xthuijs
Cisco Employee

Introduction

IOS-XR has a very strong embedded mechanism for user authentication and authorization. While XR does not have the concept of privilege levels as IOS had, the embedded user task group management is extremely strong and allows for the creation of different task groups.

Tasks

Tasks are the building blocks of the on-box authorization scheme. Each task has 4 types of permissions:

  • Read
  • Write
  • Execute
  • Debug

The task IDs defined in IOS-XR (alphabetical):

aaa, acl, admin, atm, basic-services, bcdl, bfd, bgp, boot, bundle, cdp, cef,
cisco-support, config-mgmt, config-services, crypto, diag, disallowed, drivers,
eigrp, ext-access, fabric, fault-mgr, filesystem, firewall, fr, hdlc,
host-services, hsrp, interface, inventory, ip-services, ipv4, ipv6, isis,
logging, lpts, monitor, mpls-ldp, mpls-static, mpls-te, multicast, netflow,
network, ospf, ouni, pkg-mgmt, pos-dpt, ppp, qos, rib, rip, root-lr,
root-system, route-map, route-policy, sbc, snmp, sonet-sdh, static, sysmgr,
system, transport, tty-access, tunnel, universal, vlan, vrrp

Default task-groups

The following task-groups are predefined in IOS-XR:

root-system: Root system users

root-lr: Root logical router users

netadmin: Network administrators

sysadmin: System administrators

operator: Operators performing day-to-day activities

cisco-support: highest level of privilege allowing lowest level access

What task group is needed for what command?

If you are unsure as to what task group and permission level you need in order to allow a certain command, use the "describe" keyword.

Example:

RP/0/RSP0/CPU0:A9K-TOP#describe show bgp summary

.....
User needs ALL of the following taskids:

       bgp (READ)

So in order to allow a user to run the command "show bgp summary", we would need the following line in the task group definition:

task read bgp

It can also be the case that a command requires the user to be a member of a particular (predefined) task group. A process restart, for example, can only be done by a member of cisco-support:

RP/0/RSP0/CPU0:A9K-TOP# describe process restart bgp

.........

User needs ALL of the following taskids:

        cisco-support (EXECUTE)

Tasks and user group example

In regular IOS-XR configuration, define your task group with the permissions and tasks you like:

RP/0/RSP0/CPU0:A9K-TOP(config)#taskgroup basic-admin
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task read acl
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task read bfd
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task read bgp
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task write acl
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task write bfd
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task write bgp
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task debug bgp

You can also define a user group that imports several task groups:

usergroup noc-staff
taskgroup operator
taskgroup basic-admin
inherit usergroup all-users
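To make the mechanics above concrete, here is an added Python example (not Cisco code and not part of this article) that parses taskgroup and usergroup definitions in the style shown, resolves a usergroup's effective permissions through "inherit usergroup", and applies the "User needs ALL of the following taskids" rule to the describe output quoted earlier. The all-users and log-readers groups in the sample configuration are assumed; the built-in operator group is referenced but not defined in the sample, so it contributes nothing to the model (on a real box, show task-ids reveals its contents).

```python
"""Model of IOS-XR task-based authorization: taskgroup/usergroup definitions
(including 'inherit usergroup') and the 'describe' rule that a user needs ALL of
the listed taskids with the listed permission. Added example, not Cisco code."""
import re

# Constructed sample in 'show run' style: one-space indent, '!' ends a block.
# basic-admin and noc-staff come from the article; all-users/log-readers are assumed.
SAMPLE_CONFIG = """
taskgroup basic-admin
 task read acl
 task read bfd
 task read bgp
 task write acl
 task write bfd
 task write bgp
 task debug bgp
!
taskgroup log-readers
 task read logging
!
usergroup all-users
 taskgroup log-readers
!
usergroup noc-staff
 taskgroup operator
 taskgroup basic-admin
 inherit usergroup all-users
!
"""

# The relevant lines of the two 'describe' outputs quoted in the article.
DESCRIBE_SHOW_BGP = """User needs ALL of the following taskids:
       bgp (READ)
"""
DESCRIBE_PROCESS_RESTART = """User needs ALL of the following taskids:
        cisco-support (EXECUTE)
"""


def parse_config(text):
    """Return (taskgroups: name -> {(taskid, PERM)}, usergroups: name -> dict)."""
    taskgroups, usergroups, ctx = {}, {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            ctx = None                      # end of the current block
            continue
        key = words[0]
        if key == "usergroup":
            ctx = ("ug", words[1])
            usergroups.setdefault(words[1], {"taskgroups": [], "inherits": []})
        elif key == "taskgroup" and ctx and ctx[0] == "ug":
            usergroups[ctx[1]]["taskgroups"].append(words[1])   # membership line
        elif key == "taskgroup":
            ctx = ("tg", words[1])                              # new taskgroup block
            taskgroups.setdefault(words[1], set())
        elif key == "inherit" and ctx and ctx[0] == "ug" and words[1:2] == ["usergroup"]:
            usergroups[ctx[1]]["inherits"].append(words[2])
        elif key == "task" and ctx and ctx[0] == "tg" and len(words) == 3:
            taskgroups[ctx[1]].add((words[2], words[1].upper()))  # (taskid, PERM)
        else:
            raise ValueError(f"unexpected config line: {raw!r}")
    return taskgroups, usergroups


def usergroup_perms(name, config, seen=None):
    """Effective (taskid, PERM) set of a usergroup; unknown taskgroups add nothing."""
    taskgroups, usergroups = config
    seen = set() if seen is None else seen
    if name in seen or name not in usergroups:   # loop guard / undefined group
        return set()
    seen.add(name)
    perms = set()
    for tg in usergroups[name]["taskgroups"]:
        perms |= taskgroups.get(tg, set())
    for ug in usergroups[name]["inherits"]:
        perms |= usergroup_perms(ug, config, seen)
    return perms


def parse_describe(output):
    """Extract the (taskid, PERM) pairs a command needs from 'describe' output."""
    pattern = r"^\s*([\w-]+)\s+\((READ|WRITE|EXECUTE|DEBUG)\)\s*$"
    return set(re.findall(pattern, output, re.M))


def authorized(usergroup, config, describe_output):
    """Apply the ALL rule: (True, set()) when every pair is held, else (False, missing)."""
    missing = parse_describe(describe_output) - usergroup_perms(usergroup, config)
    return not missing, missing


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for cmd, out in (("show bgp summary", DESCRIBE_SHOW_BGP),
                     ("process restart bgp", DESCRIBE_PROCESS_RESTART)):
        ok, missing = authorized("noc-staff", cfg, out)
        print(f"noc-staff / {cmd}: {'allowed' if ok else 'denied, missing ' + str(sorted(missing))}")
```

Running it shows noc-staff allowed for "show bgp summary" (bgp READ comes from basic-admin) and denied for "process restart bgp", because no group in the sample grants cisco-support EXECUTE.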

Privilege levels

As mentioned, XR doesn't have privilege levels, but in order to leverage the existing AAA profiles from TACACS+ used for IOS based routers, we can create user groups that are named after the privilege levels:

usergroup priv15

taskgroup root-system

taskgroup cisco-support

Now with TACACS+ we can send the privilege level via the priv-lvl attribute of the exec service:

service = exec { priv-lvl = 15 }

or via a radius AVP like:

cisco-avpair = "shell:priv-lvl=15"

NOTE: the syntax of "cisco-avpair" and the capitalization is dependent on the dictionary definition for the cisco avp.

Using AAA

For starters you need to point login authentication and exec authorization at the external server, with the local user database as fallback:

aaa authorization exec default group tacacs+ local
aaa authentication login default group tacacs+ local

When you add the following to your TACACS+ profile:

TACACS:

service = exec {
task = "rwx:bgp,#operator"
}

or to your RADIUS profile:

RADIUS:

Cisco-AVPair = "shell:tasks=#sysadmin,rwx:bgp,r:ospf"

the TACACS+ profile gives the user read, write and execute permissions on BGP and also makes the user a member of the local operator group definition. That group can be one of the standard Cisco embedded groups or one that you have defined locally.

The RADIUS profile allows read/write/execute on BGP, read on OSPF, and membership of the sysadmin group.

So with AAA you can reference locally defined task groups, define the task permissions directly in the TACACS+/RADIUS response packet, or use a combination of both.
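As an added example (not Cisco code and not part of this article), the following Python parses the task attribute from either the TACACS+ or the RADIUS form above into group references and per-task permissions, then merges it with locally defined task groups so you can see what a given server reply would actually allow. The local group contents are constructed for the example, and the "d" letter for debug is assumed from the four permission types listed earlier; the article itself only shows r, w and x.

```python
"""Parse the task attribute an AAA server returns to IOS-XR (TACACS+ task = "..."
inside service = exec, or the RADIUS Cisco-AVPair shell:tasks=...) into group
references and per-task permissions, then merge with local task groups.
Added example, not Cisco code; 'd' for DEBUG is assumed."""

PERM_LETTERS = {"r": "READ", "w": "WRITE", "x": "EXECUTE", "d": "DEBUG"}

# Constructed stand-in for task groups defined on the router. basic-admin mirrors
# the article's definition; 'operator' here is a small sample, not the real
# built-in group's contents.
LOCAL_TASKGROUPS = {
    "basic-admin": {("acl", "READ"), ("acl", "WRITE"), ("bfd", "READ"), ("bfd", "WRITE"),
                    ("bgp", "READ"), ("bgp", "WRITE"), ("bgp", "DEBUG")},
    "operator": {("interface", "READ"), ("logging", "READ")},
}


def parse_tasks_attribute(value):
    """Return (groups, grants) from a task attribute value.

    Items are comma separated: '#name' references a group defined on the router,
    'rwxd:taskid' grants the listed permission letters on one task. Accepts the
    bare (quoted or unquoted) TACACS+ value or the RADIUS 'shell:tasks=' form.
    """
    value = value.strip().strip('"')
    if value.startswith("shell:tasks="):
        value = value[len("shell:tasks="):]
    groups, grants = [], set()
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if item.startswith("#"):
            groups.append(item[1:])
            continue
        letters, sep, task = item.partition(":")
        if not sep or not task or not letters:
            raise ValueError(f"malformed task item: {item!r}")
        for ch in letters:
            if ch not in PERM_LETTERS:
                raise ValueError(f"unknown permission letter {ch!r} in {item!r}")
            grants.add((task, PERM_LETTERS[ch]))
    return groups, grants


def effective_perms(attribute, local_groups):
    """Merge the server reply with referenced local groups; report unknown names."""
    groups, grants = parse_tasks_attribute(attribute)
    unknown = [g for g in groups if g not in local_groups]
    perms = set(grants)
    for g in groups:
        perms |= local_groups.get(g, set())
    return perms, unknown


def allows(perms, taskid, perm):
    """True if the effective set covers one (taskid, PERM) requirement from 'describe'."""
    return (taskid, perm.upper()) in perms


if __name__ == "__main__":
    for attr in ('"rwx:bgp,#operator"', "shell:tasks=#sysadmin,rwx:bgp,r:ospf"):
        perms, unknown = effective_perms(attr, LOCAL_TASKGROUPS)
        print(attr, "->", sorted(perms), "| groups not defined locally:", unknown)
```

A group name the reply references but the router does not know (sysadmin in the constructed sample) is reported rather than silently ignored; on a real box that is exactly the case where a user ends up with fewer rights than the AAA administrator expected.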

Group Membership

To find out which groups you are currently member of while being logged in:

RP/0/RSP0/CPU0:A9K-TOP#show user tasks
Wed Mar 30 18:26:00.768 UTC
Task:                  aaa  : READ    WRITE    EXECUTE    DEBUG
Task:                  acl  : READ    WRITE    EXECUTE    DEBUG
Task:                admin  : READ    WRITE    EXECUTE    DEBUG

Command Authorization

In IOS we can do command authorization per privilege level. In XR there are no privilege levels, hence command authorization is either enabled for ALL commands or for none at all:

RP/0/RSP0/CPU0:A9K-TOP(config)#aaa authorization commands default group ?
  WORD     server-group name
  tacacs+  Use list of all TACACS+ hosts

Note: in order to do command authorization you must use TACACS+; you cannot use RADIUS.


Related Information

n/a

Xander Thuijs - CCIE #6775

Sr Tech Lead ASR9000

Comments
xthuijs
Cisco Employee

hi frank,

hmm your config looks correct! I am thinking that possibly the acs command author is not going correctly or the authorization/task group assignment is not doing things right.

I am in between here between authorization of the session vs command authorization because

the show run would still have listed the full config despite command author with this task group setting, though individual commands are showing author issues thrown by AAA/ACS.

could you possibly get a debug tacacs and debug aaa author/authen to see which one is throwing us off? that will help also identifying a possible mitigation.

regardless I am fearing we are hitting a bug that needs more investigation.

Another good test would be to eliminate the aaa author commands to see if that alleviates the situation which would be a good proof of issue also.

cheers

xander

frank-nrt
Community Member

Hi Xander,

Thanks for such a quick response!

We put the following debug on,

debug tacacs

debug tacacs conf

debug tacacs authen

debug tacacs author

debug tacacs detail

debug tacacs io

debug locald
debug locald authen

debug locald author

Then made an SSH connection and did -

show user (works)

show run (works)

show bgp (fails authorization)

show version (fails authorization)

show user all (works)

I've attached the output and the debug.

You can see that for the user is still in the right group and has the right task permissions.

In the debug you can see that for the commands which work the router sends an authorization request to locald and to tacacsd, and gets a response from ACS.

For the commands that fail a request is never made to locald or to tacacsd. The authorization fail is made locally.

we tried debug aaa author/authen and didn't get any output which was helpful.

Thanks again.

Frank.

Arjun Dabol
Level 1

Thanks for the great article. We recently deployed an ASR9K with 5.3.3 and it comes with default cisco/cisco credentials; how can we change the password?

Also we need to create a username/passwd for customer for monitoring purpose (like monitoring links/snmp access etc) what group they should be part of.

Eddie Chami
Cisco Employee

Arjun,

Did you receive an ASR9K with default user/pass? If so there must have been an error somewhere, the boxes should ship without any password. To change this or view it:

1) login

2) Type "admin"

3) show run to view the user and the groups they belong to.

4) Edit the user/pass, or create a new one by config t

5) give the user full root-system, cisco-support access, so they can have all rights to get around the system. Or one of the other default task groups as seen in the document; if you don't want that, you can create your own task group for this user, but that's old school stuff, today operators want to be quick and creative, if you limit their access they get less creative.

Regards

Eddie.

Arjun Dabol
Level 1

thanks eddie, i will check that once i visit the site.

other doubt was : I have to give them an ID / passwd just for monitoring purpose mainly for their NOC

(link,interface monitoring etc) so i am planning to give them 'operator' access with below command. is that correct ?

(config)#username abcd group operator
(config)#username abcd password abcd

but I see these 'operator' user can get in to conf t   mode, any way to restrict them doing so.

Eddie Chami
Cisco Employee

You can do that two ways:

aaa command authorization 

or create your custom groups with read only access.

Eddie.

xthuijs
Cisco Employee

to add a quick tip, in XR533, via CSCuj97480 there is a readonly task group also for all basic services that you can leverage: read-only-tg is the group name for that.

cheers

xander

egguitar1985
Community Member

Thanks for your info.

However there is some problem,

As the command "admin show platform" needs a root-system (READ)

RP/0/RSP0/CPU0:ASR-1(admin)#describe show platform

...
User needs ALL of the following taskids:

root-system (READ)

...

A root-lr taskgroup also has too many write/execute/debug tasks that I can't set for users.

How can I config a user with a root-system read task, but not with write/execute/debug?

Hi Xander,

If you want to know what say the standard task-group root-system provides, you can create an account with that permission level and do a "show user tasks", it will spit out all the permissions currently assigned to this user.

So there isn't any command or any document that describes the tasks permitted to the built-in taskgroups?

  cisco-support       Technical support group
  maintenance         SCAPA maintenance group
  netadmin            Network administrators group
  operator            Operator group
  provisioning        SCAPA provisioning group
  retrieve            SCAPA retrieve group
  root-lr             Root LR group
  root-system         Root system group
  serviceadmin        Service administrators group
  sysadmin            System administrators group

It would be very helpful.

Cheers,

Dimitris

xthuijs
Cisco Employee

hi dimitris,

a command may have a particular task and a permission level. for instance task bgp, permission write (eg to config bgp).

In addition to that, a command may require a particular taskgroup permission, e.g. it needs to be root-system. root-system gives rwx to all tasks.

I see what you're saying though, a list of what the tasks/permission levels are for these commands.

let me see if this can be done easily.

xander

I am not sure if we are saying the same thing, so please let me give you an example.

I want to add a user who can execute some specific commands in the device. This user will belong to the usergroup USERGROUP-01.

I have found the relevant task ids needed for these commands, using the "describe" command.

I want to create a custom taskgroup (lets say TASKGROUP-01) and inherit the correct built-in taskgroups and add some extra tasks if needed, in order to import it to USERGROUP-01.

In order to select which built-in to use, I need to know which task ids are permitted under each of the built-in taskgroups.

This can be done either by creating a user and testing all the taskgroups one by one using the "sh user tasks" command (as you suggested) or by finding the information directly:

  • by reading a relevant document
  • by executing a command like "show task-ids taskgroup <taskgroup name>", e.g.
    • show task-ids taskgroup operator (built-in taskgroup)
      • RP/0/RSP0/CPU0:IOS-XR-ROUTER#show task-ids taskgroup operator
        taskgroup operator has the following Task ID(s):
        Task:                  acl  : READ
        Task:       basic-services  : READ    WRITE    EXECUTE    DEBUG
        Task:                  bgp  : READ
        Task:                  cdp  : READ
        Task:      config-services  : READ
        Task:                 diag  : READ
        Task:           ext-access  : READ             EXECUTE
        Task:            interface  : READ
        Task:              logging  : READ
        Task:              network  : READ             EXECUTE
        Task:                 ospf  : READ
        Task:                  qos  : READ
        Task:                  rib  : READ
        Task:               system  : READ
    • show task-ids taskgroup TASKGROUP-01 (custom taskgroup)

Hope my need is clear now :)

xthuijs
Cisco Employee

ah thanks dimitris, I think we were saying the same thing, but I realize I put it somewhat vaguely.

basically a command that shows which permissions someone would have when belonging to a taskgroup, whether it be built in or custom made (or combo of both).

ok let me go check.

xander

amin.amor
Level 1

Hi,

I'm trying to configure the aaa tacacs for the ASR9K. I was expecting to use the predefined:

taskgroup operator

In order to do all the show commands and debug. But the operator task group does not allow me to run the show command for BGP/OSPF/ETC.

I can create new taskgroup adding long lists of tasks.

Do you know any other workaround that allow me to do all show command? (without creating a long task list)

What is the real meaning of this command:

aaa default-taskgroup root-system

Merci

xthuijs
Cisco Employee

hi amin,

yeah yeah good news on that, we have a readonly predefined taskgroup now!

RP/0/RP1/CPU0:ASR9922(config)#usergroup BLA

RP/0/RP1/CPU0:ASR9922(config-ug)#taskgroup ?

  read-only-tg   Read only group <<<

this was added in xr53 though.

cheers

xander

ciscoexplorer
Level 1

On iosxr

sergroup readonly taskgroup ?
cisco-support Technical support group
maintenance SCAPA maintenance group
netadmin Network administrators group
operator Operator group
provisioning SCAPA provisioning group
read-only-tg Read only group   -------> this task group matches my requirement

I have this task group with name read-only-tg which is readonly. From my experiments in tacacs we could only return a usergroup from tacacs

username test123 group ?  --------> not finding any usergroup which matches permission of read-only-tg 
WORD Name of the user group
cisco-support Cisco support personnel
maintenance SCAPA maintenance group
netadmin Network administrators group
operator Operator group
provisioning SCAPA provisioning group
retrieve SCAPA retrieve group
root-lr Root LR group
serviceadmin Service administrators group
sysadmin System administrators group

I am not seeing any default usergroup which have readonly permission for all show commands. Is there a way to return taskgroup read-only-tg  from tacacs directly?

Or is there a built-in usergroup which have only read only access to all commands?
