IOS XR Tasks ID

dfranjoso
Level 1

Hello dear IOSXR experts,

I have the need to limit user access to an ASR9K box like this:

Service_Operator -> access to configure/monitor L3VPN, L2VPN (VLL&VPLS), Edge QoS (edge interfaces), MVPN, etc;

Core_Operator -> access to configure/monitor IGP, BGP (except L3VPN), LDP, Core QoS (core interfaces), PIM, etc;

Can we, for instance, build a specific task-id with specific commands and then associate it with a task-group?

I really don't know how to approach this. Any hints would be very welcome.

David

2 Replies

Hello.

In a simple environment, you could implement ACS Shell Command Authorization Sets, as described in the following document: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

However, in a Service Provider environment, with IOS XR-based routers, I don't think that approach would be easy to implement (or that it would work, even).

Only someone with experience in a similar Service Provider environment can give you feedback on whether you have any chance of applying such command restrictions on IOS XR.

Good luck.

Rui Antunes

smilstea
Cisco Employee

Hi David,

Yes it can be done.

Here is a list of task IDs.

http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r4.0/task_ids/reference/guide/td40tid.html

There are predefined users and task groups, and you can also create your own users and task groups. You may also set up AAA. These are the basic steps:

(config)# taskgroup taskgroup-name

(config-ta)# description string (optional)

(config-ta)# inherit taskgroup taskgroup-name (optional, if you want to borrow from another taskgroup)

(config-ta)# task {read | write | execute} task-id name

(config)# usergroup usergroup-name

(config-ug)# description (optional)

(config-ug)# inherit usergroup usergroup-name (optional, inherit from another usergroup)

(config-ug)# taskgroup task-group-name (associate the user group with a task group, step may be repeated)

(config)# username user-name

(config-un)# password {0 | 7} password  (or) secret {0 | 5} secret (optional)

(config-un)# group group-name (assign to a user group)

You can view the current user's task IDs with 'show user tasks'.

Regards,

Sam
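
An added example, not part of the original thread and not Cisco code: a small Python audit that parses configuration in the taskgroup/usergroup/username syntax from the reply above, follows `inherit`, task-group association and group membership, and returns the effective task permissions of a user or user group, so the Service_Operator and Core_Operator roles can be checked for unintended write access before deployment. The task-group names, the user `alice` and the task-ID selections in the sample are constructed assumptions; check task IDs against the task ID list for your release.

```python
from collections import defaultdict

# Constructed sample in the taskgroup/usergroup/username syntax from the thread.
# Group names, the user and the task-ID choices are assumptions for illustration.
SAMPLE_CONFIG = """\
taskgroup TG-MONITOR
 task read bgp
taskgroup TG-SERVICE
 inherit taskgroup TG-MONITOR
 task write l2vpn
taskgroup TG-CORE
 inherit taskgroup TG-MONITOR
 task write bgp
usergroup Service_Operator
 taskgroup TG-SERVICE
usergroup Core_Operator
 taskgroup TG-CORE
username alice
 group Service_Operator
"""

def parse(config):
    objs = defaultdict(lambda: {"tasks": set(), "edges": set()})
    cur = objs[("stray", "")]  # sink for indented lines seen before any object
    for line in config.splitlines():
        w = line.split()
        if len(w) >= 2 and not line.startswith(" "):
            cur = objs[(w[0], w[1])]              # taskgroup / usergroup / username
        elif len(w) >= 3 and w[0] == "task":
            cur["tasks"].add((w[2], w[1]))        # (task-id, permission)
        elif len(w) >= 3 and w[0] == "inherit":
            cur["edges"].add((w[1], w[2]))        # parent of the same kind
        elif len(w) >= 2 and w[0] in ("taskgroup", "group"):
            cur["edges"].add(("usergroup" if w[0] == "group" else "taskgroup", w[1]))
    return objs

def effective_tasks(objs, kind, name):
    # Walk group membership, association and inherit edges; 'seen' stops loops.
    todo, seen, tasks = [(kind, name)], set(), set()
    while todo:
        node = todo.pop()
        if node not in seen:
            seen.add(node)
            tasks |= objs[node]["tasks"]
            todo += objs[node]["edges"]
    return tasks

def write_tasks(objs, kind, name):
    return {t for t, p in effective_tasks(objs, kind, name) if p == "write"}
```

Intersecting `write_tasks` for two roles lists the task IDs both can modify; groups that are referenced but not defined in the parsed text (for example predefined ones) contribute no tasks here.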