[c-nsp] How TACACS works? IOS vs IOS XR

Ahmed Maged (amaged) amaged at cisco.com
Sun Feb 1 13:29:27 EST 2009 

Hi Sami,

You are right.

If you have TAC+ then do this.

# Set up accounting file if enabling accounting on NAS
accounting file = /var/log/cisco.log

# configuring key between router

key = cisco

# configuring group privilege, so we don't have to configure it for each
user

group = cisco {
       service = exec {
       priv_lvl = 15

# configure as optional so IOS or other vender router can ignore it

       optional task = "#root-system,#cisco-support"
       }


       }

# Set up accounting file if enabling accounting on NAS
accounting file = /var/log/tac.log


user = amaged {
       login = cleartext "amaged"
       member = cisco
}



amaged-ubuntu#

Regards,
Ahmed
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Sami Joseph
Sent: Sunday, February 01, 2009 1:44 PM
To: Cisco-nsp
Subject: [c-nsp] How TACACS works? IOS vs IOS XR

Hello everyone,

I am trying to understand how TACACS works (Authorization) so i would be
able to understand how this works in IOS XR too.

*IOS:*
Let me take it from scratch, in IOS, we can create a user with local
privileges so if we assign priv. 15 to a user, he'll be able to do
everything.

If we want more granularity, we can use the TACACS server to limit the
commands a user can execute and it works like the following, every
command
has an Attribute Value pair, the command is sent to the AAA Server and
it
will compare that pair to the configured policy (ex. can do show
commands
only)


*In IOS XR:*

We assign task IDs locally so that a user can access L2VPN and Traffic
eng
components for example but can not change BGP.

Then there are the root/cisco_support accounts and they give higher
privilege to the user.

So assume i want to brign an XR box into TACACS, do i need to make sure
that
the AAA server understands the IOS XR AV pairs or is it a standard
format?

Do i need to make anything special on IOS XR for the cisco_support user
or i
just treat it just like IOS ?

Thanks,
Sam
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list