Configuring AAA Services on Cisco IOS XR Software
Information About Configuring AAA Services
SC-170
Cisco IOS XR System Security Configuration Guide
User, User Groups, and Task Groups
Cisco IOS XR software user attributes form the basis of the Cisco IOS XR software administrative
model. Each router user is associated with the following attributes:
• User ID (ASCII string) that identifies the user uniquely across an administrative domain
• Length limitation of 253 characters for passwords and one-way encrypted secrets
• List of user groups (at least one) of which the user is a member (thereby enabling attributes such as
task IDs) (see the “Task IDs” section)
User Categories
Router users are classified into the following categories:
• Root system user (complete administrative authority)
• Root SDR user (specific secure domain router administrative authority)
• Secure domain router user (specific secure domain router user access)
Root System Users
The root system user is the entity authorized to “own” the entire router chassis. The root system user
functions with the highest privileges over all router components and can monitor all secure domain
routers in the system. At least one root system user account must be created during router setup. Multiple
root system users can exist.
The root system user can perform any configuration or monitoring task, including the following:
• Configure secure domain routers.
• Create, delete, and modify root SDR users (after logging in to the secure domain router as the root
system user). (See the “Root SDR Users” section.)
• Create, delete, and modify secure domain router users and set user task permissions (after logging
in to the secure domain router as the root system user). (See the “Secure Domain Router Users”
section.)
• Access fabric racks or any router resource not allocated to a secure domain router, allowing the root
system user to authenticate to any router node regardless of the secure domain router configurations.
Root SDR Users
A root SDR user controls the configuration and monitoring of a particular SDR. The root SDR user can
create users and configure their privileges within the SDR. Multiple root SDR users can work
independently. A single SDR may have more than one root SDR user.
A root SDR user can perform the following administrative tasks for a particular SDR:
• Create, delete, and modify secure domain router users and their privileges for the SDR. (See the
“Secure Domain Router Users” section.)
• Create, delete, and modify user groups to allow access to the SDR.
• Manage nearly all aspects of the SDR.
A root SDR user cannot deny access to a root system user. (See the “Root System Users” section.)
To Next Page
Loading...
Need help?
General
