groups to which that user belongs.
Predefined Task Groups
The following predefined task groups are available for administrators to use, typically for initial
configuration:
• cisco-support: Cisco support personnel tasks
• netadmin: Network administrator tasks
• operator: Operator day-to-day tasks (for demonstration purposes)
• root-lr: Secure domain router administrator tasks
• root-system: System-wide administrator tasks
• sysadmin: System administrator tasks
• serviceadmin: Service administration tasks, for example, SBC
User-Defined Task Groups
Users can configure their own task groups to meet particular needs.
Group Inheritance
Task groups support inheritance from other task groups. (Similarly, a user group can derive attributes
from another user group. See the “User Groups” section.) For example, when task group A inherits task
group B, the new set of attributes of task group A is the union of A and B.
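The union rule above, as an added example that is not part of the Cisco guide: a Python model that resolves a user's effective task IDs per class across inherited user groups and task groups, so an audit can show which accounts end up holding a given permission. All group names, users and task assignments are constructed sample data, and the loop check is an assumption of this example rather than documented router behavior.

```python
from collections import defaultdict

# Constructed sample data (hypothetical names), not taken from the guide.
# Task group -> task IDs per class of action, plus the task groups it inherits.
TASK_GROUPS = {
    "bgp-ro":    {"tasks": {"read": {"bgp"}}, "inherit": []},
    "bgp-ops":   {"tasks": {"write": {"bgp"}, "execute": {"bgp"}}, "inherit": ["bgp-ro"]},
    "aaa-audit": {"tasks": {"read": {"aaa"}}, "inherit": []},
    "noc-tier2": {"tasks": {"read": {"ospf"}}, "inherit": ["bgp-ops", "aaa-audit"]},
}
# User group -> associated task groups, plus the user groups it inherits.
USER_GROUPS = {
    "noc-base":   {"taskgroups": ["bgp-ro"], "inherit": []},
    "noc-senior": {"taskgroups": ["noc-tier2"], "inherit": ["noc-base"]},
}
USERS = {"alice": ["noc-senior"], "bob": ["noc-base"]}


def closure(name, table, path=()):
    """Return name plus every group it inherits from; reject inheritance loops."""
    if name in path:
        raise ValueError("inheritance loop: " + " -> ".join(path + (name,)))
    if name not in table:
        raise KeyError(f"undefined group: {name}")
    seen = {name}
    for parent in table[name]["inherit"]:
        seen |= closure(parent, table, path + (name,))
    return seen


def effective_tasks(user):
    """Union of task IDs, per class, over all task groups reachable from the user."""
    perms = defaultdict(set)
    for ug in USERS[user]:
        for g in closure(ug, USER_GROUPS):
            for tg in USER_GROUPS[g]["taskgroups"]:
                for t in closure(tg, TASK_GROUPS):
                    for cls, ids in TASK_GROUPS[t]["tasks"].items():
                        perms[cls] |= ids
    return {cls: sorted(ids) for cls, ids in perms.items()}


def who_has(cls, task_id):
    """Audit helper: users whose effective permissions include cls on task_id."""
    return sorted(u for u in USERS if task_id in effective_tasks(u).get(cls, []))
```

Because inheritance only ever adds task IDs, reviewing a group's own task list understates what its members can do; the resolved view is the one to compare against a least-privilege baseline.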
Cisco IOS XR Software Administrative Model
The router operates in two planes: the administration (admin) plane and secure domain router (SDR)
plane. The admin (shared) plane consists of resources shared across all SDRs, while the SDR plane
consists of those resources specific to the particular SDR.
The root-system user has the highest level of responsibility for the router. This user provisions secure
domain routers and creates root SDR users. After being created, root SDR users take most of the
responsibilities from the root-system user for the SDR. Root SDR users in turn can create secure domain
router users. Root-system users and root SDR users have fixed permissions (task IDs) that cannot be
changed by users.
Each SDR has its own AAA configuration, including local users, groups, and TACACS+ and RADIUS
configurations. Users created in one SDR cannot access other SDRs unless those same users are
configured in the other SDRs.