NCS IOS-XR AAA or username 'group'

johnlloyd_13
Level 9

Hi,

I have an NCS router running IOS-XR.

There was some issue with routing on the MGMT VRF and reachability to ISE/TACACS+, so I tried to log in using the local user/PW.

I was able to log in/authenticate using the local account, but I wasn't able to issue any commands.

Can someone advise if there's a missing username 'group' that I should add, or is there a missing AAA command 'authorization' line?

 

RP/0/RP0/CPU0:NCS#sh ip int b
Command authorization failed

RP/0/RP0/CPU0:NCS#conf t
Command authorization failed

 

RP/0/RP0/CPU0:NCS#sh run aaa
Wed Sep 8 12:32:07.570 UTC
username cisco-admin
group root-lr
group cisco-support
secret <SECRET PW>
!
aaa accounting exec default start-stop group ISE-GRP
aaa accounting system default start-stop group ISE-GRP
aaa accounting commands default stop-only group ISE-GRP
aaa group server tacacs+ ISE-GRP
vrf Mgmt-intf
server-private 10.1.1.2 port 49
key <KEY>
!
!
aaa authorization exec default group ISE-GRP local
aaa authorization commands default group ISE-GRP
aaa authentication login default group ISE-GRP local


RP/0/RP0/CPU0:NCS#conf t
Wed Sep 8 12:30:35.931 UTC
RP/0/RP0/CPU0:NCS(config)#username cisco-admin
RP/0/RP0/CPU0:NCS(config-un)#group ?
WORD Name of the user group
cisco-support Cisco support personnel
maintenance Maintenance group
netadmin Network administrators group
operator Operator group
provisioning Provisioning group
read-only-tg Read only group
retrieve Retrieve group
root-lr Root LR group
serviceadmin Service administrators group
sysadmin System administrators group
WORD Name of the user group

 

5 Replies

Giuseppe Larosa
Hall of Fame

Hello @johnlloyd_13 ,

You should provide a fallback to local for both authorization commands.

 

>>aaa authorization exec default group ISE-GRP local
aaa authorization commands default group ISE-GRP  ! here local is missing
aaa authentication login default group ISE-GRP local

 

Hope to help

Giuseppe

 

Hi Giuseppe,

I did check on that earlier. There's no 'local' available as a fallback method?

I was thinking maybe I could set it to 'none' for the second method?

 

RP/0/RP0/CPU0:NCS#conf t
Wed Sep 8 12:56:41.600 UTC
RP/0/RP0/CPU0:NCS(config)#aaa authorization commands default group ISE-GRP ?
group Use Server-group
none no authorization
<cr>

Hello @johnlloyd_13 ,

In IOS and IOS XE there should be an authenticated or already-authenticated option that would be a fit for your needs.

if-authenticated should be the exact keyword in IOS / IOS XE.

You need to find the equivalent for IOS XR.

 

Edit:

I see you have already provided the available options. I agree on none as the fallback option; otherwise, in case of failure of the AAA servers or connectivity issues, you cannot change the configuration.

 

Hope to help

Giuseppe

 

Hi Giuseppe,

I added 'none' as the second/fallback method and it worked, or at least it didn't lock me out from issuing commands.

 

aaa authorization commands default group ISE-GRP none

 

RP/0/RP0/CPU0:Sep 9 03:16:11.364 UTC: ifmgr[302]: %PKT_INFRA-LINK-3-UPDOWN : Interface MgmtEth0/RP0/CPU0/0, changed state to Down

Username: cisco-admin
Password:


RP/0/RP0/CPU0:NCS#sh ip int b
Thu Sep 9 03:16:27.100 UTC

Interface IP-Address Status Protocol Vrf-Name

 

<SNIP OUTPUT>

Hello @johnlloyd_13 ,

This is fine.

Have you tested if you are able to enter configuration mode when the AAA server is not reachable, using the locally defined account?

I think this is the most critical part to check.

 

Hope to help

Giuseppe
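As an added illustration of the point raised in this thread (not code from any poster or from Cisco), the following script audits the method lists in a `show running-config aaa` dump: it flags an authorization or login line whose method list contains only server groups (the lockout condition above) and separately flags `none` as a command-authorization fallback, since that means every command is permitted whenever TACACS+ is unreachable. The sample config below is constructed from the thread, and the line format it assumes is the IOS-XR `aaa authorization|authentication ... default <methods>` syntax shown in the posts.

```python
import re

# Constructed sample modelled on the thread's 'sh run aaa' output; the
# 'authorization commands' line has no fallback method.
SAMPLE_RUN_AAA = """\
aaa accounting exec default start-stop group ISE-GRP
aaa accounting commands default stop-only group ISE-GRP
aaa group server tacacs+ ISE-GRP
 vrf Mgmt-intf
 server-private 10.1.1.2 port 49
!
aaa authorization exec default group ISE-GRP local
aaa authorization commands default group ISE-GRP
aaa authentication login default group ISE-GRP local
"""

# Matches 'aaa authorization exec|commands <list> <methods>' and
# 'aaa authentication login <list> <methods>' (assumed IOS-XR syntax).
METHOD_LINE = re.compile(
    r"^aaa (?P<kind>authorization (?:exec|commands)|authentication login)"
    r" (?P<list>\S+) (?P<methods>.+)$"
)

def parse_methods(tokens):
    """Turn 'group ISE-GRP local' into ['group ISE-GRP', 'local']."""
    methods, parts, i = [], tokens.split(), 0
    while i < len(parts):
        if parts[i] == "group" and i + 1 < len(parts):
            methods.append(f"group {parts[i + 1]}")
            i += 2
        else:
            methods.append(parts[i])
            i += 1
    return methods

def audit_aaa(config):
    """Return (line, finding) pairs for method lists that need attention."""
    findings = []
    for line in config.splitlines():
        m = METHOD_LINE.match(line.strip())
        if not m:
            continue
        non_server = [x for x in parse_methods(m.group("methods"))
                      if not x.startswith("group ")]
        if not non_server:
            findings.append((line, "no fallback: unreachable TACACS+ locks out local users"))
        elif "none" in non_server and m.group("kind") == "authorization commands":
            findings.append((line, "fallback 'none': every command allowed when TACACS+ is down"))
    return findings

if __name__ == "__main__":
    for line, finding in audit_aaa(SAMPLE_RUN_AAA):
        print(f"{finding}\n    {line}")
```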
