cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1222
Views
0
Helpful
2
Replies

IOS XR Tasks ID

dfranjoso
Level 1
Level 1

Hello dear IOSXR experts,

I have the need to limit user access to a ASR9K box like this:

Service_Operator -> access to configure/monitor L3VPN, L2VPN (VLL&VPLS), Edge QoS (edge interfaces), MVPN, etc;

Core_Operator -> access to configure/monitor IGP,BGP (except L3VPN),LDP, Core QoS (core interfaces), PIM etc;

Can we, for instance, built a specific task-id with specific commands and then associate it with a task-group ?

I really don't know how to approach this. Any hints would be very welcomed

David

2 Replies 2

Hello.

On a simple environment, you could implement ACS Shell Command Authorization Sets, as described in the following document: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

However, in a Service Provider environment, with IOS XR-based routers, I don't think that approach would be easy to implement (or that it would work, even).

Only someone with experience on a similar Service Provider environment can give you feedback on whether you have any chance of applying such commands restrictions on IOS XR.

Good luck.

Rui Antunes

smilstea
Cisco Employee
Cisco Employee

Hi David,

Yes it can be done.

Here is a list of task ID's.

http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r4.0/task_ids/reference/guide/td40tid.html

There are predefined users and task groups, as well you can create your own users and task groups. You may also setup AAA, these are the basic steps.

(config)# taskgroup taskgroup-name

(config-ta)# description string (optional)

(config-ta)# inherit taskgroup taskgroup name (optional, if you want to borrow from another taskgroup)

(config-ta)# task {read | write | execute} task-id name

(config)# usergroup usergroup-name

(config-ug)# description (optional)

(config-ug)# inherit usergroup usergroup-name (optional, inherit from another usergroup)

(config-ug)# taskgroup task-group-name (associate the user group with a task group, step may be repeated)

(config)# username user-name

(config)# password {0 | 7} password  (or) secret {0 | 5} secret (optional)

(config-un)# group group-name (assign to a user group)

You can view the current users task ID's with 'show user tasks'

Regards,

Sam

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: