AAA for IOS-XR 9K

johnlloyd_13
Level 9

hi,

i'll be standardizing AAA using TACACS+ (ISE) on IOS-XR 9Ks. right now it's just doing AAA authentication.

just want to have a similar look on classic IOS for AAA.

can someone confirm if below template is all that's needed?

is the 'console' redundant since i got 'default' defined on the first method?

 

aaa authentication login default group MYGRP local

aaa authentication login console group MYGRP local

 

aaa authorization exec default group MYGRP local

aaa authorization commands default group MYGRP local
aaa authorization commands console group MYGRP

 

aaa accounting exec default start-stop group MYGRP none
aaa accounting system default start-stop group MYGRP none
aaa accounting commands default stop-only group MYGRP none

3 Replies

Giuseppe Larosa
Hall of Fame

Hello @johnlloyd_13 ,

I have put ASR 9k under TACACS+ in 2016.

ASR 9000 runs IOS XR, where users belong to one or more task groups, so in IOS XR it is more difficult to use AAA.

In addition it is best practice to have console authentication and authorization use a non-default local mode, because you will need to use the console only if the AAA server is not available or the ASR9000 is isolated from the network for any reason.

 

Below I provide you a reviewed template; the TACACS+ key has to be put in clear text.

 

 

tacacs source-interface Loopback0 vrf default

tacacs-server host <TACACAS+_server_IPaddress> port 49
key 0 <TACACACS+_key>
single-connection
!

aaa group server tacacs+ tacacs_group
server <TACACAS+_server_IPaddress>

aaa accounting exec default start-stop group tacacs_group
aaa accounting system default start-stop group tacacs_group
aaa accounting commands default start-stop group tacacs_group

aaa authorization exec default group tacacs_group none
aaa authorization commands default group tacacs_group none

aaa authentication login default group tacacs_group local

! special commands to make console connection independent from AAA server : requires the rack to be in a safe place

aaa authentication login console local
aaa authorization commands console none

line console
login authentication console
authorization commands console
exit


! the key command to make the users authenticated by AAA able to do everything on the ASR9000

>>aaa default-taskgroup root-system

! the above command is the key for AAA on IOS XR devices

 

Note:

I am not saying this is the only way to configure AAA on IOS XR, but this works unless AAA commands have changed in newer IOS XR versions.

 

Hope to help

Giuseppe

 

 

hi giuseppe,

thanks for the feedback!

a few questions though:

1. why is the authorization fallback method none?

shouldn't it be 'local' instead? or this applies only for authentication?

 

aaa authorization exec default group tacacs_group none
aaa authorization commands default group tacacs_group none

 

2. why should console be separated?

can i have AAA for console use TACACS+ (my defined group) then fallback to 'local'?

aaa authentication login console local
aaa authorization commands console none

 

3. i'm unable to use 'aaa default-taskgroup root-system' even with command syntax help.

is this a typo? or difference in IOS-XR code?

 

RP/0/0/CPU0:XR(config)#aaa ?
accounting AAA Accounting data
authentication AAA Authentication data
authorization AAA Authorization data
default-taskgroup Default taskgroup to be used for remote authentication
group AAA group definitions
server AAA Server
RP/0/0/CPU0:XR(config)#aaa default-taskgroup ?
WORD Name of the taskgroup to be used
RP/0/0/CPU0:XR(config)#aaa default-taskgroup MYGRP ?
<cr>

Hello @johnlloyd_13 ,

thanks for your kind remarks.

 

your questions:

 

>> 1. why is the authorization fallback method none?

 

Because it is IOS XR, and with none you are sure to be able to execute a command when the AAA server is not available.

 

>> 2. why should console be separated?

 

After initial setup, when do you need to use the console port? Only in case the ASR9000 is isolated or the AAA server is not available; for this reason the console case is separated.

Just to add: if you have an ASR9000 with two supervisors, or two ASR9000 in virtual chassis, both supervisor consoles are available, not only the one of the master supervisor.

 

>> can i have AAA for console use TACACS+ (my defined group) then fallback to 'local'?

As I have tried to explain, an IOS XR device does not behave as a classic IOS device.

You can try, but you may find yourself locked out of the console when you need it. You should test it in a lab to verify the correct behaviour.

 

>>

3. i'm unable to use 'aaa default-taskgroup root-system' even with command syntax help.

is this a typo? or difference in IOS-XR code?

 

I am afraid it is a change in IOS XR command syntax. What IOS XR version are you running on your ASR9000?

 

This command was the key for us to succeed; without it the users could not do much on the box.

 

Hope to help

Giuseppe
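The lockout concern discussed in this thread (a console method list that depends on the remote group, or any list with no local/none fallback) can be checked mechanically. The following is an added example for this thread, not Cisco, ISE or either poster's code; the sample config lines and the rule set are constructed here, and they only cover the 'aaa authentication login' / 'aaa authorization' lists, not task groups.

```python
"""Lint IOS XR AAA method lists for configurations that could lock operators
out when the TACACS+ server is unreachable. Added example for this thread;
not Cisco or ISE code. Sample config and rules are constructed here."""
import re

# Constructed sample: the original poster's template, plus console lists that
# depend on the remote group with no local fallback.
SAMPLE_CFG = """\
aaa authentication login default group MYGRP local
aaa authentication login console group MYGRP
aaa authorization exec default group MYGRP local
aaa authorization commands default group MYGRP local
aaa authorization commands console group MYGRP
aaa accounting commands default stop-only group MYGRP none
"""

LINE_RE = re.compile(
    r"^aaa (?P<kind>authentication login|authorization exec|authorization commands)"
    r"\s+(?P<list>\S+)\s+(?P<methods>.+)$")


def parse_methods(cfg):
    """Return {(kind, list_name): [method, ...]}; 'group X' becomes 'group:X'."""
    lists = {}
    for line in cfg.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # accounting, tacacs-server, line console etc. are ignored
        toks = m.group("methods").split()
        methods, i = [], 0
        while i < len(toks):
            if toks[i] == "group" and i + 1 < len(toks):
                methods.append("group:" + toks[i + 1])
                i += 2
            else:
                methods.append(toks[i])
                i += 1
        lists[(m.group("kind"), m.group("list"))] = methods
    return lists


def lockout_findings(cfg):
    """Flag lists that cannot complete when every remote group is unreachable,
    and console lists that try the remote group before anything local."""
    findings = []
    for (kind, name), methods in parse_methods(cfg).items():
        if not any(m in ("local", "none") for m in methods):
            findings.append(f"{kind} {name}: only remote methods {methods}, "
                            "no local/none fallback")
        if name == "console" and methods[0].startswith("group:"):
            findings.append(f"{kind} console: tries remote group first; "
                            "thread advises a local-only console list")
    return findings
```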

 
