
Cisco IOS XR User Manual

Cisco IOS XR
254 pages
Configuring AAA Services on Cisco IOS XR Software
Information About Configuring AAA Services
SC-179
Cisco IOS XR System Security Configuration Guide
Users may need to be associated with additional task IDs to use a command if the command is used in a
specific configuration submode. For example, to execute the show redundancy command, a user needs
to be associated with the system (read) task ID and operations, as shown in the following example:
RP/0/RP0/CPU0:router# show redundancy
In administration EXEC mode, however, a user needs to be associated with both the admin and system
(read) task IDs and operations, as shown in the following example:
RP/0/RP0/CPU0:router# admin
RP/0/RP0/CPU0:router(admin)# show redundancy
Task IDs for TACACS+ and RADIUS Authenticated Users
Cisco IOS XR AAA provides the following means of assigning task permissions for users authenticated
with the TACACS+ and RADIUS methods:
• Specify the text version of the task map directly in the configuration file of the external TACACS+
  and RADIUS servers.
  See the “Task Maps” section for more details.
• Specify the privilege level in the configuration file of the external TACACS+ and RADIUS servers.
  See the “Privilege Level Mapping” section for more details.
• Create a local user with the same username as the user authenticating with the TACACS+ and
  RADIUS methods.
• Specify, by configuration, a default task group whose permissions are applied to any user
  authenticating with the TACACS+ and RADIUS methods.
Task Maps
For users who are authenticated using an external TACACS+ server and RADIUS server, Cisco IOS XR
AAA supports a method to define task IDs remotely.
Format of the Task String
The task string in the configuration file of the TACACS+ server consists of tokens delimited by a comma
(,). Each token contains either a task ID name and its permissions or the user group to include for this
particular user, as shown in the following example:
task = "<permissions>:<taskid name>, #<usergroup name>, ..."
Note: Cisco IOS XR allows you to specify task IDs as an attribute in the external RADIUS or TACACS+
server. If the server is also shared by non-Cisco IOS XR systems, these attributes are marked as optional,
as indicated by the server documentation. For example, CiscoSecure ACS and the freeware TACACS+
server from Cisco require an asterisk (*) instead of an equal sign (=) before the attribute value for
optional attributes. If you want to configure attributes as optional, refer to the TACACS+ server
documentation.
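The task string format and the optional-attribute note above can be checked before a server configuration is deployed. The following parser is an added example, not part of the Cisco guide; it assumes permissions are written with the letters r, w, x and d (read, write, execute, debug), and its function names and sample attribute line are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Assumption (not on this page): permissions use the letters r, w, x, d for
# IOS XR's read, write, execute and debug operations.
PERMISSION_LETTERS = set("rwxd")
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")
# Accepts the mandatory form (task = "...") and the optional form (task*"...").
ATTR_RE = re.compile(r'^\s*task\s*(?P<sep>[=*])\s*"(?P<value>[^"]*)"\s*$')

@dataclass
class TaskMap:
    optional: bool                               # True when '*' was used instead of '='
    tasks: dict = field(default_factory=dict)    # task ID name -> set of permission letters
    groups: list = field(default_factory=list)   # user groups pulled in with '#'
    errors: list = field(default_factory=list)   # tokens that failed validation

def parse_task_attribute(line: str) -> TaskMap:
    """Parse one task attribute line into task permissions and user groups."""
    m = ATTR_RE.match(line)
    if not m:
        raise ValueError(f"not a task attribute: {line!r}")
    result = TaskMap(optional=(m["sep"] == "*"))
    for raw in m["value"].split(","):            # tokens are comma-delimited
        token = raw.strip()
        if token.startswith("#"):                # '#<usergroup name>' token
            name = token[1:].strip()
            (result.groups if NAME_RE.match(name) else result.errors).append(
                name if NAME_RE.match(name) else token)
            continue
        perms, sep, name = token.partition(":")  # '<permissions>:<taskid name>' token
        perms, name = perms.strip(), name.strip()
        if not sep or not perms or not set(perms) <= PERMISSION_LETTERS \
                or not NAME_RE.match(name):
            result.errors.append(token)
            continue
        result.tasks.setdefault(name, set()).update(perms)
    return result

def grants_beyond_read(task_map: TaskMap) -> list:
    """Task IDs carrying more than read permission, for least-privilege review."""
    return sorted(n for n, p in task_map.tasks.items() if p - {"r"})

if __name__ == "__main__":
    # Constructed sample line, not taken from the manual.
    tm = parse_task_attribute('task = "rwx:bgp, r:system, #netadmin, rq:ospf"')
    print(tm.tasks, tm.groups, tm.errors, grants_beyond_read(tm))
```

Tokens listed in `errors` are worth reviewing before deployment, since a mistyped permission or task name may leave a user without the access the map was meant to grant.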


Cisco IOS XR Specifications

General
Operating System: Cisco IOS XR
Architecture: Microkernel
High Availability: Yes
Type: Network operating system
Developed by: Cisco Systems
License: Proprietary
Programming Language: C, C++
Kernel: QNX
Supported Platforms: Cisco ASR9000, NCS series
Security Features: Role-Based Access Control (RBAC), Secure Boot, Encryption
Management Interface: CLI, SNMP, NETCONF, RESTCONF
Release Date: 2004
Target Devices: High-end core routers, service provider edge routers, data center interconnect (DCI) routers
Supported Hardware: Cisco routers and switches
Networking Protocols: BGP, OSPF, IS-IS, MPLS
Virtualization Support: Virtualization-ready, supports network function virtualization (NFV) and containerization technologies.
