Configuring AAA Services on Cisco IOS XR Software
Information About Configuring AAA Services
SC-15
Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router
OL-20382-01
For example, to give a user named user1 BGP read, write, and execute permissions and include user1 in
a user group named operator, the username entry in the external server’s TACACS+ configuration file
would look similar to the following:
user = user1 {
    member = some-tac-server-group
    opap = cleartext "lab"
    service = exec {
        task = "rwx:bgp,#operator"
    }
}
The letters r, w, x, and d correspond to read, write, execute, and debug permissions, respectively, and the pound sign (#)
indicates that a user group name follows.
Note: The optional keyword must be added in front of "task" to enable interoperability with systems based on
Cisco IOS software.
If CiscoSecure ACS is used, perform the following procedure to specify the task ID and user groups:
Step 1 Enter your username and password.
Step 2 Click the Group Setup button to display the Group Setup window.
Step 3 From the Group drop-down list, select the group that you want to update.
Step 4 Click the Edit Settings button.
Step 5 Use the scroll arrow to locate the Shell (exec) check box.
Step 6 Check the Shell (exec) check box to enable the custom attributes configuration.
Step 7 Check the Custom attributes check box.
Step 8 Enter the following task string without any blank spaces or quotation marks in the field:
task=rwx:bgp,#netadmin
Step 9 Click the Submit + Restart button to restart the server.
The following RADIUS Vendor-Specific Attribute (VSA) example shows that the user is part of the
sysadmin predefined task group, can configure BGP, and can view the configuration for OSPF:
user Auth-Type := Local, User-Password == lab
    Service-Type = NAS-Prompt-User,
    Reply-Message = "Hello, %u",
    Login-Service = Telnet,
    Cisco-AVPair = "shell:tasks=#sysadmin,rwx:bgp,r:ospf"
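The TACACS+ task attribute, the CiscoSecure ACS custom attribute, and the RADIUS Cisco-AVPair value above all carry the same task-string syntax: comma-separated elements that are either <permission letters>:<task ID> or #<group name>. The following parser is an added illustration, not Cisco code or part of this guide; it validates an attribute value before it is committed to an AAA server, so that a typo (a stray space, a permission letter outside r/w/x/d, a missing colon) is rejected at review time rather than silently granting the wrong privileges. The task-ID character class used here is an assumption for the example, not a Cisco specification, and the renderer only prints the tasks listed explicitly, since tasks inherited through #group membership are resolved by the router from its own group definitions.

```python
"""Parser and validator for the IOS XR task-string syntax carried in AAA
attributes, e.g. "rwx:bgp,#operator" (TACACS+), "task=rwx:bgp,#netadmin"
(ACS) and "shell:tasks=#sysadmin,rwx:bgp,r:ospf" (RADIUS VSA).

Added example; not Cisco code. Only the two attribute prefixes shown in the
guide ("task=" and "shell:tasks=") are recognised.
"""
import re
from dataclasses import dataclass, field

# Permission letters and the long names printed by "show user tasks".
PERM_NAMES = {"r": "READ", "w": "WRITE", "x": "EXECUTE", "d": "DEBUG"}
PERM_ORDER = "rwxd"

# Assumption for this example: a task ID or group name is a lowercase
# identifier with optional digits and hyphens (e.g. basic-services).
_NAME_RE = re.compile(r"^[a-z][a-z0-9-]*$")


@dataclass
class TaskSpec:
    tasks: dict = field(default_factory=dict)   # task id -> set of letters
    groups: list = field(default_factory=list)  # groups named with '#'


def parse_task_string(value: str) -> TaskSpec:
    """Parse one attribute value into task permissions and group names.

    Raises ValueError on anything malformed so that a bad AAA entry is
    caught before it reaches the server.
    """
    s = value.strip()
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]                      # value copied from a quoted TACACS+ line
    for prefix in ("shell:tasks=", "task="):
        if s.startswith(prefix):
            s = s[len(prefix):]          # drop the RADIUS or ACS attribute prefix
            break
    if not s:
        raise ValueError("empty task string")
    if re.search(r"\s", s):
        raise ValueError("task string must not contain blank spaces")
    spec = TaskSpec()
    for item in s.split(","):
        if not item:
            raise ValueError("empty element (double or trailing comma)")
        if item.startswith("#"):
            group = item[1:]
            if not _NAME_RE.match(group):
                raise ValueError(f"bad group name: {item!r}")
            if group not in spec.groups:
                spec.groups.append(group)
            continue
        perms, sep, task = item.partition(":")
        if not sep or not task:
            raise ValueError(f"expected <perms>:<task> or #<group>, got {item!r}")
        if not perms or any(p not in PERM_NAMES for p in perms):
            raise ValueError(f"permission letters must be from 'rwxd': {item!r}")
        if not _NAME_RE.match(task):
            raise ValueError(f"bad task id: {task!r}")
        # A repeated task ID merges its letters instead of silently overriding.
        spec.tasks.setdefault(task, set()).update(perms)
    return spec


def format_like_show_user_tasks(spec: TaskSpec) -> list:
    """Render the explicitly listed tasks in the style of 'show user tasks'.

    Group-inherited tasks are not expanded; the router resolves those.
    """
    lines = []
    for task in sorted(spec.tasks):
        names = [PERM_NAMES[p] for p in PERM_ORDER if p in spec.tasks[task]]
        lines.append(f"Task: {task} :{' '.join(names)}")
    return lines


if __name__ == "__main__":
    for good in ("rwx:bgp,#operator",
                 "task=rwx:bgp,#netadmin",
                 "shell:tasks=#sysadmin,rwx:bgp,r:ospf"):
        spec = parse_task_string(good)
        print(good, "->", spec.tasks, spec.groups)
        print("\n".join(format_like_show_user_tasks(spec)))
    for bad in ("rwx:bgp, #operator", "rwq:bgp", "bgp", "#"):
        try:
            parse_task_string(bad)
        except ValueError as err:
            print(f"rejected {bad!r}: {err}")
```

Running the script parses the three strings from this page and rejects the four malformed ones; the rejection for the string containing a blank space mirrors the "without any blank spaces" rule in Step 8 of the ACS procedure.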
After user1 successfully connects and logs in to the external TACACS+ server with username user1 and
appropriate password, the show user tasks command can be used in EXEC mode to display all the tasks
user1 can perform. For example:
Username:user1
Password:
RP/0/RP0/CPU0:router# show user tasks
Task: basic-services :READ WRITE EXECUTE DEBUG
Task: bgp :READ WRITE EXECUTE
Task: cdp :READ
Task: diag :READ