
Cisco CRS-1 - Carrier Routing System Router Configuration Guide

232 pages
Configuring AAA Services on Cisco IOS XR Software
Information About Configuring AAA Services
SC-7
Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router
OL-20382-01
Administrative Access
Administrative access to the system can be lost if the following operations are not well understood and
carefully planned. A lockout of all root-system users is a serious issue that requires a system reload to
recover the password.
• Configuring authentication that uses remote AAA servers that are not available, particularly
  authentication for the console.
  Note: The none option without any other method list is not supported in Cisco IOS XR software.
• Removing the flash card from disk0:, or a disk corruption, may deny auxiliary port authentication,
  which can affect certain system debugging abilities. However, if the console is available, the system
  is still accessible.
• Configuring command authorization or EXEC authorization on the console should be done with
  extreme care, because TACACS+ servers may not be available or may deny every command, which
  locks the user out. This lockout can occur particularly if the authentication was done with a user not
  known to the TACACS+ server, or if the TACACS+ user has most or all the commands denied for
  one reason or another.
To avoid a lockout, we recommend one or both of the following:
• Before turning on TACACS+ command authorization or EXEC authorization on the console, make
  sure that the user who is configuring the authorization is logged in using the appropriate user
  permissions in the TACACS+ profile.
• If the security policy of the site permits it, use the none option for command authorization or EXEC
  authorization so that if the TACACS+ servers are not reachable, AAA rolls over to the none method,
  which permits the user to run the command.
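The lockout conditions above can be checked before a configuration is committed. The following Python sketch is an added example, not part of the Cisco guide: it flags AAA method lists that rely only on remote server groups, or that consist of none alone. The sample configuration is constructed, the finding labels are hypothetical names, and applying the none-only check to every service is an assumption of the example.

```python
import re

# Matches IOS XR method-list definitions, for example:
#   aaa authorization commands default group tacacs+ none
AAA_RE = re.compile(
    r"^\s*aaa\s+(authentication\s+login|authorization\s+(?:commands|exec))"
    r"\s+(\S+)\s+(.+?)\s*$"
)

def parse_methods(tail):
    """Split 'group tacacs+ local none' into ['group tacacs+', 'local', 'none']."""
    tokens, methods, i = tail.split(), [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods

def audit_aaa(config):
    """Return (service, list_name, finding) tuples for risky method lists."""
    findings = []
    for line in config.splitlines():
        m = AAA_RE.match(line)
        if not m:
            continue
        service = " ".join(m.group(1).split())
        name, methods = m.group(2), parse_methods(m.group(3))
        if methods == ["none"]:
            # The guide's Note: none without any other method is not supported.
            findings.append((service, name, "none-only"))
        elif all(x.startswith("group ") for x in methods):
            # Only remote servers: unreachable or denying servers lock users out.
            findings.append((service, name, "remote-only"))
    return findings

# Constructed sample configuration (not taken from the guide).
SAMPLE = """\
aaa authentication login default group tacacs+
aaa authentication login CONSOLE group tacacs+ local
aaa authentication login NOAUTH none
aaa authorization commands default group tacacs+
aaa authorization commands SAFE group tacacs+ none
"""

if __name__ == "__main__":
    for service, name, finding in audit_aaa(SAMPLE):
        print(f"{service} [{name}]: {finding}")
```

Whether a flagged remote-only list should fall back to local or to none is a site policy decision; the script only reports where no fallback exists.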
AAA Database
The AAA database stores the users, groups, and task information that controls access to the system. The
AAA database can be either local or remote. The database that is used for a specific situation depends
on the AAA configuration.
Local Database
AAA data, such as users, user groups, and task groups, can be stored locally within a secure domain
router. The data is stored in the in-memory database and persists in the configuration file. The stored
passwords are encrypted.
Note: The database is local to the specific secure domain router (SDR) in which it is stored, and the defined
users or groups are not visible to other SDRs in the same system.
You can delete the last remaining user from the local database. If all users are deleted, then when the next
user logs in, the setup dialog appears and prompts you for a new username and password.
Note: The setup dialog appears only when the user logs into the console.
