[c-nsp] IOS XR AAA
Tassos Chatzithomaoglou
achatz at forthnetgroup.gr
Tue May 21 10:31:37 EDT 2013
We've been using the following for IOS/NXOS/IOSXR/JUNOS on tacacs.
user = test {
    default service = deny
    service = junos-exec {
        local-user-name = xxx
        allow-commands = "..."
    }
    service = exec {
        priv-lvl=15
        optional shell:roles="network-admin"
        optional task="#root-system"
    }
    cmd = ... { permit ... }
}
--
Tassos
Jared Mauch wrote on 20/05/2013 21:04:
> On May 20, 2013, at 1:56 PM, "Oliver Boehmer (oboehmer)" <oboehmer at cisco.com> wrote:
>
>>
>> On 20/05/2013 17:00, "Shane Heupel" <sheupel at twlakes.coop> wrote:
>>
>>> We just purchased a couple of ASR9Ks and we're trying to set up AAA to
>>> our free radius servers. We have the ASRs configured to authenticate
>>> against the AAA servers but are having some trouble with the user
>>> attributes being passed between the ASRs and AAA server that define which
>>> task group each user is assigned. Does anyone have a radius
>>> configuration that they would mind sharing?
>>>
>>> Example user:
>>> username bob
>>> group netadmin
>>> group sysadmin
>>> group cisco-support
>>>
>> you need to include
>>
>> Cisco-avpair = "shell:task=#netadmin,#sysadmin,#cisco-support"
>>
>>
>> in the profile. If you send this profile to non-XR systems, they might
>> choke, so you might need to make it optional via
>>
>> Cisco-avpair = "shell:task*#netadmin,#sysadmin,#cisco-support"
> You can also just do this:
>
> usergroup priv15
> taskgroup root-system
> taskgroup cisco-support
> !
>
> (depending on which groups you need).
>
> - Jared
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
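
Added example, not part of the original thread or any poster's configuration: a small Python check for the "=" (mandatory) versus "*" (optional) Cisco-avpair forms discussed above, which extracts the "#"-prefixed task groups and flags a mandatory task attribute in a profile that is also sent to non-XR devices. The function names and sample profiles are constructed for illustration; the attribute strings are the ones quoted in the thread.

```python
import re
from typing import NamedTuple

# protocol:attribute, then "=" (mandatory) or "*" (optional), then the value
AVPAIR = re.compile(r'^(?P<proto>[^:=*]+):(?P<attr>[^=*]+)(?P<sep>[=*])(?P<value>.*)$')

class AVPair(NamedTuple):
    protocol: str
    attribute: str
    mandatory: bool
    value: str

def parse_avpair(raw: str) -> AVPair:
    m = AVPAIR.match(raw.strip())
    if not m:
        raise ValueError(f"not a protocol:attribute=value pair: {raw!r}")
    return AVPair(m["proto"], m["attr"], m["sep"] == "=", m["value"].strip('"'))

def task_groups(pair: AVPair) -> list[str]:
    """Return the task groups: comma-separated entries prefixed with '#'."""
    if pair.attribute != "task":
        return []
    items = (t.strip() for t in pair.value.split(","))
    return [t[1:] for t in items if t.startswith("#")]

def lint_profile(avpairs: list[str], shared_with_non_xr: bool) -> list[str]:
    """Flag unparseable pairs and mandatory task attributes in shared profiles."""
    findings = []
    for raw in avpairs:
        try:
            pair = parse_avpair(raw)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        if shared_with_non_xr and pair.mandatory and task_groups(pair):
            findings.append(f"{raw}: mandatory task attribute in a shared profile; use '*'")
    return findings

# Constructed sample profiles built from the values quoted in the thread.
MANDATORY = ['shell:task=#netadmin,#sysadmin,#cisco-support']
OPTIONAL = ['shell:task*#netadmin,#sysadmin,#cisco-support', 'shell:priv-lvl=15']

if __name__ == "__main__":
    for name, profile in (("mandatory", MANDATORY), ("optional", OPTIONAL)):
        print(name, lint_profile(profile, shared_with_non_xr=True) or "ok")
```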