ASR9000/XR Using Task groups and understanding Priv levels and authorization - Page 2

xthuijs · ‎03-30-2011

Introduction

IOS-XR has a very strong embedded mechanism to do user authentication and authorization. While XR does not have the concept of privilege-levels as what IOS had, the embedded user task group management is extremely strong allow for the creation of different task groups.

Tasks

Building blocks for on-box authorization scheme
4 types of permissions per task

Read
Write
Execute
Debug

Tasks
aaa	config-services	hsrp	netflow	sbc
acl	crypto	interface	network	snmp
admin	diag	inventory	ospf	sonet-sdh
atm	disallowed	ip-services	ouni	static
basic-services	drivers	ipv4	pkg-mgmt	sysmgr
bcdl	eigrp	ipv6	pos-dpt	system
bfd	ext-access	isis	ppp	transport
bgp	fabric	logging	qos	tty-access
boot	fault-mgr	lpts	rib	tunnel
bundle	filesystem	monitor	rip	universal
cdp	firewall	mpls-ldp	root-lr	vlan
cef	fr	mpls-static	root-system	vrrp
cisco-support	hdlc	mpls-te	route-map
config-mgmt	host-services	multicast	route-policy

Default task-groups

The following task-groups are predefined in IOS-XR

root-system: Root system users

root-lr: Root logical router users

netadmin: Network administrators

sysadmin: System administrators

operator: Operators performing day-to-day activities

cisco-support: highest level of privilege allowing lowest level access

What task group is needed for what command?

If you are unsure as to what task group and permission level you need in order to allow a certain command, use the "describe" keyword.

Example:

RP/0/RSP0/CPU0:A9K-TOP#describe show bgp summary

.....
User needs ALL of the following taskids:

bgp (READ)

So in order to allow a user to do the command "show bgp summary", we would need to allow the following line in

the task group definition:

task read bgp

It can also be the case that a particular user needs to be member of a particular (pre defined) task group.

such as a Process restart, you can only do when you are member of cisco-support:

RP/0/RSP0/CPU0:A9K-TOP# describe process restart bgp

.........

User needs ALL of the following taskids:

cisco-support (EXECUTE)

Tasks and user group example

In regular IOS-XR configuration define your task-group with the permissions and tasks you like

RP/0/RSP0/CPU0:A9K-TOP(config)#taskgroup basic-admin
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task read acl
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task read bfd
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task read bgp
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task write acl
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task write bfd
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task write bgp
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task debug bgp

You can also define a user group that imports several task groups:

usergroup noc-staff
taskgroup operator
taskgroup basic-admin
inherit usergroup all-users

Privilege levels

As mentioned, XR doesn't have priv levels, but in order to leverage the existing AAA profiles from TACACS used for IOS based routes, we can create user-groups that are named as the privilege levels:

usergroup priv15

taskgroup root-system

taskgroup cisco-support

Now with tacacs we can send the priv via the options in service-exec:


service = exec {
priv-lvl = 15
}

or via a radius AVP like:

cisco-avpair = "shell:priv-lvl=15"

NOTE: the syntax of "cisco-avpair" and the capitalization is dependent on the dictionary definition for the cisco avp.

Using AAA

For starters you need to point your user authentication to the external source for authentication:

aaa authorization exec default group tacacs+ local
aaa authentication login default group tacacs+ local

when you add the following to your tacacs profile :

TACACS:

service = exec {
task = "rwx:bgp,#operator"
}

RADIUS:

Cisco-AVPair = "shell:tasks=#sysadmin,rwx:bgp,r:ospf"

you'll inherit the read, write and execute permissions to BGP as well as the user will be part of the local operator group definition.

Either this group is part of the standard cisco embedded groups or it can be something that you have defined locally.

the radius profile allows read/write/execute on BGP, read for OSPF and membership to the sysadmin group

By using AAA you can either reference locally defined task groups OR you can define the task groups in the tacacs/radius response packet

or using a combination of both

Group Membership

To find out which groups you are currently member of while being logged in:

RP/0/RSP0/CPU0:A9K-TOP#show user tasks
Wed Mar 30 18:26:00.768 UTC
Task:                  aaa : READ    WRITE    EXECUTE    DEBUG
Task:                  acl : READ    WRITE    EXECUTE    DEBUG
Task:                admin : READ    WRITE    EXECUTE    DEBUG

Command Authorization

In IOS we can do command authorization for each separate priv level. in XR we don't have priv levels hence either command author is enabled for ALL commands or none at all:

RP/0/RSP0/CPU0:A9K-TOP(config)#aaa authorization commands default group ?
WORD server-group name
tacacs+ Use list of all TACACS+ hosts

Note: in order to do command author you must use TACACS, you cannot use radius.

Related Information

n/a

Xander Thuijs - CCIE #6775

Sr Tech Lead ASR9000

xthuijs · ‎06-07-2013

To find out which command belongs to what task permissions you can use the "describe" keyword (see example above).

If you want to know what say the standard task-group root-system provides, you can create an account with that permission level and do a "show user tasks", it will spit out all the permissions currently assigned to this user.

As for the show run, that is a tricky one. Basically show run will only display those config sections for which you have the right permission level. For instance if "bfd" is not part of your task group permissions, and you do a show run, then you will see the running, but none of the bfd commands that fall under that permission level will be printed.

regards

xander

Florian Frotzler · ‎06-20-2013

Hi Xander,

How can I map existing IOS priviledge levels (e.g. level 2) to IOS-XR task groups? This is an issue when migrating an IOS platform to IOS-XR...

Regards,

Florian

Florian Frotzler · ‎06-20-2013

Hi Xander,

I found out how to configure privX user groups to map the priviledge levels to IOS-XR task groups. Nevertheless, I was not able to find a task list matrix that corresponds to IOS priviledge levels.

Regards,

Florian

xthuijs · ‎06-20-2013

yeah the document above has an example how to create task groups that convert into priv levels from a naming convention that allows you to use the same priv level attributes from your IOS devices in your tacacs profiles.

In IOS priv 0 and 15 are the key ones and basically the levels 1-14 can be used to move the commands from their existing priv level to a new one.

With that, priv0 is merely an operator/monitor level and 15 is full access, which is the equivalent of a task group priv0 which only has read access to every command (so shows). Priv15 is the equivalent to cisco-support/root-system.

And mind you that cisco-support in 43 is merged now (see asr9k blog for more detail on that merge).

regards

xander

Florian Frotzler · ‎06-21-2013

Thank you for the details on this, so I assume I need to map every IOS command to its IOS-XR task counter part manually as there is no matrix somewhere laying around at Cisco?

xthuijs · ‎06-21-2013

The built in usergroup "operator" may already give you a good start of priv level 0.

The priv 15 equivalent is the cisco-support/root-system.

xander

e.nieuwstad · ‎10-08-2013

hi is there a simple way to grant read access to everyhting so in stead of

service = exec {
task = "r:bgp,r:aaa,r:interface,r:ipv4 etc etc etc etc"
}

i would like to do

service = exec {
task = "r:*"
}

xthuijs · ‎10-08-2013

I see two options for you:

1) define a usergroup in XR that takes those permissions and send that task group down via tacacs so you dont have to split it out int he tacacs profile just a copy paste of the config in XR.

2) use the system defined group of operator which I think is a read only only.

xander

e.nieuwstad · ‎10-08-2013

xander,

I tried to second option

taskgroup priv5

inherit taskgroup operator

and I log in with a user who gets priv5 from the tacacs server I am even not able to do a show int brie.

I would like to keep the configuration as simple as possible and in a central place. It appears this is not possible so I think I'll go with updating the tacacs-server with all the required read permissions.

xthuijs · ‎10-09-2013

yup you can and we're close.

with operator I just see, you have the following permissions:

Task: basic-services : READ WRITE EXECUTE DEBUG

Task: cdp : READ

Task: diag : READ

Task: ext-access : READ EXECUTE

Task: logging : READ

so what you need to do is add the permissions for the task of something like this:

taskgroup test

task read interface

and then under the priv5, inherit in this case the "test" group for example.

keep adding all the read permissions you need under test, which is inherited by priv5 and you're all set.

regards

xander

e.nieuwstad · ‎10-09-2013

Xander I understand the taskgroup concept however I would have liked to have a predefined task-group which has read access to everything. The concept is clear thanks again for your help.

xthuijs · ‎10-09-2013

ah ok sorry. I see your request.

ok for now, the only option we have is what we discussed. meantime I will also file a ddts to create a system defined taskgroup "readonly" or whatever that basically gets every task with readonly by default. that might simplify the config then we were discussing on the previous note.

regards

xander

sarmed alkadumi · ‎06-10-2014

Hi Xander,

Thank you for the document, I have a problem allowing the following command to be executed for a specific user: "show policy-map interface xxx" , when I do "describe show policy-map interface xx" it tells me that qos (Read) is the only task ID I need, adding that into the taskgroup doesn't change anything, I still can't type "show policy-map" when i log in with that user account, is there something I am missing here, our ASR 9K is running version 5.1.0 .

thanks and regards,

Sarmed

xthuijs · ‎06-10-2014

Hi Sarmed, yeah that is a known problem...

This is fixed in 513 and 520, the ddts that described this problem is:

CSCuj44719 4.3.x "show policy-map" requires cisco-support (READ) taskid

xander

Atahar Khan · ‎09-15-2015

aaa authentication login mgmt local
aaa authorization commands 1 mgmt local
aaa authorization exec mgmt local
ip ssh port 2000 rotary 1
username mgmt view mgmt password 7 1511021F0725
parser view mgmt
secret 5 $1$GSuD$6sZiw9tIUMLSN2GckpN8eO
commands exec include all show

I am trying to convert this IOS-XE config into IOS XR but rotary command is not supported in XR.
is there any way to achieve the same goal ?

one user will be locally authenticated and others will get authenticated by TACACS.

line vty 5
session-timeout 30
access-class TELNET in
password 7 0822455D0A16
authorization commands 1 mgmt
authorization exec mgmt
login authentication mgmt
rotary 1
transport input telnet ssh
transport output telnet ssh