cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

ASR9000/XR Using Task groups and understanding Priv levels and authorization

43035
Views
5
Helpful
68
Comments

Introduction

IOS-XR has a very strong embedded mechanism to do user authentication and authorization. While XR does not have the concept of privilege-levels as what IOS had, the embedded user task group management is extremely strong allow for the creation of different task groups.

Tasks

Building blocks for on-box authorization scheme
4 types of permissions per task

  • Read
  • Write
  • Execute
  • Debug

Tasks

aaa

config-services

hsrp

netflow

sbc

acl

crypto

interface

network

snmp

admin

diag

inventory

ospf

sonet-sdh

atm

disallowed

ip-services

ouni

static

basic-services

drivers

ipv4

pkg-mgmt

sysmgr

bcdl

eigrp

ipv6

pos-dpt

system

bfd

ext-access

isis

ppp

transport

bgp

fabric

logging

qos

tty-access

boot

fault-mgr

lpts

rib

tunnel

bundle

filesystem

monitor

rip

universal

cdp

firewall

mpls-ldp

root-lr

vlan

cef

fr

mpls-static

root-system

vrrp

cisco-support

hdlc

mpls-te

route-map

config-mgmt

host-services

multicast

route-policy

Default task-groups

The following task-groups are predefined in IOS-XR

root-system: Root system users

root-lr: Root logical router users

netadmin: Network administrators

sysadmin: System administrators

operator: Operators performing day-to-day activities

cisco-support: highest level of privilege allowing lowest level access

What task group is needed for what command?

If you are unsure as to what task group and permission level you need in order to allow a certain command, use the "describe" keyword.

Example:

RP/0/RSP0/CPU0:A9K-TOP#describe show bgp summary

.....
User needs ALL of the following taskids:

       bgp (READ)

So in order to allow a user to do the command "show bgp summary", we would need to allow the following line in

the task group definition:

task read bgp

It can also be the case that a particular user needs to be member of a particular (pre defined) task group.

such as a Process restart, you can only do when you are member of cisco-support:

RP/0/RSP0/CPU0:A9K-TOP# describe process restart bgp

.........

User needs ALL of the following taskids:

        cisco-support (EXECUTE)

Tasks and user group example

In regular IOS-XR configuration define your task-group with the permissions and tasks you like

RP/0/RSP0/CPU0:A9K-TOP(config)#taskgroup basic-admin
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task read acl
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task read bfd
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task read bgp
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task write acl
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task write bfd
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task write bgp
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task debug bgp

You can also define a user group that imports several task groups:

usergroup noc-staff
taskgroup operator
taskgroup basic-admin
inherit usergroup all-users

Privilege levels

As mentioned, XR doesn't have priv levels, but in order to leverage the existing AAA profiles from TACACS used for IOS based routes, we can create user-groups that are named as the privilege levels:

usergroup priv15

taskgroup root-system

taskgroup cisco-support

Now with tacacs we can send the priv via the options in service-exec:


service = exec { priv-lvl = 15 }

or via a radius AVP like:

cisco-avpair = "shell:priv-lvl=15"

NOTE: the syntax of "cisco-avpair" and the capitalization is dependent on the dictionary definition for the cisco avp.

Using AAA

For starters you need to point your user authentication to the external source for authentication:

aaa authorization exec default group tacacs+ local
aaa authentication login default group tacacs+ local

when you add the following to your tacacs profile :

TACACS:

service = exec {
task = "rwx:bgp,#operator"
}

RADIUS:

Cisco-AVPair = "shell:tasks=#sysadmin,rwx:bgp,r:ospf"

you'll inherit the read, write and execute permissions to BGP as well as the user will be part of the local operator group definition.

Either this group is part of the standard cisco embedded groups or it can be something that you have defined locally.

the radius profile allows read/write/execute on BGP, read for OSPF and membership to the sysadmin group

By using AAA you can either reference locally defined task groups OR you can define the task groups in the tacacs/radius response packet

or using a combination of both

Group Membership

To find out which groups you are currently member of while being logged in:

RP/0/RSP0/CPU0:A9K-TOP#show user tasks
Wed Mar 30 18:26:00.768 UTC
Task:                  aaa  : READ    WRITE    EXECUTE    DEBUG
Task:                  acl  : READ    WRITE    EXECUTE    DEBUG
Task:                admin  : READ    WRITE    EXECUTE    DEBUG

Command Authorization

In IOS we can do command authorization for each separate priv level. in XR we don't have priv levels hence either command author is enabled for ALL commands or none at all:

RP/0/RSP0/CPU0:A9K-TOP(config)#aaa authorization commands default group ?
  WORD     server-group name
  tacacs+  Use list of all TACACS+ hosts

Note: in order to do command author you must use TACACS, you cannot use radius.


Related Information

n/a

Xander Thuijs - CCIE #6775

Sr Tech Lead ASR9000

Comments
Beginner

https://www.cisco.com/c/en/us/td/docs/ios_xr_sw/iosxr_r3-2/security/configuration/guide/sc_c32/sc32aaa.pdf

 

• sysadmin: Has the ability to control and monitor all system parameters but cannot configure network protocols.

 

Trying this

Beginner

Above group have some write permissions :(

Hi, I use radius as a protocol for AAA (Cisco Access Registrar) and so far users authorized via radius did not have any issues with privilege level on IOS XR and IOS without usage of cisco-avpairs. But now I have new NX OS devices in the network and those devices consider radius as unsafe protocol and by default do not give privileges for users to type commands. In order to receive privileges, by configuration guide, I need to use following cisco-avpair: "shell:roles*\"network-operator vdc-admin\"" As it is said this format should be used, so that devices which do not recognize this avpair will ignore it. But, for some reason IOS XR does not ignore it. With usage of this cisco-avpair, IOS and NX OS devices have necessary privileges, but IOS XR devices proclaim authentication failed and do not allow access to the device. I was considering using following command on IOS XR devices: “radius-server vsa attr ignore unknown”, but I am not sure how it will affect devices. Especially taking into consideration that some of ASR9K devices should be used for BNG and radius protocol will be used for BNG client authentication, not just for device administration. So, what is the right cisco-avpair syntax that should help IOS XR devices, not just NX OS and IOS devices to be able to authenticate and receive the right privileges for administration of devices? Thank you and best regards, Kice
Beginner

Hi Xander,

 

Great topic! 

My quick question, can I make all tasks to read permission?

But I don't want to define any new user group or task group in the router.

I use Cisco ISE (with device administration) to authenticate and authorize user login into router.

I use TACACS+ protocol.

I tried to define task=r:acl,r:aaa,r:admin, (define all tasks with 'r' permission) on Cisco ISE as AAA server but when I login, it said no taskid available.

My goal is, read-only user able to do any show commands, include show run but they are not able to do any configuration

 

Thank you in advance

what is equivalent for the user groups and task groups at Nexus 3k ?

 

how to apply those at Nexus ?

 

 

How I can deny the command "no router static" but allow the commands inside of router static//address-family ipv4/ipv6??

Beginner

Hi Xander

 

I have a doubt. Has you changed the task id from 5.3.3 to 6.4.2 version?. I mean, we have an user in version 5.3.3 who can issue the command show bgp sessions | i Established | utility wc -l, 

 

RP/0/RSP0/CPU0:XXXXX#describe utility wc
Package:
iosxr-infra
iosxr-infra V5.3.3[Default] IOS-XR Infra Package Definition
Vendor : Cisco Systems

 

User needs ALL of the following taskids:

basic-services (EXECUTE)

 

I tried to configure the same user in 6.4.2, but I haven't permission to issue this command

 

RP/0/RSP1/CPU0:XXXXX# show bgp sessions | i Established | utility wc -l
% This command is not authorized

And with other user (root-system) i saw that

 

RP/0/RSP1/CPU0:XXXXX#describe utility wc
Package:
iosxr-infra
iosxr-infra V6.4.2[Default] IOS-XR Infra Package Definition

 

User needs ALL of the following taskids:

basic-services (EXECUTE)
root-lr (EXECUTE)

 

Is necesary to have root-lr to issue "utiltiy"??. Is there any way to issue the command without being root-system?

 

Thanks

Hi Xander,

 

Can You help me out clarify if Radius authentication for SSH access to OOB (MGMT) interface in VRF on ASR9k is supported? Same MGMT interface is used to source Radius packets.

Everything works fine if MGMT interface is not in VRF instance, but after adding VRF it stops working (source IP address is virtual address used by RSPs).

From traces on Radius server I can see that only IOS XR test Radius Access-request and Acounting-Request messages are correctly sent to Radius server. Radius messages contain correct Radius AVP's.

When trying to SSH to ASR, in debug radius output it looks like IOS XR is having trouble fetching attributes (NAS IP, ...) and throws this log:

Failed to send the request to radiusserver :'RADIUS' detected the 'fatal' condition 'No server information is available'

 

It would help me a lot if You can help me out with this.

 

Thank You!

 

BR,

Vladimir

 

 

CreatePlease to create content
Content for Community-Ad

Cisco COVID-19 Survey