
Cisco IOS XR

Configuring AAA Services on Cisco IOS XR Software
Information About Configuring AAA Services
Cisco IOS XR System Security Configuration Guide
Users may need to be associated with additional task IDs to use a command if the command is used in a
specific configuration submode. For example, to execute the show redundancy command, a user needs
to be associated with the system (read) task ID and operations, as shown in the following example:
RP/0/RP0/CPU0:router# show redundancy
In administration EXEC mode, however, a user needs to be associated with both admin and system (read)
task IDs and operations, as shown in the following example:
RP/0/RP0/CPU0:router# admin
RP/0/RP0/CPU0:router(admin)# show redundancy
Task IDs for TACACS+ and RADIUS Authenticated Users
Cisco IOS XR AAA provides the following means of assigning task permissions for users authenticated
with the TACACS+ and RADIUS methods:
- Specify the text version of the task map directly in the configuration file of the external TACACS+
  and RADIUS servers.
  See the "Task Maps" section for more details.
- Specify the privilege level in the configuration file of the external TACACS+ and RADIUS servers.
  See the "Privilege Level Mapping" section for more details.
- Create a local user with the same username as the user authenticating with the TACACS+ and
  RADIUS methods.
- Specify, by configuration, a default task group whose permissions are applied to any user
  authenticating with the TACACS+ and RADIUS methods.
Task Maps
For users who are authenticated using an external TACACS+ server and RADIUS server, Cisco IOS XR
AAA supports a method to define task IDs remotely.
Format of the Task String
The task string in the configuration file of the TACACS+ server consists of tokens delimited by a comma
(,). Each token contains either a task ID name and its permissions or the user group to include for this
particular user, as shown in the following example:
task = "<permissions>:<taskid name>, #<usergroup name>, ..."
Note: Cisco IOS XR allows you to specify task IDs as an attribute in the external RADIUS or TACACS+
server. If the server is also shared by non-Cisco IOS XR systems, these attributes are marked as optional
as indicated by the server documentation. For example, CiscoSecure ACS and the freeware TACACS+
server from Cisco require an asterisk (*) instead of an equal sign (=) before the attribute value for
optional attributes. If you want to configure attributes as optional, refer to the TACACS+ server
documentation.
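
The following parser for the task string format described above is an added example, not code from the Cisco guide. It can be used to check a string and list which task IDs grant more than read before the string goes into the server configuration. The permission letters r, w, x and d, the allowed name characters, and the sample strings are assumptions made for this example.

```python
import re

# Assumption (not on this page): permission letters are r, w, x, d for the
# read, write, execute and debug operations of a task ID.
PERMS = set("rwxd")
# Assumption: names consist of letters, digits, hyphens and underscores.
NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]*")

def parse_task_string(task):
    """Split a task string into task IDs, user groups and rejected tokens."""
    tasks, groups, errors = {}, [], []
    for raw in task.split(","):
        token = raw.strip()
        if token.startswith("#"):            # "#<usergroup name>"
            group = token[1:].strip()
            if not NAME.fullmatch(group):
                errors.append(f"bad user group token: {token!r}")
            elif group not in groups:
                groups.append(group)
            continue
        # "<permissions>:<taskid name>"
        perms, sep, name = (p.strip() for p in token.partition(":"))
        if not sep or not perms or set(perms) - PERMS or not NAME.fullmatch(name):
            errors.append(f"bad task token: {token!r}")
            continue
        tasks.setdefault(name, set()).update(perms)   # merge repeated task IDs
    return tasks, groups, errors

def grants_beyond_read(tasks):
    """Task IDs whose permissions include anything other than read."""
    return sorted(name for name, perms in tasks.items() if perms - {"r"})

if __name__ == "__main__":
    # Constructed sample strings, not taken from the guide.
    for sample in ("rwx:bgp, r:system, #operator", "rq:ospf, bgp, #, r:system"):
        tasks, groups, errors = parse_task_string(sample)
        print(sample, "->", tasks, groups, errors, grants_beyond_read(tasks))
```

User groups named with # are returned unexpanded, so the permissions they carry still have to be reviewed on the router where the group is defined.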
