02-20-2014 03:16 AM
Hi,
I've configured two Cisco ASR 9006s running IOS XR 4.3.0 with AAA. I have a problem with the authorization statement.
I need to distinguish two groups.
I cannot find anything clear in the documentation. Can you help me?
Below is the current configuration (without authorization):
tacacs source-interface Loopback0 vrf default
tacacs-server host 10.10.10.1 port 49
!
tacacs-server key 7 XXXXXXXXXX
tacacs-server timeout 10
username emergency
 group netadmin
 password 7 XXXXXXXXXXXXXXX
!
aaa accounting exec default start-stop group ACS
aaa accounting system default start-stop group ACS
aaa group server tacacs+ ACS
 server 10.10.10.1
!
aaa authentication login default group ACS local
I have configured two Shell Command Authorization Sets in my ACS: one for read-only and one for full access.
The read-only group (called AccessoSolaLettura) is in the attached PNG called asr_1.PNG.
The full-access group (called AccessCompleto) is in the attached PNG called asr_2.PNG.
I associated these Shell Command Authorization Sets with two user groups (Network Administrator and Network Viewer).
The first one has level 15 and the second one level 7 (attached files ACS_1.png and ACS_2.png).
Can you tell me if the ACS configuration is right and which configuration is needed on the ASR?
The ACS release is 4.2(0) Build 124.
Thanks
Leonardo
02-20-2014 10:23 AM
Hi Leonardo,
In XR we have the concept of tasks and taskgroups for determining what a user can do, and we recommend using this. For tasks we have the read/write/execute/debug permissions.
For instance, to run 'show bgp summary' we need the read permission on the task BGP. Instead of assigning individual permissions per user, we can create a taskgroup and the user can inherit everything from that taskgroup.
So, for instance, we can add read BGP, read OSPF and read system to the taskgroup test. We can then have the user inherit the taskgroup test and get all the permissions that taskgroup has. We can inherit multiple tasks and taskgroups.
In addition we have some predefined taskgroups (for the full-access user you will want the cisco-support and root-system taskgroups).
You can find some more information in the following posts
https://supportforums.cisco.com/docs/DOC-15944
HTH,
Sam
02-21-2014 01:00 AM
OK, it is not 100% clear.
I've added this statement on the ASR:
taskgroup NetworkViewer
 task read acl
 task read bgp
 task read basic-services
!
usergroup NetworkViewer
 taskgroup NetworkViewer
!
but I didn't understand what I have to do on the ACS :-(
02-24-2014 09:22 AM
Hi,
We can reference the usergroups defined on the ASR9K (such as NetworkViewer), or we can define the tasks in TACACS+, or thirdly use both.
Here is an example of doing both, where we reference the operator usergroup on the 9K and give additional tasks. To give a user named user1 BGP read, write and execute permissions and include user1 in the usergroup named operator, the username entry in the external server's TACACS+ configuration file would look similar to the following:
user = user1 {
    member = some-tac-server-group
    opap = cleartext "lab"
    service = exec {
        task = "rwx:bgp,#operator"
    }
}
Just as a note, in case it helps, if you were using RADIUS this would look similar to this:
Cisco-AVPair = "shell:tasks=#operator,rwx:bgp"
HTH,
Sam
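The task attribute Sam shows is a small grammar: comma-separated items, each either `perms:taskid` (perms drawn from r, w, x, d) or `#usergroup` naming a usergroup that already exists on the router. The following script is an added example, not code from the thread or from Cisco: it builds that attribute for the TACACS+ `task = "..."` line and for the RADIUS `shell:tasks=` AV pair, parses one back to check what the server would actually hand out, and rejects permission letters XR does not define. The `tacacs_user_stanza` renderer mirrors the tac_plus-style block above; the group name `some-tac-server-group` is taken from that example and is otherwise arbitrary.

```python
"""Build and sanity-check the IOS XR task attribute returned by an external AAA
server (TACACS+ 'task = "..."' or RADIUS 'shell:tasks=...').

Added example, not from the thread.  Assumes the grammar shown in the reply above:
items separated by commas, each 'perms:taskid' with perms from r/w/x/d, or
'#usergroup' referring to a usergroup configured on the router.
"""
import re

PERM_LETTERS = "rwxd"  # read, write, execute, debug
_TASK_ITEM = re.compile(r"^([rwxd]+):([A-Za-z0-9_-]+)$")
_GROUP_ITEM = re.compile(r"^#([A-Za-z0-9_-]+)$")


def build_tasks_attr(tasks, usergroups=()):
    """tasks: {task_id: perms}, e.g. {"bgp": "rwx"}; usergroups: router usergroup names."""
    items = []
    for task_id, perms in tasks.items():
        bad = set(perms) - set(PERM_LETTERS)
        if bad or not perms:
            raise ValueError(f"bad permission letters for {task_id}: {perms!r}")
        # canonical r,w,x,d order so that equal grants compare equal
        canon = "".join(p for p in PERM_LETTERS if p in perms)
        items.append(f"{canon}:{task_id}")
    items.extend(f"#{g}" for g in usergroups)
    return ",".join(items)


def parse_tasks_attr(attr):
    """Inverse of build_tasks_attr: returns (tasks_dict, usergroup_list)."""
    tasks, groups = {}, []
    for item in attr.split(","):
        item = item.strip()
        if m := _TASK_ITEM.match(item):
            tasks[m.group(2)] = m.group(1)
        elif m := _GROUP_ITEM.match(item):
            groups.append(m.group(1))
        else:
            raise ValueError(f"unparseable task item: {item!r}")
    return tasks, groups


def tacacs_user_stanza(username, tasks, usergroups=(), group="some-tac-server-group"):
    """Render a tac_plus-style user block in the shape used in the reply above."""
    attr = build_tasks_attr(tasks, usergroups)
    return (f"user = {username} {{\n"
            f"    member = {group}\n"
            f"    service = exec {{\n"
            f"        task = \"{attr}\"\n"
            f"    }}\n"
            f"}}")


def radius_avpair(tasks, usergroups=()):
    """Same grant expressed as the RADIUS Cisco-AVPair."""
    return f'Cisco-AVPair = "shell:tasks={build_tasks_attr(tasks, usergroups)}"'


if __name__ == "__main__":
    # the thread's example: BGP rwx plus membership in the router's 'operator' group
    print(tacacs_user_stanza("user1", {"bgp": "rwx"}, ["operator"]))
    print(radius_avpair({"bgp": "rwx"}, ["operator"]))
    # a viewer profile that references only the router-side NetworkViewer usergroup
    print(radius_avpair({}, ["NetworkViewer"]))
```

Referencing a router-side usergroup (`#NetworkViewer`) keeps the server-side attribute short, which matters when the ACS custom attribute field has limited room; the task list then lives on the router and can be reviewed there.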
02-25-2014 01:48 AM
Thanks a lot for your answer. I understand now what you told me.
But in my case I need to give READ access for all commands to users in a specified group. I'm not able to do this. With the predefined groups I don't have this option, and my customer doesn't want all the taskgroups in the ASR configuration. On the ACS there is also a limited number of tasks that I can write in the custom attributes.
Can you help me?
02-25-2014 05:26 AM
While it will increase the length of the running-config, the best option is to set all tasks as read in the ASR9K taskgroup, plus execute for the basic-services task (which gives you ping and traceroute), and then apply this in ACS.
HTH,
Sam
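Sam's suggestion (one `task read` line per task ID, plus `task execute basic-services`) is mechanical, so it is worth generating rather than typing, and worth auditing afterwards so that nothing beyond read slips into the viewer group. The script below is an added example, not code from the thread or from Cisco. It takes the task IDs the router itself reports with `show task supported`, emits the taskgroup/usergroup pair in the same shape as Leonardo's NetworkViewer config above, and includes a small audit that flags any write/execute/debug grant a read-only group should not contain. The sample task list embedded here is constructed and deliberately short (on a real ASR 9000 the output is much longer); only acl, bgp, basic-services, cisco-support and root-system are task IDs named in the thread, the others are illustrative.

```python
"""Generate and audit a read-only IOS XR taskgroup from the router's own task list.

Added example, not from the thread.  SAMPLE_SHOW_TASK_SUPPORTED is a constructed
stand-in for the output of 'show task supported' on the ASR9K; paste the real
output in its place.  Task IDs not mentioned in the thread are illustrative.
"""
import re

# constructed sample; the real list is far longer
SAMPLE_SHOW_TASK_SUPPORTED = """\
aaa
acl
basic-services
bgp
cisco-support
isis
ospf
root-system
"""

# full-access taskgroups named earlier in the thread; never part of a viewer group
EXCLUDE_FROM_VIEWER = {"root-system", "cisco-support"}

# execute on basic-services gives ping/traceroute (per the reply above)
EXECUTE_TASKS = {"basic-services"}

_TASK_LINE = re.compile(r"^\s*task\s+(read|write|execute|debug)\s+(\S+)\s*$")


def parse_task_ids(text):
    """One task ID per line, as 'show task supported' prints them."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def viewer_taskgroup(task_ids, name="NetworkViewer",
                     exclude=EXCLUDE_FROM_VIEWER, execute=EXECUTE_TASKS):
    """Return the config lines for a read-everything taskgroup and its usergroup."""
    lines = [f"taskgroup {name}"]
    for task in sorted(task_ids):
        if task in exclude:
            continue
        lines.append(f" task read {task}")
        if task in execute:
            lines.append(f" task execute {task}")
    lines += ["!", f"usergroup {name}", f" taskgroup {name}", "!"]
    return lines


def admin_usergroup(name="NetworkAdmin"):
    """Full-access counterpart built only from the predefined taskgroups."""
    return [f"usergroup {name}", " taskgroup root-system", " taskgroup cisco-support", "!"]


def audit_readonly(config_text, allowed_execute=EXECUTE_TASKS):
    """Return every task line that grants more than read (or an unexpected execute)."""
    violations = []
    for line in config_text.splitlines():
        m = _TASK_LINE.match(line)
        if not m:
            continue
        perm, task = m.groups()
        if perm == "read" or (perm == "execute" and task in allowed_execute):
            continue
        violations.append(line.strip())
    return violations


if __name__ == "__main__":
    viewer = viewer_taskgroup(parse_task_ids(SAMPLE_SHOW_TASK_SUPPORTED))
    print("\n".join(viewer))
    print("\n".join(admin_usergroup()))
    print(f"viewer config is {len(viewer)} lines; audit findings:",
          audit_readonly("\n".join(viewer)))
```

With the full task list the generated block is still only a few dozen lines, which matches Sam's estimate; the ACS side then only needs to return `#NetworkViewer` (or `#NetworkAdmin`) in the task attribute, and `audit_readonly` can be re-run against the running-config whenever the taskgroup is touched.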
02-25-2014 05:51 AM
My customer doesn't want a long configuration on the ASR :-( Is there another way to do this?
02-26-2014 08:22 AM
This is the simplest way to achieve this, and it should be 30 or 50 lines, so not too big.
Thanks,
Sam