ASR9000/XR Using Task groups and understanding Priv levels and authorization - Page 3

xthuijs · ‎03-30-2011

Introduction

IOS-XR has a very strong embedded mechanism to do user authentication and authorization. While XR does not have the concept of privilege-levels as what IOS had, the embedded user task group management is extremely strong allow for the creation of different task groups.

Tasks

Building blocks for on-box authorization scheme
4 types of permissions per task

Read
Write
Execute
Debug

Tasks
aaa	config-services	hsrp	netflow	sbc
acl	crypto	interface	network	snmp
admin	diag	inventory	ospf	sonet-sdh
atm	disallowed	ip-services	ouni	static
basic-services	drivers	ipv4	pkg-mgmt	sysmgr
bcdl	eigrp	ipv6	pos-dpt	system
bfd	ext-access	isis	ppp	transport
bgp	fabric	logging	qos	tty-access
boot	fault-mgr	lpts	rib	tunnel
bundle	filesystem	monitor	rip	universal
cdp	firewall	mpls-ldp	root-lr	vlan
cef	fr	mpls-static	root-system	vrrp
cisco-support	hdlc	mpls-te	route-map
config-mgmt	host-services	multicast	route-policy

Default task-groups

The following task-groups are predefined in IOS-XR

root-system: Root system users

root-lr: Root logical router users

netadmin: Network administrators

sysadmin: System administrators

operator: Operators performing day-to-day activities

cisco-support: highest level of privilege allowing lowest level access

What task group is needed for what command?

If you are unsure as to what task group and permission level you need in order to allow a certain command, use the "describe" keyword.

Example:

RP/0/RSP0/CPU0:A9K-TOP#describe show bgp summary

.....
User needs ALL of the following taskids:

bgp (READ)

So in order to allow a user to do the command "show bgp summary", we would need to allow the following line in

the task group definition:

task read bgp

It can also be the case that a particular user needs to be member of a particular (pre defined) task group.

such as a Process restart, you can only do when you are member of cisco-support:

RP/0/RSP0/CPU0:A9K-TOP# describe process restart bgp

.........

User needs ALL of the following taskids:

cisco-support (EXECUTE)

Tasks and user group example

In regular IOS-XR configuration define your task-group with the permissions and tasks you like

RP/0/RSP0/CPU0:A9K-TOP(config)#taskgroup basic-admin
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task read acl
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task read bfd
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task read bgp
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task write acl
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task write bfd
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task write bgp
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task debug bgp

You can also define a user group that imports several task groups:

usergroup noc-staff
taskgroup operator
taskgroup basic-admin
inherit usergroup all-users

Privilege levels

As mentioned, XR doesn't have priv levels, but in order to leverage the existing AAA profiles from TACACS used for IOS based routes, we can create user-groups that are named as the privilege levels:

usergroup priv15

taskgroup root-system

taskgroup cisco-support

Now with tacacs we can send the priv via the options in service-exec:


service = exec {
priv-lvl = 15
}

or via a radius AVP like:

cisco-avpair = "shell:priv-lvl=15"

NOTE: the syntax of "cisco-avpair" and the capitalization is dependent on the dictionary definition for the cisco avp.

Using AAA

For starters you need to point your user authentication to the external source for authentication:

aaa authorization exec default group tacacs+ local
aaa authentication login default group tacacs+ local

when you add the following to your tacacs profile :

TACACS:

service = exec {
task = "rwx:bgp,#operator"
}

RADIUS:

Cisco-AVPair = "shell:tasks=#sysadmin,rwx:bgp,r:ospf"

you'll inherit the read, write and execute permissions to BGP as well as the user will be part of the local operator group definition.

Either this group is part of the standard cisco embedded groups or it can be something that you have defined locally.

the radius profile allows read/write/execute on BGP, read for OSPF and membership to the sysadmin group

By using AAA you can either reference locally defined task groups OR you can define the task groups in the tacacs/radius response packet

or using a combination of both

Group Membership

To find out which groups you are currently member of while being logged in:

RP/0/RSP0/CPU0:A9K-TOP#show user tasks
Wed Mar 30 18:26:00.768 UTC
Task:                  aaa : READ    WRITE    EXECUTE    DEBUG
Task:                  acl : READ    WRITE    EXECUTE    DEBUG
Task:                admin : READ    WRITE    EXECUTE    DEBUG

Command Authorization

In IOS we can do command authorization for each separate priv level. in XR we don't have priv levels hence either command author is enabled for ALL commands or none at all:

RP/0/RSP0/CPU0:A9K-TOP(config)#aaa authorization commands default group ?
WORD server-group name
tacacs+ Use list of all TACACS+ hosts

Note: in order to do command author you must use TACACS, you cannot use radius.

Related Information

n/a

Xander Thuijs - CCIE #6775

Sr Tech Lead ASR9000

xthuijs · ‎09-15-2015

yeah xr doesnt have that concept of rotary groups.

you could as alternative outsource auth to tacacs and local as second method.

if tacacs is unavailable, local will kick in and the local user can be used in taht case.

xander

Atahar Khan · ‎09-15-2015

we are looking to make both TACACS and local work at the same time.

will it work if i change the authentication order local first and then TACACS ?

Garry Peirce · ‎10-16-2015

Xander,

I was curious if you might recall if any action became of this request.

That is, enabling a taskgroup with readonly access to all by default.

thanks,

xthuijs · ‎10-16-2015

Hey Gary, yes we have that now too!!

CSCuj97480 need standard task group with only read permissions for all tasks

I noticed that it didn't have the usability attribute hence was not seen on any of the XR usability updates. But hopefully this response suffices :)

cheers!

xander

Garry Peirce · ‎10-16-2015

ok - the BugID mentions it's in 5.3.3 /6.0 which aren't out yet, correct?

xthuijs · ‎10-16-2015

Oh sorry I forgot to mention that yeah, it is in 533 onwards, and 533 is Jan of 2016.

the eigrp passive default is there also! :)

xander

Garry Peirce · ‎10-16-2015

ok.

re: eigrp default passive, excellent - thanks!

gimaknaime1983 · ‎01-24-2016

Hi Xander,

I have configured tacacs+ aaa on a ASR9010 IOS XR 5.1 and using an external aaa ACS 5.7. Could you show an example of the custom attributes you would configure on ACS 5.7 in.

Policy Elements >

Authorization and Permissions >

Device Administration >

Shell Profiles

When i try to login using username from external server, i get asked to enter username again. Local usernames work however i get the response:

Command authorization failed - 'AAA API' detected the 'fatal' condition 'No method could process the authorisation request'
% Incomplete command.

Am thinking its the configuration on ACS thats not correct thus no request with proper permissions being supplied to IOS-XR device?

Thanks and cheers,

Gima

xthuijs · ‎01-25-2016

hi gima,

could you share with me the full aaa configuration?

also show me what you have for the local username configuration and what you have provisioned in the ACS server for a user currently.

I am suspecting that either the aaa authorization piece is not configured correctly that points to the tacacs server to get author data, OR that the author data received from ACS is not providing the right permission level for this user. e.g. you'd need to send a taskgroup to the user to provide the permission level this user currently has. (example above on how to send the taskgroup:

shell:tasks=#sysadmin

the #<name> provides the taskgroup for the user.

regards!

xander

gimaknaime1983 · ‎01-25-2016

hi Xander,

When i enter a username and password that resides in the ACS, i don't get a '% Authentication failed' rather i get asked again. I hope i don't need a reload.

The asr9k config is below:

RP/0/RSP0/CPU0:ASR9010(config)#do ping vrf mgmt 192.168.100.1
Thu Jan 21 04:46:31.623 PGT
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

RP/0/RSP0/CPU0:ASR9010(config)#tacacs-server host 192.168.100.1
RP/0/RSP0/CPU0:ASR9010(config-tacacs-host)#tacacs-server host 192.168.100.1 timeout 30
RP/0/RSP0/CPU0:ASR9010(config)#tacacs-server host 192.168.100.1 key 7 ******
RP/0/RSP0/CPU0:ASR9010(config)#tacacs-server host 192.168.100.1 single-connection
RP/0/RSP0/CPU0:ASR9010(config)#tacacs source-interface Bundle-Ether100.100 vrf mgmt
RP/0/RSP0/CPU0:ASR9010(config)#commit comment tacacs
Thu Jan 21 04:48:02.114 PGT

RP/0/RSP0/CPU0:ASR9010(config)#do show tacacs
Thu Jan 21 04:54:48.889 PGT
Server: 192.168.100.1/49 opens=0 closes=0 aborts=0 errors=0
        packets in=0 packets out=0
        status=up single-connect=true

RP/0/RSP0/CPU0:ASR9010(admin)#show run | be username
Thu Jan 21 05:05:05.139 PGT
Building configuration...
username rootuser
 group root-system
 group cisco-support
 secret 5 $1$v86Z$ncTSCrYrb0EeIDYogUeOo0

username gknaime
 group root-system
 group cisco-support
 secret 5 $1$5AtJ$ed6VUcp5visT8p1URuIW./

RP/0/RSP0/CPU0:ASR9010(config)#aaa group server tacacs+ ACSGRP
RP/0/RSP0/CPU0:ASR9010(config-sg-tacacs)#server 192.168.100.1
RP/0/RSP0/CPU0:ASR9010(config-sg-tacacs)#commit
Thu Jan 21 05:08:07.123 PGT

RP/0/RSP0/CPU0:ASR9010(config)#aaa authentication login vty-authen group ACSGRP local
RP/0/RSP0/CPU0:ASR9010(config)#aaa authorization  commands vty-author group tacacs+ ACSGRP
RP/0/RSP0/CPU0:ASR9010(config)#aaa accounting commands line-acct start-stop group ACSG$
RP/0/RSP0/CPU0:ASR9010(config)#commit
Thu Jan 21 05:23:24.739 PGT

RP/0/RSP0/CPU0:ASR9010(config)#aaa default-taskgroup root-system
RP/0/RSP0/CPU0:ASR9010(config)#commit
Thu Jan 21 05:25:12.827 PG

RP/0/RSP0/CPU0:ASR9010(config)#line console
RP/0/RSP0/CPU0:ASR9010(config-line)#login authentication vty-authen
RP/0/RSP0/CPU0:ASR9010(config-line)#authorization commands vty-author
RP/0/RSP0/CPU0:ASR9010(config-line)#accounting commands line-acct
RP/0/RSP0/CPU0:ASR9010(config-line)#commit
Thu Jan 21 05:58:54.268 PGT

RP/0/RSP0/CPU0:ASR9010(config)#line default 
RP/0/RSP0/CPU0:ASR9010(config-line)#login authentication vty-authen
RP/0/RSP0/CPU0:ASR9010(config-line)#authorization commands vty-author
RP/0/RSP0/CPU0:ASR9010(config-line)#accounting commands line-acct
RP/0/RSP0/CPU0:ASR9010(config-line)#commit
Thu Jan 21 06:05:25.011 PGT

ON THE ACS 5.7 Shell Profile Custom Attributes see attachments

much appreciated.

gima

xthuijs · ‎01-26-2016

if you get the username/password prompt again, that means that the system can connect to the tacacs server, but it doesnt like the username/password for this service request.

I see 2 things that need to be adjusted:

- aaa authorization exec needs to be added to your config and template.

- the aaa profile for the user needs to add a service=shell attribute.

you can omit the custom attribute, since you are setting a priv level and use the trick from above to convert the priv level to a usergroup.

generally it is a good idea to have a fallback to local just in case the tacacs server is not avaialble. and console access generally is not protected by Tacacs, since if a person is capable of getting physically to the console, I think worse things can happen besides logging in.

cheers

xander

gimaknaime1983 · ‎01-26-2016

thanks xander much appreciated.

feene1 · ‎03-18-2016

We just got an ACS server and I have it connected to one of our XR boxes. I am passing taskIDs from ACS to the router. The correct permissions are applied but all users can enter configuration mode. They cant really do anything but they can still enter that mode. It has me a bit concerned. Is there a way to limit this and still use task IDs?

r:bgp,rx:basic-services,r:cef,r:rib,r:ipv4,r:ipv6,r:logging,r:monitor,r:network,r:interface

xthuijs · ‎03-18-2016

hi feene, entering the config mode is not protected by a task group ID, but any configuration command will require the "w" permission of the task in question.

so while one can enter the command, there is nothing that they can change unless there is w permissions in any of the tasks set for.

if you want to restrict this further, eventhough you dont really have to, you could possibly add command authorization to it to eliminate the configure keyword from that user's permission.

cheers

xander

frank-nrt · ‎04-08-2016

Hi Xander,

Great article, which has served us well under XR4.3.4 - thank you.

We have authentication happening on ACS, with users and task-groups being passed back.

However following upgrade to XR5.3.3 although users are getting put into the root-system user group and have read/write/execute/debug permission on all task groups they can't enter basic commands.

Here's "user1" authenticated by ACS and put into the root-system group -

RP/0/RSP0/CPU0:rtr-01#show user

fliney

RP/0/RSP0/CPU0:rtr-01#show user authentication method

Fri Apr 8 12:24:05.350 UTC

ACS1

RP/0/RSP0/CPU0:rtr-01#show user group

Fri Apr 8 12:25:20.423 UTC

root-system

and he has all the task permissions you'd expect -

RP/0/RSP0/CPU0:rtr-01#show user tasks

Fri Apr 8 12:26:28.051 UTC

Task: aaa : READ WRITE EXECUTE DEBUG

Task: acl : READ WRITE EXECUTE DEBUG

Task: admin : READ WRITE EXECUTE DEBUG

etc

Task: root-lr : READ WRITE EXECUTE DEBUG (reserved)

Task: root-system : READ WRITE EXECUTE DEBUG (reserved)

etc

Task: universal : READ WRITE EXECUTE DEBUG (reserved)

etc

Task: vpdn : READ WRITE EXECUTE DEBUG

Task: vrrp : READ WRITE EXECUTE DEBUG

But user1 can't make basic commands like show version

RP/0/RSP0/CPU0:MALC-AGGR-01# show version

% This command is not authorized

A show run reveals he has access to alias commands only... he can't see commands governed by the other task groups.

RP/0/RSP0/CPU0:rtr-01#show running-config

Fri Apr 8 12:43:57.641 UTC

Building configuration...

!! IOS XR Configuration 5.3.3

!! Last configuration change at Fri Apr 8 12:13:40 2016 by admin

!

alias b show bgp ipv4 unicast

alias r show route

alias bs show bgp sum

alias bv show bgp vpnv4 unicast

alias rb router bgp

alias ri router isis

alias int show ipv4 vrf all interface brief

alias int6 show ipv6 vrf all interface brief

alias config config terminal

end

If we roll back to XR4.3.4 then everything is fine again. All the output above is the same, except the user can use all the commands you'd expect, and can see all of the routers configuration in a show run.

I attached a show run aaa which is unchanged between XR4.3.4 and XR5.3.3.

Any advice would be really welcome.

Thanks,

Frank.