
AAA configuration

Mohd Nasir
Level 1

I have 2 Cisco IOS-XR routers, models N540-28Z4C-SYS-A and N540X-6Z18G-SYS-A. I have to configure the TACACS+ server on both routers to authenticate and authorize with the TACACS server. The TACACS server IP is 192.168.X.X. The configuration of these models is a little bit different from IOS XE routers. The server is reachable from both devices.

 

 

8 Replies

balaji.bandi
Hall of Fame

What is the issue? You mentioned that you configured it and the AAA server is reachable; what do you need?

Check the guide below for IOS XR:

https://www.cisco.com/c/en/us/td/docs/iosxr/ncs5xx/system-security/76x/b-system-security-cg-76x-ncs540/configuring-aaa-services.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

What commands need to be run for TACACS+ and AAA configuration on the routers? I can ping the TACACS server IP address. I need the configuration for the router.

You are correct, IOS XR is so, so different than IOS XR.

It is so simple with IOS XE and hard for IOS XR.

The issue with IOS XR is that the control and mgmt planes are divided, and hence you need to do the correct steps to configure the AAA server.

For what do you need to configure AAA, for login to IOS XR ASR9k?

I have run the commands below on an IOS XE router, and they are working fine. I want to run the same on the IOS-XR router but am not able to.

 

password encryption aes
key config-key password-encrypt xxxxxxxxxxxxx
!
aaa new-model
aaa group server tacacs+ ise_group
 server name ise
!
aaa authentication login aaa group ise_group local
aaa authentication enable default group ise_group enable
aaa authentication dot1x default group radius local
aaa authorization config-commands
aaa authorization exec aaa group ise_group local
aaa authorization commands 0 aaa group ise_group local
aaa authorization commands 1 aaa group ise_group local
aaa authorization commands 15 aaa group ise_group local
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
service password-encryption
!
tacacs server ise
 address ipv4 xxxxxxxxx
 key xxxxxxxxxxxx
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
 password 0 xxxxxxxxxxx
 authorization commands 0 aaa
 authorization commands 1 aaa
 authorization commands 15 aaa
 authorization exec aaa
 logging synchronous
 login authentication aaa
 transport input ssh
 transport output ssh
line vty 5 15
 password 0 xxxxxxxxxxx
 authorization commands 0 aaa
 authorization commands 1 aaa
 authorization commands 15 aaa
 authorization exec aaa
 logging synchronous
 login authentication aaa
 transport input ssh
!
ip tacacs source-interface loopback 10
!

Check the link I shared; check the task group.

Some command syntax differs between IOS XE and IOS XR; you may not get 100% of what you are looking for to work (depends on the version of IOS XR you are using).

I would suggest starting with a basic TACACS config and improving the config from there to work as expected (make sure you have a local account so you can use local login in case you get locked out).

The document URL I provided above has a section (Configure TACACS+ Server).

It has a simple config to configure and test. Let us know what is not working, and from there we can guide you.

BB


Gopinath_Pigili
Spotlight

Here are the sample configurations:

IOS-XE:

aaa authentication login VTY group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

tacacs server TACACS-SERVER
 address ipv4 192.168.x.x
 key 7 1234567890

ip tacacs source-interface Loopback0

IOS-XR:

aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands VTY start-stop group tacacs+
aaa authorization exec VTY group tacacs+ none
aaa authorization commands VTY group tacacs+ none
aaa authentication login VTY group tacacs+ line local

tacacs source-interface Loopback0 vrf default

tacacs-server host 192.168.x.x port 49
 key 7 1234567890123456789

 

Best regards
******* If This Helps, Please Rate *******
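
An added example, not part of any reply in this thread and not Cisco tooling: a small Python check that reviews AAA lines like the ones posted above before they are committed to a router. It flags login method lists without a `local` fallback (the lockout case mentioned earlier in the thread), authorization lists ending in `none`, and type 7 or cleartext secrets. The rule names, the sample config and the `audit_aaa` function are assumptions made for this illustration.

```python
import re

# Constructed sample modelled on the IOS XR lines in this thread
# (documentation IP address, dummy secrets).
SAMPLE = """\
aaa accounting exec VTY start-stop group tacacs+
aaa authorization exec VTY group tacacs+ none
aaa authorization commands VTY group tacacs+ none
aaa authentication login VTY group tacacs+ line local
aaa authentication login MGMT group tacacs+
tacacs-server host 192.0.2.10 port 49
 key 7 0000000000
line vty 0 4
 password 0 example
"""


def audit_aaa(config):
    """Return (line_no, rule, text) for each risky AAA-related line."""
    findings = []
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        words = line.split()
        if line.startswith("aaa authentication login "):
            # words[3] is the method-list name; the rest are methods tried in order.
            if "local" not in words[4:]:
                findings.append((no, "no-local-fallback", line))
        elif line.startswith("aaa authorization ") and words[-1] == "none":
            # A trailing "none" skips authorization when the server does not answer.
            findings.append((no, "authz-fail-open", line))
        # "key 7"/"password 7" is reversible obfuscation; type 0 is cleartext.
        secret = re.match(r"(?:key|password)\s+([07])\s+\S+", line)
        if secret:
            rule = ("reversible-type7-secret" if secret.group(1) == "7"
                    else "cleartext-secret")
            findings.append((no, rule, line))
    return findings


if __name__ == "__main__":
    for no, rule, text in audit_aaa(SAMPLE):
        print(f"line {no}: {rule}: {text}")
```
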