09-14-2012 08:22 AM
Hello dear IOSXR experts,
I have the need to limit user access to an ASR9K box like this:
Service_Operator -> access to configure/monitor L3VPN, L2VPN (VLL&VPLS), Edge QoS (edge interfaces), MVPN, etc;
Core_Operator -> access to configure/monitor IGP,BGP (except L3VPN),LDP, Core QoS (core interfaces), PIM etc;
Can we, for instance, build a specific task-id with specific commands and then associate it with a task-group?
I really don't know how to approach this. Any hints would be very welcome.
David
09-14-2012 09:17 AM
Hello.
On a simple environment, you could implement ACS Shell Command Authorization Sets, as described in the following document: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
However, in a Service Provider environment, with IOS XR-based routers, I don't think that approach would be easy to implement (or that it would work, even).
Only someone with experience on a similar Service Provider environment can give you feedback on whether you have any chance of applying such commands restrictions on IOS XR.
Good luck.
Rui Antunes
09-14-2012 07:07 PM
Hi David,
Yes it can be done.
Here is a list of task IDs.
http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r4.0/task_ids/reference/guide/td40tid.html
There are predefined users and task groups, and you can also create your own users and task groups. You may also set up AAA; these are the basic steps.
(config)# taskgroup taskgroup-name
(config-ta)# description string (optional)
(config-ta)# inherit taskgroup taskgroup-name (optional, if you want to borrow from another taskgroup)
(config-ta)# task {read | write | execute} task-id name
(config)# usergroup usergroup-name
(config-ug)# description (optional)
(config-ug)# inherit usergroup usergroup-name (optional, inherit from another usergroup)
(config-ug)# taskgroup task-group-name (associate the user group with a task group, step may be repeated)
(config)# username user-name
(config-un)# password {0 | 7} password (or) secret {0 | 5} secret (optional)
(config-un)# group group-name (assign to a user group)
You can view the current user's task IDs with 'show user tasks'.
Regards,
Sam
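Putting Sam's steps together for the two roles in David's question, here is an added example configuration. It is my own illustration, not something posted in this thread, and the group names, usernames and the password are placeholders. The task IDs it uses (bgp, isis, ospf, mpls-ldp, mpls-te, l2vpn, qos, multicast, interface) are from the task ID reference Sam linked; for any other command, the "Task ID" line in that command's reference entry tells you which task ID it needs. One caveat a practitioner should know before designing the split: task IDs are granted per feature, not per command or per interface. "BGP except L3VPN" cannot be carved out this way, because the VPNv4 address family under router bgp needs the same bgp task as the rest of BGP, and "edge QoS" versus "core QoS" both fall under the single qos task. The configuration below approximates David's split by giving each group write/execute on its own features and read only (monitoring) on the other group's features.

```cisco
! Added example, not from the original posts. Names and the password are placeholders.
! Task IDs are from the IOS XR task ID reference; one permission per "task" line.
!
! Service operator: configure/monitor L2VPN, edge QoS, MVPN; read-only view of the core.
taskgroup SVC-OPS-TG
 description Service operator - L2VPN, L3VPN, edge QoS, MVPN
 task read bgp
 task read isis
 task read ospf
 task read mpls-ldp
 task read l2vpn
 task write l2vpn
 task execute l2vpn
 task read qos
 task write qos
 task execute qos
 task read multicast
 task write multicast
 task execute multicast
 task read interface
 task write interface
 task execute interface
!
! Core operator: configure/monitor IGP, BGP, LDP, TE, core QoS, PIM; read-only view of L2VPN.
taskgroup CORE-OPS-TG
 description Core operator - IGP, BGP, LDP, TE, core QoS, PIM
 task read isis
 task write isis
 task execute isis
 task read ospf
 task write ospf
 task execute ospf
 task read bgp
 task write bgp
 task execute bgp
 task read mpls-ldp
 task write mpls-ldp
 task execute mpls-ldp
 task read mpls-te
 task write mpls-te
 task execute mpls-te
 task read qos
 task write qos
 task execute qos
 task read multicast
 task write multicast
 task execute multicast
 task read l2vpn
!
! User groups bind users to task groups; a usergroup may list several taskgroups.
usergroup SVC-OPS-UG
 description Service operators
 taskgroup SVC-OPS-TG
!
usergroup CORE-OPS-UG
 description Core operators
 taskgroup CORE-OPS-TG
!
! Local users; replace the placeholder secret before committing.
username svc-op1
 group SVC-OPS-UG
 secret 0 CHANGE-ME-PLACEHOLDER
!
username core-op1
 group CORE-OPS-UG
 secret 0 CHANGE-ME-PLACEHOLDER
!
commit
!
! Verification (exec mode):
!   show aaa taskgroup SVC-OPS-TG      - permissions actually stored for the task group
!   show aaa usergroup CORE-OPS-UG     - task groups bound to the user group
!   show user tasks                    - log in as svc-op1 / core-op1 and confirm the
!                                        effective read/write/execute set for that session
```

Because the service group has only read on bgp, a service operator can run the BGP show commands for monitoring but cannot enter router bgp configuration, so the L3VPN VRF address families stay with whoever holds bgp write (the core group here); if that is not acceptable, the remaining option is the command-authorization approach Rui mentioned, layered on top of task IDs rather than instead of them.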