Cisco Support Community
Community Member

IOS XR Command authorization with ACS server

We have a newly implemented ASR 9010 and are trying to figure out how to best configure it with TACACS, as it is slightly different than IOS.

In ACS, we have two groups: Group 1 and Group 2

Group 1 allows full access in the shell command authorization set.

Group 2 allows limited access in the shell command set (basically just show commands).

Both groups can login fine (aaa authentication login default group <groupname> local)

Group 1 has full access to everything (group I am in). 

Group 2 has NO access to anything (can't even perform show commands).

Group 2 CAN access other IOS devices and can perform the various show commands.

With regards to our authorization commands, we currently have it configured as:

aaa authorization commands default group <groupname> local

Why is it working for the one group, but not the other?  I've read how IOS XR uses task Ids and other various things that I'm unfamiliar with.  I'm mainly curious if I have to use those, if the authorized commands are configured in ACS.



Everyone's tags (2)
Cisco Employee

IOS XR Command authorization with ACS server

dont have enough info to give you a full conclusive answer Kyle, but some suspicions.

Task group not set right?

Command groups not defined properly in tacacs for command author.

if you only want show access, you can just use the task groups in XR with a read permission on any command for instance. no direct need to send every command down to tacacs (hate that slowness )

More info here:


Xander Thuijs CCIE #6775 Principal Engineer ASR9000, CRS, NCS6000 & IOS-XR
CreatePlease to create content