Cisco Support Community
ASR9000/XR Using Task groups and understanding Priv levels and authorization

Introduction

IOS-XR has a very strong embedded mechanism for user authentication and authorization. While XR does not have the concept of privilege levels as IOS had, its embedded task-group management is extremely flexible, allowing for the creation of different task groups.

Tasks

Tasks are the building blocks of the on-box authorization scheme. There are 4 types of permissions per task:

  • Read
  • Write
  • Execute
  • Debug

Tasks

The task IDs available in IOS-XR (alphabetical):

  • aaa, acl, admin, atm, basic-services, bcdl, bfd, bgp, boot, bundle, cdp, cef, cisco-support, config-mgmt
  • config-services, crypto, diag, disallowed, drivers, eigrp, ext-access, fabric, fault-mgr, filesystem, firewall, fr, hdlc, host-services
  • hsrp, interface, inventory, ip-services, ipv4, ipv6, isis, logging, lpts, monitor, mpls-ldp, mpls-static, mpls-te, multicast
  • netflow, network, ospf, ouni, pkg-mgmt, pos-dpt, ppp, qos, rib, rip, root-lr, root-system, route-map, route-policy
  • sbc, snmp, sonet-sdh, static, sysmgr, system, transport, tty-access, tunnel, universal, vlan, vrrp

Default task-groups

The following task-groups are predefined in IOS-XR:

root-system: Root system users

root-lr: Root logical router users

netadmin: Network administrators

sysadmin: System administrators

operator: Operators performing day-to-day activities

cisco-support: highest level of privilege, allowing the lowest-level (internal) system access

What task group is needed for what command?

If you are unsure as to what task group and permission level you need in order to allow a certain command, use the "describe" keyword.

Example:

RP/0/RSP0/CPU0:A9K-TOP#describe show bgp summary

.....
User needs ALL of the following taskids:

       bgp (READ)

So in order to allow a user to run the command "show bgp summary", we need the following line in the task group definition:

task read bgp

It can also be the case that a command requires membership of a particular (predefined) task group. A process restart, for example, can only be done by a member of cisco-support:

RP/0/RSP0/CPU0:A9K-TOP# describe process restart bgp

.........

User needs ALL of the following taskids:

        cisco-support (EXECUTE)

Tasks and user group example

In the regular IOS-XR configuration, define your task group with the permissions and tasks you want:

RP/0/RSP0/CPU0:A9K-TOP(config)#taskgroup basic-admin
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task read acl
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task read bfd
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task read bgp
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task write acl
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task write bfd
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task write bgp
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task debug bgp

You can also define a user group that imports several task groups:

usergroup noc-staff
taskgroup operator
taskgroup basic-admin
inherit usergroup all-users

Privilege levels

As mentioned, XR doesn't have privilege levels, but in order to leverage the existing AAA profiles from TACACS used for IOS-based routers, we can create user groups that are named after the privilege levels:

usergroup priv15

taskgroup root-system

taskgroup cisco-support

Now with TACACS we can send the privilege level via the options in service=exec:


service = exec { priv-lvl = 15 }

or via a RADIUS AVP like:

cisco-avpair = "shell:priv-lvl=15"

NOTE: the syntax of "cisco-avpair" and the capitalization is dependent on the dictionary definition for the cisco avp.

Using AAA

First, point login authentication and exec authorization at the external server, with local as the fallback method:

aaa authorization exec default group tacacs+ local
aaa authentication login default group tacacs+ local

When you add the following to your TACACS+ profile:

TACACS:

service = exec {
task = "rwx:bgp,#operator"
}

the user inherits read, write and execute permissions on BGP and is also made a member of the local "operator" group definition. That group can be one of the standard Cisco embedded groups or one you have defined locally.

The equivalent RADIUS attribute:

RADIUS:

Cisco-AVPair = "shell:tasks=#sysadmin,rwx:bgp,r:ospf"

allows read/write/execute on BGP, read on OSPF, and membership of the sysadmin group.

So with AAA you can either reference locally defined task groups, define the task permissions directly in the TACACS/RADIUS response packet, or use a combination of both.
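The pieces above (task group definitions with inherit, the TACACS+/RADIUS task attribute, the privN naming trick and the "describe" requirement list) fit together in the following model. This is an added example, not Cisco code or anything from the original article: it assumes the attribute grammar shown on this page and uses the "operator" permissions listed in a later comment's "show user tasks" output.

```python
"""IOS-XR task-based authorization model (added example, not Cisco code).
Parses the TACACS+/RADIUS task attribute ("rwx:bgp,#operator"), resolves
#group names against local taskgroups/usergroups (with 'inherit taskgroup'),
maps priv-lvl N to a local "privN" group, and checks 'describe' requirements."""
import re

PERM_FLAGS = {"r": "READ", "w": "WRITE", "x": "EXECUTE", "d": "DEBUG"}
_ENTRY_RE = re.compile(r"^(?:([rwxd]+):([a-z0-9-]+)|#([A-Za-z0-9_-]+))$")
_DESCRIBE_RE = re.compile(r"^\s*([a-z0-9-]+) \((READ|WRITE|EXECUTE|DEBUG)\)\s*$", re.M)


class TaskDb:
    """Taskgroups and usergroups as they appear in the XR running config."""

    def __init__(self):
        self.tg_perms, self.tg_inherit, self.ug_taskgroups = {}, {}, {}

    def taskgroup(self, name, *lines, inherit=()):
        """lines are 'task <perm> <task>' entries, e.g. 'task read bgp'."""
        perms = self.tg_perms.setdefault(name, set())
        for line in lines:
            _, perm, task = line.split()
            perms.add((task, perm.upper()))
        self.tg_inherit.setdefault(name, set()).update(inherit)

    def usergroup(self, name, *taskgroups):
        self.ug_taskgroups.setdefault(name, set()).update(taskgroups)

    def taskgroup_perms(self, name, _seen=frozenset()):
        """Flatten a taskgroup, following 'inherit taskgroup' without looping."""
        if name not in self.tg_perms:
            raise KeyError(f"taskgroup {name!r} is not defined")
        if name in _seen:                       # inheritance cycle guard
            return set()
        perms = set(self.tg_perms[name])
        for parent in self.tg_inherit[name]:
            perms |= self.taskgroup_perms(parent, _seen | {name})
        return perms

    def usergroup_perms(self, name):
        """A usergroup is the union of its taskgroups."""
        if name not in self.ug_taskgroups:
            raise KeyError(f"usergroup {name!r} is not defined")
        return set().union(*(self.taskgroup_perms(tg) for tg in self.ug_taskgroups[name]))


def parse_task_attribute(attr):
    """Split "rwx:bgp,#operator" into entries. Malformed items are reported as
    errors rather than dropped: a typo here silently changes who can do what."""
    if attr.startswith("shell:tasks="):         # RADIUS cisco-avpair form
        attr = attr[len("shell:tasks="):]
    entries, errors = [], []
    for item in (p.strip() for p in attr.split(",") if p.strip()):
        m = _ENTRY_RE.match(item)
        if not m:
            errors.append(item)
        elif m.group(3):
            entries.append(("group", m.group(3), None))
        else:
            entries.append(("task", m.group(2), {PERM_FLAGS[f] for f in m.group(1)}))
    return entries, errors


def effective_perms(db, attr="", priv_lvl=None):
    """Permissions a session gets from an AAA reply. '#name' is resolved as a
    usergroup first, then a taskgroup; an undefined name raises KeyError."""
    entries, errors = parse_task_attribute(attr)
    if errors:
        raise ValueError(f"malformed task entries: {errors}")
    perms = {(name, p) for kind, name, pset in entries if kind == "task" for p in pset}
    groups = [name for kind, name, _ in entries if kind == "group"]
    if priv_lvl is not None:                    # usergroup priv15 / taskgroup priv5 trick
        groups.append(f"priv{priv_lvl}")
    for g in groups:
        perms |= db.usergroup_perms(g) if g in db.ug_taskgroups else db.taskgroup_perms(g)
    return perms


def missing_for(perms, describe_output):
    """Taskids that 'describe <command>' lists but perms do not cover;
    an empty set means the command would be authorized."""
    return {(m.group(1), m.group(2)) for m in _DESCRIBE_RE.finditer(describe_output)} - perms


def build_sample_db():
    """Local config from the page; 'operator' carries the permissions the
    page's 'show user tasks' output lists for that predefined group."""
    db = TaskDb()
    db.taskgroup("operator", "task read basic-services", "task write basic-services",
                 "task execute basic-services", "task debug basic-services",
                 "task read cdp", "task read diag", "task read ext-access",
                 "task execute ext-access", "task read logging")
    db.taskgroup("basic-admin", "task read acl", "task read bfd", "task read bgp",
                 "task write acl", "task write bfd", "task write bgp", "task debug bgp")
    db.usergroup("noc-staff", "operator", "basic-admin")
    db.taskgroup("test", "task read interface")
    db.taskgroup("priv5", inherit=("operator", "test"))   # what priv-lvl=5 maps to
    return db


# 'describe' output excerpts as shown on the page (constructed transcripts)
DESCRIBE_SHOW_BGP_SUMMARY = "User needs ALL of the following taskids:\n\n       bgp (READ)\n"
DESCRIBE_PROCESS_RESTART = ("User needs ALL of the following taskids:\n\n"
                            "        cisco-support (EXECUTE)\n")
```

Feeding a profile's task string and the output of "describe" for the commands a role must run gives a quick offline check of whether an AAA profile grants exactly what is intended.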

Group Membership

To find out which groups you are currently member of while being logged in:

RP/0/RSP0/CPU0:A9K-TOP#show user tasks
Wed Mar 30 18:26:00.768 UTC
Task:                  aaa  : READ    WRITE    EXECUTE    DEBUG
Task:                  acl  : READ    WRITE    EXECUTE    DEBUG
Task:                admin  : READ    WRITE    EXECUTE    DEBUG

Command Authorization

In IOS we can do command authorization per privilege level. XR has no privilege levels, so command authorization is either enabled for ALL commands or for none at all:

RP/0/RSP0/CPU0:A9K-TOP(config)#aaa authorization commands default group ?
  WORD     server-group name
  tacacs+  Use list of all TACACS+ hosts

Note: in order to do command authorization you must use TACACS+; you cannot use RADIUS.


Related Information

n/a

Xander Thuijs - CCIE #6775

Sr Tech Lead ASR9000

Comments

Great Info!

Does one have to use an external authentication source (tacacs) to do this?

I am trying to setup a local user with read-only rights to access the running-config.

/Andreas

Cisco Employee

Hi Andreas, thanks!

You can go either way about it:

You can define your task groups (that is task + permissions) in XR config and reference that group either in the

local configuration for the username, or when you use tacacs authentication, you can point with your tacacs reply attributes that this user should inherit the permissions from this locally defined task group.

Or instead of defining the task groups locally, you can also construct them in tacacs as per examples above.

A local ONLY configuration without any tacacs would come down to :

*define the task group with permissions*

RP/0/RSP0/CPU0:A9K-TOP(config)#taskgroup TEST

RP/0/RSP0/CPU0:A9K-TOP(config-tg)#task read <define all tasks that you want to see the running config of>

*define the usergroup, which is a set of task groups*

RP/0/RSP0/CPU0:A9K-TOP(config)#usergroup UGR taskgroup TEST

*define the local user that takes the user group*

RP/0/RSP0/CPU0:A9K-TOP(config-ug)#username andreas

RP/0/RSP0/CPU0:A9K-TOP(config-un)#group UGR

RP/0/RSP0/CPU0:A9K-TOP(config-un)#password test

cheers

xander

New Member

Hi Xander,

As you know, in ASR there are different SDRs. We can partition the XR OS into different SDRs. I would like to know how it will be? Along with that there is a predefined user group called "root-lr". If we create a new user and add it to "root-lr", how does the router detect which SDR the user belongs to? And how does the router differentiate a user from one SDR from another? I am expecting your valid response.

Cisco Employee

Whatever you put in the admin config is shared between all SDR's. Whatever is in the exec config is local to that particular router. If you use TACACS, then the SDR's present themselves as different devices hence different policies can apply.

If you do local authentication then the user database in admin config is shared between the SDR's.

Note by the way that ASR9000 does not support SDR's and this above is specific to CRS.

thanks

xander

New Member

Hi Xander,

Please clarify my doubt. In the configuration guide of ASR, they have described that ASR supports SDRs. I have taken the below lines from the config guide for your reference.

"The router operates in two planes: the administration (admin) plane and secure domain router (SDR) plane.

Each SDR has its own AAA configuration including, local users, groups, and TACACS+ and RADIUS

configurations. Users created in one SDR cannot access other SDRs unless those same users are configured

in the other SDRs." 

If ASR doesn't support SDRs, what are they specifying? Because of that I got the doubt how they will create a user for a particular SDR?

Cisco Employee

SDR is secure domain router. In CRS you can divide a single physical chassis into separate routing entities that share the fabric, but have individual control planes.

ADMIN config applies to all SDR's within that single system.

In ASR9K, yeah sure you have an SDR, but it spans the entire chassis and you can't create multiple SDR's within the ASR9K, that is a CRS specific functionality.

So for ASR9K, your local users are defined in the admin config. Your task groups are defined in the exec config.

In the exec config are also the directives as to how to authenticate (local, radius, tacacs).

In TACACS you can define your permissions on a per user basis also.

TACACS is required for individual command authorization in case you do not want to use task based permissions.

RADIUS can be used for user authentication and task group assignment.

xander

New Member

Hi Xander,

Yeah I got what you are saying. But this sentence is quite confusing ("Users created in one SDR cannot access other SDRs unless those same users are configured in the other SDRs."). If we can't create multiple SDRs within ASR 9k, why are they mentioning so?

I know we can use "aaa accounting commands default start-stop group tacacs+" for accounting of each command executed by the user. Instead of tacacs+, can't we apply radius for the same purpose?



Cisco Employee

Some documentation was "copied" from the CRS which in this case might have mislead you.

You should read this as is, but with the notion that 9k only has 1 SDR max, that's it, so in that regard the statement doesn't really apply to the 9k.

radius can't do command authorization because radius by nature doesn't have a separate author phase like tacacs employs.

So radius can be used for authentication (and assign the taskgroup/permissions to the user in the access-accept) and do session accounting. TACACS can do that also, but with the added capability of doing command author and accounting.

New Member

Hi Xander,

                 Ohh that's great information from you. Along with that they have specified the predefined usergroup in the router.

• root-lr: Has the ability to control and monitor the specific secure domain router.

• root-system: Has the ability to control and monitor the entire system.

           If there is only a single SDR, what is the difference between these two groups. Isn't "root-lr" available in ASR9k?


Cisco Employee

note that these "pre defined task groups" are, say, sort of the intent of use.

it depends on the specific command on what minimum permissions are required.

you can use the command "describe <the command of interest>" to see what task group the system would minimally require for this.

But to your point, theoretically if only one SDR these 2 groups are rather overlapping.

xander

New Member

Hi Xander,

Thanks for your quick response. I agree with your information. But in the configuration of the SNMP community string also they are providing SDR owner and system owner.

Will both options provide the same result?

Cisco Employee

documented quite nicely:

SDROwner (Optional) Limits access to the owner service domain router (SDR).

SystemOwner (Optional) Provides system-wide access including access to all non-owner SDRs.

SDRowner will give your commstr access to all snmp OID's that are specific to this SDR only

the Sysowner gives you access to OID's outside the scope of the SDR for instance power management and entity mib like variables such as temperatures.

I have that btw documented on a technote that you can find on the support forums (snmp access for voltage and temp management). You should be able to find it as a document under my profile.

xander

Hi Alex.

Useful doc indeed.

I could not figure out though where exactly to add the following lines in the TACACS+ server:

service = exec {
task = "rwx:bgp,#operator"
}

I expect those are added under the group (or user) config in the TACACS+ field. I can find only the field "Custom Attributes" can accept multi lines. When I add the lines though it complains that they do not seem to be correct.
Am I doing something wrong?

Cisco Employee

Thanks Amjad! Hmm as for the location of that section, this snippet is from the freeware tacacs server with the flat text config file.

If you have an ACS server or something then this should be put into the "exec" portion of the user or group profile.

Maybe this reference gives some of the procedures you need:

https://supportforums.cisco.com/thread/2098482

regards

xander

New Member

Ok that's great but how do I find out which command maps to which task? Is there a reference or a command I can check?

I am trying to find out what enables the command "show running-config".

Regards

Mike

Cisco Employee

To find out which command belongs to what task permissions you can use the "describe" keyword (see example above).

If you want to know what say the standard task-group root-system provides, you can create an account with that permission level and do a "show user tasks", it will spit out all the permissions currently assigned to this user.

As for the show run, that is a tricky one. Basically show run will only display those config sections for which you have the right permission level. For instance if "bfd" is not part of your task group permissions, and you do a show run, then you will see the running, but none of the bfd commands that fall under that permission level will be printed.

regards

xander

New Member

Hi Xander,

How can I map existing IOS privilege levels (e.g. level 2) to IOS-XR task groups? This is an issue when migrating an IOS platform to IOS-XR...

Regards,

Florian

New Member

Hi Xander,

I found out how to configure privX user groups to map the privilege levels to IOS-XR task groups. Nevertheless, I was not able to find a task list matrix that corresponds to IOS privilege levels.

Regards,

Florian

Cisco Employee

yeah the document above has an example how to create task groups that convert into priv levels from a naming convention that allows you to use the same priv level attributes from your IOS devices in your tacacs profiles.

In IOS priv 0 and 15 are the key ones and basically the levels 1-14 can be used to move the commands from their existing priv level to a new one.

With that, priv0 is merely an operator/monitor level and 15 is full access, which is the equivalent of a task group priv0 which only has read access to every command (so shows). Priv15 is the equivalent to cisco-support/root-system.

And mind you that cisco-support in 43 is merged now (see asr9k blog for more detail on that merge).

regards

xander

New Member

Thank you for the details on this, so I assume I need to map every IOS command to its IOS-XR task counter part manually as there is no matrix somewhere laying around at Cisco?

Cisco Employee

The built in usergroup "operator" may already give you a good start of priv level 0.

The priv 15 equivalent is the cisco-support/root-system.

xander

New Member

hi, is there a simple way to grant read access to everything, so instead of

service = exec {
task = "r:bgp,r:aaa,r:interface,r:ipv4 etc etc etc etc"
}

i would like to do

service = exec {
task = "r:*"
}

Cisco Employee

I see two options for you:

1) define a usergroup in XR that takes those permissions and send that task group down via tacacs so you don't have to split it out in the tacacs profile, just a copy-paste of the config in XR.

2) use the system defined group of operator which I think is read only.

xander

New Member

xander,

I tried the second option

taskgroup priv5

inherit taskgroup operator

and when I log in with a user who gets priv5 from the tacacs server I am not even able to do a show int brie.

I would like to keep the configuration as simple as possible and in a central place. It appears this is not possible so I think I'll go with updating the tacacs-server with all the required read permissions.

Cisco Employee

yup you can and we're close.

with operator I just see, you have the following permissions:

Task:       basic-services  : READ    WRITE    EXECUTE    DEBUG

Task:                  cdp  : READ

Task:                 diag  : READ

Task:           ext-access  : READ             EXECUTE

Task:              logging  : READ

so what you need to do is add the permissions for the task of something like this:

taskgroup test

task read interface

and then under the priv5, inherit in this case the "test" group for example.

keep adding all the read permissions you need under test, which is inherited by priv5 and you're all set.

regards

xander

New Member

Xander I understand the taskgroup concept however I would have liked to have a predefined task-group which has read access to everything. The concept is clear thanks again for your help.

Cisco Employee

ah ok sorry. I see your request.

ok for now, the only option we have is what we discussed. meantime I will also file a ddts to create a system defined taskgroup "readonly" or whatever that basically gets every task with readonly by default. that might simplify the config then compared to what we were discussing on the previous note.

regards

xander

New Member

Hi Xander,

Thank you for the document. I have a problem allowing the following command to be executed for a specific user: "show policy-map interface xxx". When I do "describe show policy-map interface xx" it tells me that qos (Read) is the only task ID I need, but adding that into the taskgroup doesn't change anything; I still can't type "show policy-map" when I log in with that user account. Is there something I am missing here? Our ASR 9K is running version 5.1.0.

thanks and regards,

Sarmed

Cisco Employee

Hi Sarmed, yeah that is a known problem...

This is fixed in 513 and 520, the ddts that described this problem is:

CSCuj44719    4.3.x "show policy-map" requires cisco-support (READ) taskid

xander

Cisco Employee


aaa authentication login mgmt local
aaa authorization commands 1 mgmt local
aaa authorization exec mgmt local
ip ssh port 2000 rotary 1
username mgmt view mgmt password 7 1511021F0725
parser view mgmt
secret 5 $1$GSuD$6sZiw9tIUMLSN2GckpN8eO
commands exec include all show

I am trying to convert this IOS-XE config into IOS XR but the rotary command is not supported in XR.
Is there any way to achieve the same goal?

one user will be locally authenticated and others will get authenticated by TACACS.

line vty 5
session-timeout 30
access-class TELNET in
password 7 0822455D0A16
authorization commands 1 mgmt
authorization exec mgmt
login authentication mgmt
rotary 1
transport input telnet ssh
transport output telnet ssh

Cisco Employee

yeah xr doesn't have that concept of rotary groups.

you could as alternative outsource auth to tacacs and local as second method.

if tacacs is unavailable, local will kick in and the local user can be used in that case.

xander

Cisco Employee

we are looking to make both TACACS and local work at the same time.

 

will it work if I change the authentication order to local first and then TACACS?

New Member

Xander, 

I was curious if you might recall if any action became of this request.

That is, enabling a taskgroup with readonly access to all by default.

thanks,

Cisco Employee

Hey Gary, yes we have that now too!!

CSCuj97480    need standard task group with only read permissions for all tasks

I noticed that it didn't have the usability attribute hence was not seen on any of the XR usability updates. But hopefully this response suffices :)

 

cheers!

xander

New Member

ok - the BugID mentions it's in 5.3.3 /6.0 which aren't out yet, correct?

 

Cisco Employee

Oh sorry I forgot to mention that yeah, it is in 533 onwards, and 533 is Jan of 2016.

the eigrp passive default is there also! :)

xander

New Member

ok.

re: eigrp default passive, excellent - thanks!

New Member

Hi Xander,

I have configured tacacs+ aaa on a ASR9010 IOS XR 5.1 and using an external aaa ACS 5.7. Could you show an example of the custom attributes you would configure on ACS 5.7 in.

Policy Elements Authorization and Permissions  >  Device Administration >  Shell Profiles

When I try to login using a username from the external server, I get asked to enter the username again. Local usernames work, however I get the response:

Command authorization failed - 'AAA API' detected the 'fatal' condition 'No method could process the authorisation request'
% Incomplete command.

Am thinking it's the configuration on ACS that's not correct, thus no request with proper permissions being supplied to the IOS-XR device?

Thanks and cheers,

Gima

Cisco Employee

hi gima,

could you share with me the full aaa configuration?

also show me what you have for the local username configuration and what you have provisioned in the ACS server for a user currently.

I am suspecting that either the aaa authorization piece is not configured correctly that points to the tacacs server to get author data, OR that the author data received from ACS is not providing the right permission level for this user. e.g. you'd need to send a taskgroup to the user to provide the permission level this user currently has (example above on how to send the taskgroup):

shell:tasks=#sysadmin

the #<name> provides the taskgroup for the user.

regards!

xander

New Member

hi Xander,

When I enter a username and password that resides in the ACS, I don't get a '% Authentication failed', rather I get asked again. I hope I don't need a reload.

The asr9k config is below:

RP/0/RSP0/CPU0:ASR9010(config)#do ping vrf mgmt 192.168.100.1
Thu Jan 21 04:46:31.623 PGT
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

RP/0/RSP0/CPU0:ASR9010(config)#tacacs-server host 192.168.100.1
RP/0/RSP0/CPU0:ASR9010(config-tacacs-host)#tacacs-server host 192.168.100.1 timeout 30
RP/0/RSP0/CPU0:ASR9010(config)#tacacs-server host 192.168.100.1 key 7 ******
RP/0/RSP0/CPU0:ASR9010(config)#tacacs-server host 192.168.100.1 single-connection
RP/0/RSP0/CPU0:ASR9010(config)#tacacs source-interface Bundle-Ether100.100 vrf mgmt
RP/0/RSP0/CPU0:ASR9010(config)#commit comment tacacs
Thu Jan 21 04:48:02.114 PGT

RP/0/RSP0/CPU0:ASR9010(config)#do show tacacs
Thu Jan 21 04:54:48.889 PGT
Server: 192.168.100.1/49 opens=0 closes=0 aborts=0 errors=0
        packets in=0 packets out=0
        status=up single-connect=true

RP/0/RSP0/CPU0:ASR9010(admin)#show run | be username
Thu Jan 21 05:05:05.139 PGT
Building configuration...
username rootuser
 group root-system
 group cisco-support
 secret 5 $1$v86Z$ncTSCrYrb0EeIDYogUeOo0

username gknaime
 group root-system
 group cisco-support
 secret 5 $1$5AtJ$ed6VUcp5visT8p1URuIW./

RP/0/RSP0/CPU0:ASR9010(config)#aaa group server tacacs+ ACSGRP
RP/0/RSP0/CPU0:ASR9010(config-sg-tacacs)#server 192.168.100.1
RP/0/RSP0/CPU0:ASR9010(config-sg-tacacs)#commit
Thu Jan 21 05:08:07.123 PGT

RP/0/RSP0/CPU0:ASR9010(config)#aaa authentication login vty-authen group ACSGRP local
RP/0/RSP0/CPU0:ASR9010(config)#aaa authorization  commands vty-author group tacacs+ ACSGRP
RP/0/RSP0/CPU0:ASR9010(config)#aaa accounting commands line-acct start-stop group ACSG$
RP/0/RSP0/CPU0:ASR9010(config)#commit
Thu Jan 21 05:23:24.739 PGT

RP/0/RSP0/CPU0:ASR9010(config)#aaa default-taskgroup root-system
RP/0/RSP0/CPU0:ASR9010(config)#commit
Thu Jan 21 05:25:12.827 PG

RP/0/RSP0/CPU0:ASR9010(config)#line console
RP/0/RSP0/CPU0:ASR9010(config-line)#login authentication vty-authen
RP/0/RSP0/CPU0:ASR9010(config-line)#authorization commands vty-author
RP/0/RSP0/CPU0:ASR9010(config-line)#accounting commands line-acct
RP/0/RSP0/CPU0:ASR9010(config-line)#commit
Thu Jan 21 05:58:54.268 PGT

RP/0/RSP0/CPU0:ASR9010(config)#line default
RP/0/RSP0/CPU0:ASR9010(config-line)#login authentication vty-authen
RP/0/RSP0/CPU0:ASR9010(config-line)#authorization commands vty-author
RP/0/RSP0/CPU0:ASR9010(config-line)#accounting commands line-acct
RP/0/RSP0/CPU0:ASR9010(config-line)#commit
Thu Jan 21 06:05:25.011 PGT

ON THE ACS 5.7 Shell Profile Custom Attributes see attachments

much appreciated.

gima

 

Cisco Employee

if you get the username/password prompt again, that means that the system can connect to the tacacs server, but it doesn't like the username/password for this service request.

I see 2 things that need to be adjusted:

- aaa authorization exec needs to be added to your config and template.

- the aaa profile for the user needs to add a service=shell attribute.

you can omit the custom attribute, since you are setting a priv level and use the trick from above to convert the priv level to a usergroup.

generally it is a good idea to have a fallback to local just in case the tacacs server is not available. and console access generally is not protected by Tacacs, since if a person is capable of getting physically to the console, I think worse things can happen besides logging in.

cheers

xander

New Member

thanks xander much appreciated.

New Member

We just got an ACS server and I have it connected to one of our XR boxes. I am passing taskIDs from ACS to the router. The correct permissions are applied but all users can enter configuration mode. They can't really do anything but they can still enter that mode. It has me a bit concerned. Is there a way to limit this and still use task IDs?

 

r:bgp,rx:basic-services,r:cef,r:rib,r:ipv4,r:ipv6,r:logging,r:monitor,r:network,r:interface

Cisco Employee

hi feene, entering the config mode is not protected by a task group ID, but any configuration command will require the "w" permission of the task in question.

so while one can enter the command, there is nothing that they can change unless there is w permission in any of the tasks set for them.

if you want to restrict this further, even though you don't really have to, you could possibly add command authorization to it to eliminate the configure keyword from that user's permission.

cheers

xander

New Member

Hi Xander,

Great article, which has served us well under XR4.3.4 - thank you.

We have authentication happening on ACS, with users and task-groups being passed back.

However following upgrade to XR5.3.3 although users are getting put into the root-system user group and have read/write/execute/debug permission on all task groups they can't enter basic commands.

Here's "user1" authenticated by ACS and put into the root-system group -

RP/0/RSP0/CPU0:rtr-01#show user

fliney

RP/0/RSP0/CPU0:rtr-01#show user authentication method

Fri Apr  8 12:24:05.350 UTC

ACS1

RP/0/RSP0/CPU0:rtr-01#show user group

Fri Apr  8 12:25:20.423 UTC

root-system

and he has all the task permissions you'd expect -

RP/0/RSP0/CPU0:rtr-01#show user tasks

Fri Apr  8 12:26:28.051 UTC

Task:                  aaa  : READ    WRITE    EXECUTE    DEBUG

Task:                  acl  : READ    WRITE    EXECUTE    DEBUG

Task:                admin  : READ    WRITE    EXECUTE    DEBUG

etc

Task:              root-lr  : READ    WRITE    EXECUTE    DEBUG (reserved)

Task:          root-system  : READ    WRITE    EXECUTE    DEBUG (reserved)

etc

Task:            universal  : READ    WRITE    EXECUTE    DEBUG (reserved)

etc

Task:                 vpdn  : READ    WRITE    EXECUTE    DEBUG

Task:                 vrrp  : READ    WRITE    EXECUTE    DEBUG

But user1 can't make basic commands like show version

RP/0/RSP0/CPU0:MALC-AGGR-01# show version

% This command is not authorized

A show run reveals he has access to alias commands only... he can't see commands governed by the other task groups.

RP/0/RSP0/CPU0:rtr-01#show running-config

Fri Apr  8 12:43:57.641 UTC

Building configuration...

!! IOS XR Configuration 5.3.3

!! Last configuration change at Fri Apr  8 12:13:40 2016 by admin

!

alias b show bgp ipv4 unicast

alias r show route

alias bs show bgp sum

alias bv show bgp vpnv4 unicast

alias rb router bgp

alias ri router isis

alias int show ipv4 vrf all interface brief

alias int6 show ipv6 vrf all interface brief

alias config config terminal

end

If we roll back to XR4.3.4 then everything is fine again. All the output above is the same, except the user can use all the commands you'd expect, and can see all of the routers configuration in a show run.

I attached a show run aaa which is unchanged between XR4.3.4 and XR5.3.3.

Any advice would be really welcome.

Thanks, 

Frank.

Cisco Employee

hi frank,

hmm your config looks correct! I am thinking that possibly the acs command author is not going correct or the authorization/task group assignment is not doing things right.

I am in between here between authorization of the session vs command authorization because

the show run would still have listed the full config despite command author with this task group setting, though individual commands are showing author issues thrown by AAA/ACS.

could you possibly get a debug tacacs and debug aaa author/authen to see which one is throwing us off? that will help also in identifying a possible mitigation.

regardless I am fearing we are hitting a bug that needs more investigation.

Another good test would be to eliminate the aaa author commands to see if that alleviates the situation which would be a good proof of issue also.

cheers

xander

New Member

Hi Xander,

Thanks for such a quick response!

We put the following debug on,

debug tacacs

debug tacacs conf

debug tacacs authen

debug tacacs author

debug tacacs detail

debug tacacs io

debug locald
debug locald authen

debug locald author

Then made an SSH connection and did -

show user (works)

show run (works)

show bgp (fails authorization)

show version (fails authoization)

show user all (works)

I've attached the output and the debug.

You can see that for the user is still in the right group and has the right task permissions.

In the debug you can see that for the commands which work the router sends an authorization request to locald and to tacacsd, and gets a response from ACS.

For the commands that fail a request is never made to locald or to tacacsd. The authorization fail is made locally.

we tried debug aaa author/authen and didn't get any output which was helpful.

Thanks again.

Frank.

New Member

Thanks for the great article. We recently deployed an asr9k with 5.3.3 and it comes with default cisco/cisco credentials; how can we change the password?

Also we need to create a username/passwd for customer for monitoring purpose (like monitoring links/snmp access etc) what group they should be part of.

Cisco Employee

Arjun,

Did you receive an ASR9K with default user/pass? If so there must have been an error somewhere, the boxes should ship without any password. To change this or view it:

1) login

2) Type "admin"

3) show run to view the user and the groups they belong to.

4) Edit the user/pass, or create a new one by config t

5) give the user full root-system, cisco-support access, so they can have all rights to get around the system. Or one of the other default task groups as seen in the document. If you don't want that, you can create your own task group for this user, but that's old school stuff; today operators want to be quick and creative, and if you limit their access they get less creative.

Regards

Eddie.

New Member

thanks eddie, i will check that once i visit the site.

other doubt was: I have to give them an ID/passwd just for monitoring purposes, mainly for their NOC (link, interface monitoring etc), so I am planning to give them 'operator' access with the below commands. is that correct?

(config)#username abcd group operator
(config)#username abcd password abcd

but I see these 'operator' users can get into conf t mode; is there any way to restrict them from doing so?
