Configuring AAA Services on Cisco IOS XR Software
Information About Configuring AAA Services
SC-175
Cisco IOS XR System Security Configuration Guide
Rollover Mechanism
AAA can be configured to use a prioritized list of database options. If the system is unable to use a database, it automatically rolls over to the next database on the list. If the authentication, authorization, or accounting request is rejected by any database, the rollover does not occur and the request is rejected.
The following methods are available:
Local: Use the locally configured database (not applicable for accounting and certain types of authorization)
TACACS+: Use a TACACS+ server (such as CiscoSecure ACS)
RADIUS: Use a RADIUS server
Line: Use a line password and user group (applicable only for authentication)
None: Allow the request (not applicable for authentication)
Server Grouping
Instead of maintaining a single global list of servers, the user can form server groups for different AAA protocols (such as RADIUS, TACACS+, and so on) and associate them with AAA applications (PPP, EXEC, and so on).
Authentication
Authentication is the most important security process by which a principal (a user or an application) obtains access to the system. The principal is identified by a username (or user ID) that is unique across an administrative domain. The applications serving the user (such as EXEC or Management Agent) procure the username and the credentials from the user. AAA performs the authentication based on the username and credentials passed to it by the applications. The role of an authenticated user is determined by the group (or groups) to which the user belongs. (A user can be a member of one or more user groups.)
Authentication of Root System User
The root-system user can log in to any node in any secure domain router in the system. A user is a root-system user if he or she belongs to the root-system group. The root-system user may be defined in the local or remote AAA database.
Authentication of Nonowner Secure Domain Router User
When logging in from a nonowner secure domain router, the root-system user must add the “@admin” suffix to the username. Using the “@admin” suffix sends the authentication request to the owner secure domain router for verification. The owner secure domain router uses the methods in the list-name remote for choosing the authentication method. The remote method list is configured using the aaa authentication login remote method1 method2... command. (See the “Configuring AAA Method Lists” section.)
Authentication of Owner Secure Domain Router User
An owner secure domain router user can log in only to the nodes belonging to the specific secure domain router associated with that owner secure domain router user. If the user is a member of a root-sdr group, the user is authenticated as an owner secure domain router user.
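The following Python model is an added example, not code from the Cisco guide or from IOS XR. It ties together the Rollover Mechanism, the method-list and server-group concepts, and the “@admin” suffix described above: it parses an aaa authentication login line of the form shown in this section, walks the methods in priority order, rolls over only when a database is unreachable, and stops on the first accept or reject. The server-group name tac-grp, the netops account and its passwords are constructed sample data; the decision to reject a request when every database on the list is unreachable is an assumption of this model (a fail-closed default), not a statement from the guide.

```python
"""AAA method-list rollover model (added example; not Cisco code).

Rule from the guide: AAA tries databases in list order and rolls over only
when a database cannot be used; a reject from any database ends the request.
All names, accounts and passwords below are constructed.
"""
from typing import Callable, Dict, List, Tuple

ACCEPT, REJECT, UNREACHABLE = "accept", "reject", "unreachable"
Handler = Callable[[str, str], str]  # (username, password) -> outcome


def parse_method_list(config_line: str) -> Tuple[str, List[str]]:
    """Parse 'aaa authentication login <list-name> method1 method2 ...';
    'group <name>' is kept as one token so a server group is one method."""
    tokens = config_line.split()
    if tokens[:3] != ["aaa", "authentication", "login"] or len(tokens) < 5:
        raise ValueError("not an 'aaa authentication login' line")
    list_name, rest = tokens[3], tokens[4:]
    methods: List[str] = []
    i = 0
    while i < len(rest):
        if rest[i] == "group" and i + 1 < len(rest):
            methods.append(f"group {rest[i + 1]}")
            i += 2
        else:
            methods.append(rest[i])
            i += 1
    return list_name, methods


def authenticate(methods: List[str], handlers: Dict[str, Handler],
                 username: str, password: str) -> Tuple[str, List[str]]:
    """Apply the rollover rule; return (final outcome, per-method trail).
    The trail is what to log: it shows whether a fallback decided the request.
    A method with no handler counts as unreachable; an exhausted list is
    rejected (fail-closed assumption of this model, not from the guide)."""
    trail: List[str] = []
    for method in methods:
        handler = handlers.get(method)
        outcome = handler(username, password) if handler else UNREACHABLE
        trail.append(f"{method}:{outcome}")
        if outcome == UNREACHABLE:
            continue           # database unusable: roll over to the next one
        return outcome, trail  # accept or reject: the lookup stops here
    return REJECT, trail


def local_db(users: Dict[str, str]) -> Handler:
    """Local database: always reachable; unknown user or bad password rejects."""
    return lambda u, p: ACCEPT if users.get(u) == p else REJECT


def tacacs_group(reachable: bool, users: Dict[str, str]) -> Handler:
    """Stand-in for a TACACS+ server group; reachable=False models a timeout,
    the only condition that triggers rollover."""
    def handler(u: str, p: str) -> str:
        if not reachable:
            return UNREACHABLE
        return ACCEPT if users.get(u) == p else REJECT
    return handler


def split_admin_suffix(username: str) -> Tuple[str, bool]:
    """Strip the '@admin' suffix a root-system user adds from a nonowner SDR;
    the flag tells the caller to use the 'remote' method list."""
    suffix = "@admin"
    if username.endswith(suffix):
        return username[:-len(suffix)], True
    return username, False


CONFIG_LINE = "aaa authentication login remote group tac-grp local"  # constructed


def run_scenarios() -> Dict[str, Tuple[str, List[str]]]:
    """Constructed scenarios showing when rollover does and does not occur."""
    _, methods = parse_method_list(CONFIG_LINE)
    local_users = {"netops": "local-pw"}  # constructed accounts
    tac_users = {"netops": "tacacs-pw"}
    handlers = {"group tac-grp": tacacs_group(False, tac_users),
                "local": local_db(local_users)}
    results: Dict[str, Tuple[str, List[str]]] = {}
    # 1. TACACS+ times out: roll over to local, which accepts.
    results["tacacs_down"] = authenticate(methods, handlers, "netops", "local-pw")
    # 2. TACACS+ reachable and rejects the local password: no rollover,
    #    even though the local database would have accepted it.
    handlers["group tac-grp"] = tacacs_group(True, tac_users)
    results["tacacs_reject"] = authenticate(methods, handlers, "netops", "local-pw")
    # 3. TACACS+ reachable and accepts its own credential.
    results["tacacs_accept"] = authenticate(methods, handlers, "netops", "tacacs-pw")
    # 4. No usable database at all: rejected, never silently allowed.
    handlers = {"group tac-grp": tacacs_group(False, tac_users)}
    results["all_down"] = authenticate(methods, handlers, "netops", "local-pw")
    return results


if __name__ == "__main__":
    for name, (outcome, trail) in run_scenarios().items():
        print(f"{name:13s} -> {outcome:7s} via {' > '.join(trail)}")
```

Scenario 2 is the point worth internalising: a reject from the first reachable database is final, so placing local after a TACACS+ group does not give users a second password to try. Scenario 1 is the case to watch operationally: a TACACS+ group that times out shifts decisions to the local database, so the per-method trail (or the equivalent fields in the router's AAA logs) is what tells you an account was admitted by a fallback rather than by the server of record.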