[c-nsp] How TACACS works? IOS vs IOS XR

Sami Joseph sami.joseph at gmail.com
Sun Feb 1 06:43:44 EST 2009


Hello everyone,

I am trying to understand how TACACS works (authorization) so I would be
able to understand how this works in IOS XR too.

*IOS:*
Let me take it from scratch, in IOS, we can create a user with local
privileges so if we assign priv. 15 to a user, he'll be able to do
everything.

If we want more granularity, we can use the TACACS server to limit the
commands a user can execute, and it works like the following: every command
has an Attribute Value pair, the command is sent to the AAA server, and it
will compare that pair to the configured policy (e.g. can do show commands
only).


*In IOS XR:*

We assign task IDs locally so that a user can access L2VPN and Traffic eng
components, for example, but cannot change BGP.

Then there are the root/cisco_support accounts and they give higher
privilege to the user.

So assume I want to bring an XR box into TACACS: do I need to make sure that
the AAA server understands the IOS XR AV pairs, or is it a standard format?

Do I need to make anything special on IOS XR for the cisco_support user, or do I
just treat it just like IOS?

Thanks,
Sam
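
The IOS-style command authorization flow described in the message above, as an added example that is not part of the original post: the device sends the command as attribute-value pairs and the AAA server answers pass or fail from its policy. The AV pair names (service, cmd, cmd-arg) and status names follow RFC 8907; the policy format, the group name and the function names are hypothetical.

```python
import re

# Constructed per-group policy (hypothetical format): ordered (action, regex)
# rules matched against the full command line; first match wins, default deny.
POLICY = {
    "noc-readonly": [
        ("deny", r"^show running-config\b"),
        ("permit", r"^show\b"),
        ("permit", r"^(exit|logout)$"),
    ],
}

def parse_av_pairs(args):
    """Split 'name=value' (mandatory) or 'name*value' (optional) into tuples."""
    pairs = []
    for arg in args:
        m = re.match(r"^([^=*]+)([=*])(.*)$", arg)
        if not m:
            raise ValueError(f"malformed AV pair: {arg!r}")
        pairs.append((m.group(1), m.group(3)))
    return pairs

def command_line(pairs):
    """Rebuild the command from cmd/cmd-arg pairs, dropping the <cr> terminator."""
    cmd = [v for n, v in pairs if n == "cmd"]
    if len(cmd) != 1 or not cmd[0]:  # empty cmd= (shell start) is out of scope here
        raise ValueError("expected exactly one non-empty cmd pair")
    args = [v for n, v in pairs if n == "cmd-arg" and v != "<cr>"]
    return " ".join(cmd + args)

def authorize(group, args):
    """Return 'PASS_ADD' or 'FAIL' for one command authorization request."""
    try:
        pairs = parse_av_pairs(args)
        if ("service", "shell") not in pairs:
            return "FAIL"
        line = command_line(pairs)
    except ValueError:
        return "FAIL"  # malformed requests are denied, never passed through
    for action, pattern in POLICY.get(group, []):
        if re.search(pattern, line):
            return "PASS_ADD" if action == "permit" else "FAIL"
    return "FAIL"  # no rule matched, or unknown group

# Constructed sample request for "show ip route"
REQ_SHOW = ["service=shell", "cmd=show", "cmd-arg=ip", "cmd-arg=route", "cmd-arg=<cr>"]

if __name__ == "__main__":
    print(authorize("noc-readonly", REQ_SHOW))
```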

