cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
71705
Views
15
Helpful
69
Comments
xthuijs
Cisco Employee
Cisco Employee

Introduction

IOS-XR has a very strong embedded mechanism to do user authentication and authorization. While XR does not have the concept of privilege-levels as what IOS had, the embedded user task group management is extremely strong allow for the creation of different task groups.

Tasks

Building blocks for on-box authorization scheme
4 types of permissions per task

  • Read
  • Write
  • Execute
  • Debug

Tasks

aaa

config-services

hsrp

netflow

sbc

acl

crypto

interface

network

snmp

admin

diag

inventory

ospf

sonet-sdh

atm

disallowed

ip-services

ouni

static

basic-services

drivers

ipv4

pkg-mgmt

sysmgr

bcdl

eigrp

ipv6

pos-dpt

system

bfd

ext-access

isis

ppp

transport

bgp

fabric

logging

qos

tty-access

boot

fault-mgr

lpts

rib

tunnel

bundle

filesystem

monitor

rip

universal

cdp

firewall

mpls-ldp

root-lr

vlan

cef

fr

mpls-static

root-system

vrrp

cisco-support

hdlc

mpls-te

route-map

config-mgmt

host-services

multicast

route-policy

Default task-groups

The following task-groups are predefined in IOS-XR

root-system: Root system users

root-lr: Root logical router users

netadmin: Network administrators

sysadmin: System administrators

operator: Operators performing day-to-day activities

cisco-support: highest level of privilege allowing lowest level access

What task group is needed for what command?

If you are unsure as to what task group and permission level you need in order to allow a certain command, use the "describe" keyword.

Example:

RP/0/RSP0/CPU0:A9K-TOP#describe show bgp summary

.....
User needs ALL of the following taskids:

       bgp (READ)

So in order to allow a user to do the command "show bgp summary", we would need to allow the following line in

the task group definition:

task read bgp

It can also be the case that a particular user needs to be member of a particular (pre defined) task group.

such as a Process restart, you can only do when you are member of cisco-support:

RP/0/RSP0/CPU0:A9K-TOP# describe process restart bgp

.........

User needs ALL of the following taskids:

        cisco-support (EXECUTE)

Tasks and user group example

In regular IOS-XR configuration define your task-group with the permissions and tasks you like

RP/0/RSP0/CPU0:A9K-TOP(config)#taskgroup basic-admin
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task read acl
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task read bfd
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task read bgp
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task write acl
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task write bfd
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task write bgp
RP/0/RSP0/CPU0:A9K-TOP(config-tg)# task debug bgp

You can also define a user group that imports several task groups:

usergroup noc-staff
taskgroup operator
taskgroup basic-admin
inherit usergroup all-users

Privilege levels

As mentioned, XR doesn't have priv levels, but in order to leverage the existing AAA profiles from TACACS used for IOS based routes, we can create user-groups that are named as the privilege levels:

usergroup priv15

taskgroup root-system

taskgroup cisco-support

Now with tacacs we can send the priv via the options in service-exec:


service = exec { priv-lvl = 15 }

or via a radius AVP like:

cisco-avpair = "shell:priv-lvl=15"

NOTE: the syntax of "cisco-avpair" and the capitalization is dependent on the dictionary definition for the cisco avp.

Using AAA

For starters you need to point your user authentication to the external source for authentication:

aaa authorization exec default group tacacs+ local
aaa authentication login default group tacacs+ local

when you add the following to your tacacs profile :

TACACS:

service = exec {
task = "rwx:bgp,#operator"
}

RADIUS:

Cisco-AVPair = "shell:tasks=#sysadmin,rwx:bgp,r:ospf"

you'll inherit the read, write and execute permissions to BGP as well as the user will be part of the local operator group definition.

Either this group is part of the standard cisco embedded groups or it can be something that you have defined locally.

the radius profile allows read/write/execute on BGP, read for OSPF and membership to the sysadmin group

By using AAA you can either reference locally defined task groups OR you can define the task groups in the tacacs/radius response packet

or using a combination of both

Group Membership

To find out which groups you are currently member of while being logged in:

RP/0/RSP0/CPU0:A9K-TOP#show user tasks
Wed Mar 30 18:26:00.768 UTC
Task:                  aaa  : READ    WRITE    EXECUTE    DEBUG
Task:                  acl  : READ    WRITE    EXECUTE    DEBUG
Task:                admin  : READ    WRITE    EXECUTE    DEBUG

Command Authorization

In IOS we can do command authorization for each separate priv level. in XR we don't have priv levels hence either command author is enabled for ALL commands or none at all:

RP/0/RSP0/CPU0:A9K-TOP(config)#aaa authorization commands default group ?
  WORD     server-group name
  tacacs+  Use list of all TACACS+ hosts

Note: in order to do command author you must use TACACS, you cannot use radius.


Related Information

n/a

Xander Thuijs - CCIE #6775

Sr Tech Lead ASR9000

Comments
ciscoexplorer
Level 1
Level 1

https://www.cisco.com/c/en/us/td/docs/ios_xr_sw/iosxr_r3-2/security/configuration/guide/sc_c32/sc32aaa.pdf

 

• sysadmin: Has the ability to control and monitor all system parameters but cannot configure network protocols.

 

Trying this

ciscoexplorer
Level 1
Level 1

Above group have some write permissions :(

Kice Andonovski
Level 1
Level 1
Hi, I use radius as a protocol for AAA (Cisco Access Registrar) and so far users authorized via radius did not have any issues with privilege level on IOS XR and IOS without usage of cisco-avpairs. But now I have new NX OS devices in the network and those devices consider radius as unsafe protocol and by default do not give privileges for users to type commands. In order to receive privileges, by configuration guide, I need to use following cisco-avpair: "shell:roles*\"network-operator vdc-admin\"" As it is said this format should be used, so that devices which do not recognize this avpair will ignore it. But, for some reason IOS XR does not ignore it. With usage of this cisco-avpair, IOS and NX OS devices have necessary privileges, but IOS XR devices proclaim authentication failed and do not allow access to the device. I was considering using following command on IOS XR devices: “radius-server vsa attr ignore unknown”, but I am not sure how it will affect devices. Especially taking into consideration that some of ASR9K devices should be used for BNG and radius protocol will be used for BNG client authentication, not just for device administration. So, what is the right cisco-avpair syntax that should help IOS XR devices, not just NX OS and IOS devices to be able to authenticate and receive the right privileges for administration of devices? Thank you and best regards, Kice
Arie --
Level 1
Level 1

Hi Xander,

 

Great topic! 

My quick question, can I make all tasks to read permission?

But I don't want to define any new user group or task group in the router.

I use Cisco ISE (with device administration) to authenticate and authorize user login into router.

I use TACACS+ protocol.

I tried to define task=r:acl,r:aaa,r:admin, (define all tasks with 'r' permission) on Cisco ISE as AAA server but when I login, it said no taskid available.

My goal is, read-only user able to do any show commands, include show run but they are not able to do any configuration

 

Thank you in advance

what is equivalent for the user groups and task groups at Nexus 3k ?

 

how to apply those at Nexus ?

 

 

How I can deny the command "no router static" but allow the commands inside of router static//address-family ipv4/ipv6??

Ginkgo
Level 1
Level 1

Hi Xander

 

I have a doubt. Has you changed the task id from 5.3.3 to 6.4.2 version?. I mean, we have an user in version 5.3.3 who can issue the command show bgp sessions | i Established | utility wc -l, 

 

RP/0/RSP0/CPU0:XXXXX#describe utility wc
Package:
iosxr-infra
iosxr-infra V5.3.3[Default] IOS-XR Infra Package Definition
Vendor : Cisco Systems

 

User needs ALL of the following taskids:

basic-services (EXECUTE)

 

I tried to configure the same user in 6.4.2, but I haven't permission to issue this command

 

RP/0/RSP1/CPU0:XXXXX# show bgp sessions | i Established | utility wc -l
% This command is not authorized

And with other user (root-system) i saw that

 

RP/0/RSP1/CPU0:XXXXX#describe utility wc
Package:
iosxr-infra
iosxr-infra V6.4.2[Default] IOS-XR Infra Package Definition

 

User needs ALL of the following taskids:

basic-services (EXECUTE)
root-lr (EXECUTE)

 

Is necesary to have root-lr to issue "utiltiy"??. Is there any way to issue the command without being root-system?

 

Thanks

Hi Xander,

 

Can You help me out clarify if Radius authentication for SSH access to OOB (MGMT) interface in VRF on ASR9k is supported? Same MGMT interface is used to source Radius packets.

Everything works fine if MGMT interface is not in VRF instance, but after adding VRF it stops working (source IP address is virtual address used by RSPs).

From traces on Radius server I can see that only IOS XR test Radius Access-request and Acounting-Request messages are correctly sent to Radius server. Radius messages contain correct Radius AVP's.

When trying to SSH to ASR, in debug radius output it looks like IOS XR is having trouble fetching attributes (NAS IP, ...) and throws this log:

Failed to send the request to radiusserver :'RADIUS' detected the 'fatal' condition 'No server information is available'

 

It would help me a lot if You can help me out with this.

 

Thank You!

 

BR,

Vladimir

 

 

Eugene_dn
Level 1
Level 1

Hello,

Disclaimer: Following text concerns EOL hardware and software, but I have no possibility to test it on more up-to-date router and I don't know if it's fixed in later versions.

When using unprivileged account on ASR9001 running 32-bit 6.9.2 I've met next problems:

  1. The command "show subscriber running-config interface name BE2.1300.ip39899" can be run only by members of root-system group. I've tried to add all permissions for all tasks to non-root user without success.
  2. One can lose all management access to the router using command-line completion (Tab key) with the command "show operational Subscriber Session" on the router with several thousands subscribers.

The communication with router was lost at this point:

show operational Subscriber Session NodeTable Node/NodeName/Rack=0;Slot=RSP0;Instance=CPU0 SrgRoleTable SrgRole/srg=SRGNone SrgSessionTable 

I just pressed Tab after SrgSessionTable and oops! No more access to the router with SSH, Telnet, not even with Serial console.

The router works, accepts new subscriber sessions, just no management access.

After about 8 hrs there was still no management access so I had to powercycle the router in service window time.

Not the thing one would want for unprivileged account.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links