Cisco IOS XR User Manual

Configuring AAA Services on Cisco IOS XR Software
Information About Configuring AAA Services
SC-180
Cisco IOS XR System Security Configuration Guide
For example, to give a user named user1 BGP read, write, and execute permissions and include user1 in
a user group named operator, the username entry in the external server’s TACACS+ configuration file
would look similar to the following:
user = user1{
    member = some-tac-server-group
    opap = cleartext "lab"
    service = exec {
        task = "rwx:bgp,#operator"
    }
}
The r, w, x, and d correspond to read, write, execute, and debug, respectively, and the pound sign (#)
indicates that a user group follows.
Note: The optional keyword must be added in front of “task” to enable interoperability with systems based on
Cisco IOS software.
If CiscoSecure ACS is used, perform the following procedure to specify the task ID and user groups:
Step 1 Enter your username and password.
Step 2 Click the Group Setup button to display the Group Setup window.
Step 3 Select the group that you want to update from the Group drop-down list.
Step 4 Click the Edit Settings button to display the Group Settings window.
Step 5 Use the scroll arrow to locate the Shell (exec) check box.
Step 6 Check the Shell (exec) check box to enable the custom attributes configuration.
Step 7 Check the Custom attributes check box.
Step 8 Enter the following task string without any blank spaces or quotation marks in the field:
task=rwx:bgp,#netadmin
Step 9 Click the Submit + Restart button to restart the server.
The following RADIUS Vendor-Specific Attribute (VSA) example shows that the user is part of the
sysadmin predefined task group, can configure BGP, and can view the configuration for OSPF:
user Auth-Type := Local, User-Password == lab
    Service-Type = NAS-Prompt-User,
    Reply-Message = "Hello, %u",
    Login-Service = Telnet,
    Cisco-AVPair = "shell:tasks=#sysadmin,rwx:bgp,r:ospf"
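When reviewing task strings on the AAA server before they are deployed, it helps to expand them into explicit permissions and group memberships. The following Python sketch is an added example, not part of the Cisco guide: it parses only the syntax shown on this page, and the function names and the allow-list policy in review() are hypothetical.

```python
import re

# Permission letters as described on this page.
PERMS = {"r": "READ", "w": "WRITE", "x": "EXECUTE", "d": "DEBUG"}
# Prefixes seen on this page: RADIUS AV pair, TACACS+ 'task', 'optional task'.
PREFIX = re.compile(r"^(?:shell:tasks|(?:optional\s+)?task)\s*=\s*")

def parse_task_string(value):
    """Parse a task string such as 'rwx:bgp,#operator'.

    Returns (tasks, groups): tasks maps task ID -> set of permission names,
    groups lists the user groups (entries prefixed with '#').
    Raises ValueError on malformed input.
    """
    value = PREFIX.sub("", value.strip().strip('"')).strip('"')
    if re.search(r"\s", value):
        raise ValueError("task string must not contain blank spaces")
    tasks, groups = {}, []
    for entry in value.split(","):
        if entry.startswith("#"):
            if len(entry) == 1:
                raise ValueError("empty group name after '#'")
            groups.append(entry[1:])
            continue
        letters, sep, task_id = entry.partition(":")
        if not sep or not letters or not task_id:
            raise ValueError(f"malformed entry: {entry!r}")
        if set(letters) - set(PERMS):
            raise ValueError(f"unknown permission letter in {entry!r}")
        tasks.setdefault(task_id, set()).update(PERMS[c] for c in letters)
    return tasks, groups

def review(value, allowed_groups):
    """Return least-privilege findings (hypothetical policy for illustration)."""
    tasks, groups = parse_task_string(value)
    findings = [f"group not on allow-list: {g}"
                for g in groups if g not in allowed_groups]
    findings += [f"debug granted on task: {t}"
                 for t, perms in sorted(tasks.items()) if "DEBUG" in perms]
    return findings

if __name__ == "__main__":
    # Constructed inputs taken from the examples on this page.
    for s in ('task = "rwx:bgp,#operator"', "shell:tasks=#sysadmin,rwx:bgp,r:ospf"):
        print(s, "->", parse_task_string(s), review(s, {"operator"}))
```
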
After user1 successfully connects and logs in to the external TACACS+ server with username user1 and
appropriate password, the show user tasks command can be used in EXEC mode to display all the tasks
user1 can perform. For example:
Username:user1
Password:
RP/0/RP0/CPU0:router# show user tasks
Task: basic-services :READ WRITE EXECUTE DEBUG
Task: bgp :READ WRITE EXECUTE
Task: cdp :READ
Task: diag :READ
