[c-nsp] IOS XR AAA

Tassos Chatzithomaoglou achatz at forthnetgroup.gr
Tue May 21 10:31:37 EDT 2013


We've been using the following for IOS/NXOS/IOSXR/JUNOS on tacacs.

user = test {
        # deny any service not explicitly listed below
        default service = deny
        # JUNOS: map the TACACS+ user onto a local template user
        service = junos-exec {
                local-user-name = xxx
                allow-commands = "..."
        }
        # IOS / NX-OS / IOS XR exec service; "optional" marks attributes
        # a platform that does not understand them may ignore
        service = exec {
                priv-lvl=15
                optional shell:roles="network-admin"
                optional task="#root-system"
        }
        cmd = ... { permit ... }
}


--
Tassos

Jared Mauch wrote on 20/05/2013 21:04:
> On May 20, 2013, at 1:56 PM, "Oliver Boehmer (oboehmer)" <oboehmer at cisco.com> wrote:
>
>>
>> On 20/05/2013 17:00, "Shane Heupel" <sheupel at twlakes.coop> wrote:
>>
>>> We just purchased a couple of ASR9Ks and we're trying to set up AAA to
>>> our free radius servers.  We have the ASRs configured to authenticate
>>> against the AAA servers but are having some trouble with the user
>>> attributes being passed between the ASRs and AAA server that define which
>>> task group each user is assigned.  Does anyone have a radius
>>> configuration that they would mind sharing?
>>>
>>> Example user:
>>> username bob
>>> group netadmin
>>> group sysadmin
>>> group cisco-support
>>>
>> you need to include
>>
>> Cisco-avpair = "shell:task=#netadmin,#sysadmin,#cisco-support"
>>
>>
>> in the profile.. If you send this profile to non-XR system, they might
>> choke, so you might need to make it optional via
>>
>> Cisco-avpair = "shell:task*#netadmin,#sysadmin,#cisco-support"
> You can also just do this:
>
> usergroup priv15
>  taskgroup root-system
>  taskgroup cisco-support
> !
>
> (depending on which groups you need).
>
> - Jared
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
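As an added example (not code from any post in this thread): a small Python helper that builds the shell:task Cisco-avpair in the mandatory ("=") and optional ("*") forms Oliver describes, parses such attributes back, and flags user profiles that carry broad task groups. The HIGH_PRIVILEGE_TASKGROUPS set and the audit function are assumptions for illustration.

```python
"""Build, parse and audit the Cisco-AVPair task attribute used by IOS XR."""
import re

# Cisco-avpair shape: "<proto>:<attr><sep><value>", where sep is "=" for a
# mandatory attribute and "*" for an optional one (the device may ignore it).
_AVPAIR_RE = re.compile(
    r"^(?P<attr>[A-Za-z0-9_.-]+:[A-Za-z0-9_.-]+)(?P<sep>[=*])(?P<val>.*)$"
)

# Task groups that grant broad privileges (constructed list for the audit).
HIGH_PRIVILEGE_TASKGROUPS = {"root-system", "root-lr", "cisco-support"}


def build_task_avpair(groups, optional=True):
    """Return "shell:task*#g1,#g2" (optional) or "shell:task=#g1,#g2"."""
    if not groups:
        raise ValueError("at least one task group is required")
    for g in groups:
        if not re.fullmatch(r"[A-Za-z0-9_-]+", g):
            raise ValueError(f"invalid task group name: {g!r}")
    sep = "*" if optional else "="
    return "shell:task" + sep + ",".join("#" + g for g in groups)


def parse_cisco_avpair(avpair):
    """Split a Cisco-avpair (quotes from a users file allowed) into
    (attribute, is_optional, value)."""
    m = _AVPAIR_RE.match(avpair.strip().strip('"'))
    if not m:
        raise ValueError(f"not a Cisco-avpair: {avpair!r}")
    return m.group("attr"), m.group("sep") == "*", m.group("val")


def task_groups(avpair):
    """Return the IOS XR task groups carried by a shell:task avpair, else []."""
    attr, _optional, value = parse_cisco_avpair(avpair)
    if attr != "shell:task":
        return []
    return [g.lstrip("#") for g in value.split(",") if g]


def audit_profile(avpairs):
    """Return the high-privilege task groups present in a user's avpairs."""
    found = set()
    for ap in avpairs:
        found.update(task_groups(ap))
    return sorted(found & HIGH_PRIVILEGE_TASKGROUPS)
```

Run audit_profile over each user's Cisco-avpair list exported from the RADIUS or TACACS+ configuration to review who is mapped to root-system or cisco-support.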