05-09-2016 08:17 PM
Hello experts,
I have a doubt and seek your help.
1. IOS XR (asr9k) comes with default cisco/cisco credentials having full access - if I want to change the password, how can that be done?
2. If I need to create an account just for monitoring purposes - how can that be done in IOS XR?
Any help is highly appreciated.
Thanks
05-11-2016 09:08 AM
admin config
no username cisco
end
For your second, of course it can be done, but you need to understand task-groups, etc. Please read https://supportforums.cisco.com/document/61306/asr9000xr-using-task-groups-and-understanding-priv-levels-and-authorization and see if that answers any questions. As a further aside, you might want to look into some sort of centralized authentication, RADIUS or TACACS.
05-11-2016 09:11 AM
there is a default task-group in XR 5.3.3 onwards that is read-only for all tasks.
if you add a user with task group "read-only-tg" like this:
admin
conf
user USER
secret <pw>
group read-only-tg
commit
and you have a user that can only do shows, not config or debug.
cheers
xander
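An audit sketch for the two points raised above (the default cisco account and read-only users), added here as an example and not part of any post in the thread. It assumes the usual IOS XR stanza layout of `show running-config username`; the sample config is constructed, and every group name other than read-only-tg and sysadmin is an assumption drawn from IOS XR's predefined groups.

```python
import re

# Assumption: groups treated as privileged for this audit. Only sysadmin and
# read-only-tg appear in the thread; the others are IOS XR predefined groups.
PRIVILEGED_GROUPS = {"root-system", "root-lr", "cisco-support", "netadmin", "sysadmin"}
DEFAULT_USERS = {"cisco"}  # default account named in the question

# Constructed sample in "show running-config username" layout (not from the thread).
SAMPLE_CONFIG = """\
username cisco
 group root-system
 group cisco-support
 secret 5 <hash>
!
username noc-monitor
 group read-only-tg
 secret 5 <hash>
!
username arjun
 group sysadmin
 group read-only-tg
 secret 5 <hash>
!
"""

def parse_users(config):
    """Return {username: set(groups)} parsed from username stanzas."""
    users, current = {}, None
    for line in config.splitlines():
        user = re.match(r"^username (\S+)\s*$", line)
        group = re.match(r"^\s+group (\S+)\s*$", line)
        if user:
            current = users.setdefault(user.group(1), set())
        elif group and current is not None:
            current.add(group.group(1))
        elif line.strip() == "!":
            current = None  # end of stanza
    return users

def audit(config):
    """Return sorted (user, finding) pairs for accounts that need review."""
    findings = []
    for user, groups in parse_users(config).items():
        if user in DEFAULT_USERS:
            findings.append((user, "default account still present"))
        if "read-only-tg" in groups and groups & PRIVILEGED_GROUPS:
            findings.append((user, "read-only user also in privileged group"))
        elif not groups:
            findings.append((user, "no group assigned"))
    return sorted(findings)
```

Task IDs accumulate across groups, so a user who holds read-only-tg together with a privileged group is not limited to show commands; that combination is what the second check reports.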
05-19-2016 03:51 AM
05-19-2016 04:36 AM
Ah I see now arjun, if you are in normal config (not admin config) you can reach the group:
RP/0/RSP1/CPU0:ios(config)#username arjun group ?
WORD Name of the user group
....
read-only-tg Read only group
...
sysadmin System administrators group
cheers!
xander
05-19-2016 07:06 AM
Thank you sir :) I will check it again once I go to the site.
05-19-2016 07:18 AM
Hi Xander,
are you aware of this issue:
where if you try to bring BGP neighborship UP between an IOS and IOS XR router and both having IPV6 address family enabled.
we see error "no global address configured" in "sh bgp nei" output and BGP neighborship does not come up. the workaround is to configure any IPV6 address on Loopback of IOS XR router.
so I wanted to use just any IPV6 address ..
I am planning something like ... "fc00:180:222:222:250::/128" where 180.222.222.250 is IOS loopback.
Please suggest.
05-19-2016 07:29 AM
yeah XR BGP has an extra check that it wants to see an ipv6 address on the interface that it is peering for on the v6 family also.
this makes sense (generally in non 6PE configurations) that if a next hop of a v6 is received in the AF-v6-unicast that there needs to be a path to it also.
so while IOS doesn't give that check, XR does, and is actually the better thing to do.
xander
06-06-2016 07:04 PM
Hi Xander, this is off the topic but hoping you could guide here.
I have some PEs which are peering with 2 RR ... one is IOS and another is IOS XR router. (this is during migration activity from 7600 to asr9k)
what I am noticing is if IOS RR shows that it is receiving 5000 prefixes, at the same time IOS XR RR shows 5400 prefixes as received.
Also in some case, there is difference between number of prefixes PE advertising v/s number of prefixes RR receives .
any idea if this is expected.
thanks in advance
06-07-2016 06:12 AM
hi arjun,
yeah it is not very much related to AAA and usernames this eh :) best to move this one to the main forum so everyone can see and chime in.
it could depend on the selection algorithm between the 2 RR's.
I think we need to do some more investigation on the precise prefix that is or is not received and then check why not.
could it be some policy-map/route-map that is manipulating/dropping routes?
also I have seen some versions whereby the show bgp received was not displaying correctly. so you may want to reverify the outputs with a
show bgp | i <nexthop> | i util wc -l to count lines of output and see if there is a discrepancy.
xander
02-16-2018 09:55 AM
Similar question... We're using TACACS for authentication on our ASR9006 ios xr. Is it possible to create a local user with a low privilege level (just show commands) that could bypass TACACS for just that user while still running TACACS for everyone else?
Changing the users privilege level in TACACS doesn't seem to be working, otherwise I'd just do that.
Thanks - Brandon