Cisco ASR 9006 IOS XR 4.3.0 aaa authorization

Hi,

I've configured two Cisco ASR 9006 routers running IOS XR 4.3.0 with AAA. I have a problem with the authorization statement.

I need to distinguish two groups.

  • Network Administrator (Full access, show, configuration etc etc)
  • Network Viewer (Users in this group can use only the show command)

I cannot find anything clear in the documentation. Can you help me?

Below is the current configuration (without authorization):

tacacs source-interface Loopback0 vrf default
tacacs-server host 10.10.10.1 port 49
!
tacacs-server key 7 XXXXXXXXXX
tacacs-server timeout 10
username emergency
 group netadmin
 password 7 XXXXXXXXXXXXXXX
!
aaa accounting exec default start-stop group ACS
aaa accounting system default start-stop group ACS
aaa group server tacacs+ ACS
 server 10.10.10.1
!
aaa authentication login default group ACS local

I have configured two Shell Command Authorization Sets in my ACS. One for ReadOnly and one for Full Access.

The ReadOnly Group (called AccessoSolaLettura) is on the attached png called asr_1.PNG

The Full Access Group (called AccessCompleto) is on the attached png called asr_2.PNG

I associated these Shell Authorization Sets with two user groups (Network Administrator and Network Viewer).

The first one with Level 15 and the second one with Level 7. (Attached file ACS_1.png and ACS_2.png)

Can you tell me if the ACS configuration is right and which configuration is needed on the ASR?

The ACS Release is 4.2(0) Build 124.

Tnx

Leonardo


7 Replies

smilstea
Cisco Employee

Hi Leonardo,

In XR we have the concept of tasks and taskgroup for determining what a user can do, and we recommend using this. For tasks we have the read/write/execute/debug permissions.

For instance to run 'show bgp summary' we need the read permission on the task BGP. Instead of assigning individual permissions per user we can create a taskgroup and the user can inherit everything from a taskgroup.

So for instance we can add read BGP, read OSPF, and read system to the taskgroup test. We can then have the user inherit the taskgroup test and get all the permissions that taskgroup has. We can inherit multiple tasks and taskgroups.

In addition we have some predefined task groups (for the full access user you will want the cisco-support and root-system taskgroups).

You can find some more information in the following posts:

http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-3/security/configuration/guide/b_syssec_cg43xasr9k/b_syssec_cg43asr9k_chapter_010.html

https://supportforums.cisco.com/docs/DOC-15944

HTH,

Sam

Ok, it is not 100% clear.

I've added these statements on the ASR:

taskgroup NetworkViewer
 task read acl
 task read bgp
 task read basic-services
!
usergroup NetworkViewer
 taskgroup NetworkViewer
!

but I didn't understand what I have to do on the ACS :-(

Hi,

We can reference the usergroups defined on the ASR9K (such as NetworkViewer), or we can define the tasks in tacacs, or thirdly use both.

Here is an example of doing both, where we reference the operator usergroup on the 9K and give additional tasks. To give a user named user1 BGP read, write, and execute permissions and include user1 in the usergroup named operator, the username entry in the external server's TACACS+ configuration file would look similar to the following:

user = user1 {
  member = some-tac-server-group
  opap = cleartext "lab"
  service = exec {
    task = "rwx:bgp,#operator"
  }
}

Just as a note, in case it helps, if you were using radius this would look similar to this:

Cisco-AVPair = "shell:tasks=#operator,rwx:bgp"

HTH,

Sam

Tnx a lot for your answer. I understand now what you told me.

But in my case I need to give READ access for all commands to users in a specified group. I'm not able to do this task. With the predefined groups I don't have this opportunity, and my customer doesn't want all the taskgroups in the ASR configuration. On the ACS there is also a limited number of tasks that I can write in the custom attributes.

Can you help me?

While it will increase the length of the running-config, the best option is to set all tasks as read on the ASR9K taskgroup, as well as execute for the basic-services task (gives you ping and traceroute), and then apply this in ACS.

HTH,

Sam
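To tie together the two answers above (the read-everything taskgroup Sam recommends, and the `task = "rwx:bgp,#operator"` attribute format from the earlier reply), here is an added example, not code from the thread or from Cisco: a small Python generator for the IOS XR taskgroup/usergroup lines and for the TACACS+ task attribute, plus a parser for that attribute. The task-ID list is a constructed sample (the real list comes from the router's software), and the `aaa authorization exec default group ACS local` line is my assumption of the missing authorization statement, using the ACS server group from the original configuration.

```python
# Added example (not from the thread): build the IOS XR taskgroup/usergroup config
# and the TACACS+ "task" attribute. SAMPLE_TASK_IDS is a constructed subset.
SAMPLE_TASK_IDS = ["acl", "basic-services", "bgp", "ospf", "system"]
PERM_LETTERS = set("rwxd")  # read / write / execute / debug

def build_taskgroup(name, task_ids, execute_tasks=("basic-services",)):
    """Read on every task, plus execute on basic-services (ping/traceroute)."""
    lines = [f"taskgroup {name}"]
    for task in sorted(set(task_ids)):
        lines.append(f" task read {task}")
        if task in execute_tasks:
            lines.append(f" task execute {task}")
    lines.append("!")
    return lines

def build_usergroup(name, taskgroup):
    """Usergroup that inherits the taskgroup; this is the name ACS refers to."""
    return [f"usergroup {name}", f" taskgroup {taskgroup}", "!"]

def tacacs_task_attribute(tasks=None, usergroups=()):
    """Build an 'rwx:bgp,#operator'-style value for task = "..." in service = exec."""
    parts = []
    for task_id, perms in (tasks or {}).items():
        if not perms or set(perms) - PERM_LETTERS:
            raise ValueError(f"bad permission string {perms!r} for {task_id}")
        parts.append(f"{perms}:{task_id}")
    parts.extend(f"#{group}" for group in usergroups)  # '#' marks a router usergroup
    return ",".join(parts)

def parse_task_attribute(value):
    """Inverse of tacacs_task_attribute: returns ([usergroups], {task_id: perms})."""
    groups, tasks = [], {}
    for item in filter(None, value.split(",")):
        if item.startswith("#"):
            groups.append(item[1:])
        else:
            perms, _, task_id = item.partition(":")
            if not task_id or set(perms) - PERM_LETTERS:
                raise ValueError(f"malformed task item {item!r}")
            tasks[task_id] = perms
    return groups, tasks

if __name__ == "__main__":
    cfg = build_taskgroup("NetworkViewer", SAMPLE_TASK_IDS)
    cfg += build_usergroup("NetworkViewer", "NetworkViewer")
    # Assumed: without an exec authorization method list pointing at the ACS
    # server group, the router never applies the usergroup ACS hands back.
    cfg.append("aaa authorization exec default group ACS local")
    print("\n".join(cfg))
    print(tacacs_task_attribute(usergroups=["NetworkViewer"]))  # "#NetworkViewer"
```

On the ACS side the read-only users then only need the single value `#NetworkViewer`, which keeps the custom attribute short while the per-task detail lives in the taskgroup on the router.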

My customer doesn't want a long configuration on the ASR :-( Is there another way to do that?

This is the simplest way to achieve this, and should be 30 or 50 lines so not too big.

Thanks,

Sam