05-11-2007 11:38 PM - edited 03-10-2019 03:09 PM
Hi,
I will have to describe our infrastructure if I want to explain our
problem. In our network, we are running both Cisco IOS and Cisco IOS-XR.
Every device is configured for RADIUS authentication and authorization
(exec). This is the used configuration:
Cisco IOS:
--- cut ---
aaa new-model
aaa authentication login default radius local
aaa authorization exec default radius local
!
radius-server host <omitted output>
radius-server key <omitted output>
--- cut ---
Cisco IOS-XR:
--- cut ---
aaa authorization exec default group radius local
aaa authentication login default group radius local
!
radius-server host <omitted output>
radius-server key <omitted output>
--- cut ---
Now the problem description. It is enough to send attribute type 6
(Service-Type) with value 6 (Administrative) to login on Cisco-IOS and get
administrator privilege. But to get administrator privilege on Cisco IOS-XR
I have to send Cisco-AVPair = "shell:tasks=#root-system" or some other
definition of task list.
And actually the problematic point is when I want to use single admin
account to log on both Cisco IOS and Cisco IOS-XR. IOS-XR can handle this
account configuration, but once I send that Cisco-AVPair to cisco IOS, I
got access-reject.
Attached the debug's file.
So I was trying to find solution for this (basically other method how to
log on IOS-XR and not send task list). I found this web page:
http://www.cisco.com/en/US/products/ps5845/products_configuration_guide_chapter09186a00806f9eb4.html
With this statement:
"AAA supports a mapping between privilege levels defined for the user in
the external TACACS+ server configuration file and local user groups.
Following TACACS+ authentication, the task map of the user group that has
been mapped from the privilege level returned from the external TACACS+
server is assigned to the user. For example, if a privilege level of 5 is
returned from the external TACACS server, AAA attempts to get the task map
of the local user group priv5. This mapping process is similar for other
privilege levels from 1 to 13. For privilege level 15, the root-system user
group is used; privilege level 14 maps to the user group owner-sdr."
I was trying to send priv-lvl to Cisco IOS-XR, but nothing like this
mapping happened.
So finally the questions:
- Is this priv-lvl mapping working only for TACACS+ and not
for RADIUS, or is there any special configuration needed on Cisco
IOS-XR?
- What will be your recommendation to solve this issue
(shared RADIUS server for both Cisco IOS and IOS-XR)? Use of two
separate accounts (one for IOS and one for IOS-XR) is not an option
here, because we are using RSA tokens.
Any comments on that..
05-17-2007 11:27 AM
I think probably priv lvl mappings work for TACACS only, switching over to TACACS may help you. Following links may help you
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml
http://www.cisco.com/en/US/products/ps5845/products_command_reference_chapter09186a00806afb36.html
05-17-2007 01:12 PM
In RADIUS protocol, authorization settings are passed to the device, at the time of authentication, in the form of attribute value pairs.
This is different from how TACACS works.
Essentially, what you want to do is to pass a vendor-specific attribute value pair to the router or switch at the time of login that specifies the user's privilege level.
The following example causes a user logging in from a network access server to have immediate access to EXEC commands.
cisco-avpair= "shell:priv-lvl=15"
How to Assign Privilege Levels with TACACS+ and RADIUS
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml
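The thread turns on three RADIUS authorization attributes: the standard Service-Type=Administrative that the original poster uses for IOS, the Cisco-AVPair "shell:tasks=#root-system" needed for IOS-XR, and the "shell:priv-lvl=15" Cisco-AVPair suggested in the reply above. The following is an added example, not code from the thread or from Cisco, showing how each of these is laid out on the wire per RFC 2865 (Service-Type is attribute 6; Cisco-AVPair is Vendor-Specific attribute 26 with IANA enterprise number 9 and vendor type 1), with a decoder that validates attribute lengths so a malformed Access-Accept cannot be over-read. Constant names and helper functions are my own.

```python
import struct

# RFC 2865 attribute types and the Cisco vendor id (IANA enterprise number 9)
SERVICE_TYPE, VENDOR_SPECIFIC = 6, 26
SERVICE_TYPE_ADMINISTRATIVE = 6
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1


def encode_service_type(value):
    """Service-Type: type(1) length(1) 32-bit big-endian value; length is always 6."""
    return struct.pack("!BBI", SERVICE_TYPE, 6, value)


def encode_cisco_avpair(text):
    """Vendor-Specific(26) wrapping a Cisco-AVPair sub-attribute (vendor type 1)."""
    data = text.encode("ascii")
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(vsa), CISCO_VENDOR_ID) + vsa


def decode_attributes(buf):
    """Walk the attribute TLVs; reject bad lengths rather than reading past the buffer."""
    out, i = [], 0
    while i < len(buf):
        atype, alen = buf[i], buf[i + 1]
        if alen < 2 or i + alen > len(buf):
            raise ValueError("malformed attribute length")
        body = buf[i + 2:i + alen]
        if atype == SERVICE_TYPE:
            out.append(("Service-Type", struct.unpack("!I", body)[0]))
        elif atype == VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", body[:4])[0]
            vtype, vlen = body[4], body[5]
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                out.append(("Cisco-AVPair", body[6:4 + vlen].decode("ascii")))
            else:
                out.append(("Vendor-Specific", vendor, vtype, body[6:]))
        else:
            out.append((atype, body))
        i += alen
    return out


# The three authorization payloads discussed in the thread (hypothetical helper names)
def ios_admin_attrs():
    return encode_service_type(SERVICE_TYPE_ADMINISTRATIVE)


def ios_xr_admin_attrs():
    return encode_cisco_avpair("shell:tasks=#root-system")


def priv_lvl_attrs(level=15):
    return encode_cisco_avpair("shell:priv-lvl=%d" % level)
```

Because these attributes alone decide whether a login gets administrative access, the per-user return-attribute policy on the RADIUS server deserves the same change control as the device configuration itself.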